From c2ed7bd9dfd2f732ee499639bbd373445a2a90d9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 13 Apr 2017 01:08:30 +0200
Subject: [PATCH] MSHTA Rule v1

---
 rules/windows/sysmon/sysmon_office_shell.yml | 2 +-
 rules/windows/sysmon/sysmon_susp_mshta.yml | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/sysmon/sysmon_susp_mshta.yml

diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml
index 5150f39a..838bb554 100644
--- a/rules/windows/sysmon/sysmon_office_shell.yml
+++ b/rules/windows/sysmon/sysmon_office_shell.yml
@@ -1,4 +1,4 @@
-title: Microsoft Office Product Spawning Windows Shell
+title: Microsoft Office Product Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 reference: https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
diff --git a/rules/windows/sysmon/sysmon_susp_mshta.yml b/rules/windows/sysmon/sysmon_susp_mshta.yml
new file mode 100644
index 00000000..b5748679
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_mshta.yml
@@ -0,0 +1,17 @@
+title: Suspicious MSHTA Child
+status: experimental
+description: Detects a Microsoft HTML Application Host execution a suspicious child process
+reference: https://twitter.com/wdormann/status/851615583099650049
+author: Florian Roth
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage: '*\mshta.exe'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
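Review bot: The `selection` in the new sysmon_susp_mshta.yml matches every Sysmon EventID 1 whose ParentImage ends in `\mshta.exe`, with no constraint on the child `Image`, so despite the title nothing here qualifies the child as "suspicious" and any legitimate HTA that launches a helper process will fire this `level: high` rule while `falsepositives` is left at `unknown`. Either narrow the child image to the interpreters and LOLBins the referenced tweet is about (cmd, PowerShell, wscript/cscript, regsvr32, rundll32 are the usual starting set — adjust to your telemetry), or retitle and drop the level to reflect that it is a broad "any child of mshta.exe" rule. The description also reads awkwardly; I'd change it to `description: Detects the Microsoft HTML Application Host (mshta.exe) spawning a suspicious child process` and list the legitimate HTA-based admin or install tooling seen in the environment under `falsepositives` instead of `unknown`. A narrowed selection would look like this:
```yaml
detection:
    selection:
        EventID: 1
        ParentImage: '*\mshta.exe'
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
            - '*\wscript.exe'
            - '*\cscript.exe'
            - '*\regsvr32.exe'
            - '*\rundll32.exe'
    condition: selection
# … unchanged: falsepositives, level …
```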