valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
56a1ed1eac
SigmaHQ/rules/windows/process_creation/win_mshta_spawn_shell.yml
Thomas Patzke 7602309138 Increased indentation to 4 
* Converted (to generic sigma) rules
* Converter outputs by default with indentation 4
2019-03-02 00:14:20 +01:00

38 lines
944 B
YAML
Raw Blame History

title: MSHTA Spawning Windows Shell
status: experimental
description: Detects a Windows command line executable started from MSHTA.
references:
- https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage: '*\mshta.exe'
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\reg.exe'
- '*\regsvr32.exe'
- '*\BITSADMIN*'
filter:
CommandLine:
- '*/HP/HP*'
- '*\HP\HP*'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
tags:
- attack.defense_evasion
- attack.execution
- attack.t1170
falsepositives:
- Printer software / driver installations
level: high
Reference in New Issue View Git Blame Copy Permalink