SigmaHQ/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml

36 lines
876 B
YAML

title: MSHTA Spawning Windows Shell
status: experimental
description: Detects a Windows command line executable started from MSHTA.
references:
- https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage: '*\mshta.exe'
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\reg.exe'
- '*\regsvr32.exe'
- '*\BITSADMIN*'
filter:
Commandline:
- '*/HP/HP*'
- '*\HP\HP*'
condition: selection and not filter
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- Printer software / driver installations
level: high