Suspicious MSHTA Child Process
Detects a suspicious process spawned by an "mshta.exe" process, which could indicate malicious HTA script execution.
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (2 selectors)
detection:
    selection_parent:
        ParentImage|endswith: '\mshta.exe'
    selection_child:
        - Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\sh.exe'
            - '\bash.exe'
            - '\reg.exe'
            - '\regsvr32.exe'
            - '\bitsadmin.exe'
        - OriginalFileName:
            - 'Cmd.Exe'
            - 'PowerShell.EXE'
            - 'pwsh.dll'
            - 'wscript.exe'
            - 'cscript.exe'
            - 'Bash.exe'
            - 'reg.exe'
            - 'REGSVR32.EXE'
            - 'bitsadmin.exe'
    condition: all of selection*
False Positives
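The following is an added example, not part of the Sigma rule page or of the Sigma project: a small Python evaluator that applies the rule's two selectors to constructed process-creation events the way a converted backend query would. Field names (ParentImage, Image, OriginalFileName) follow the Sigma process_creation field set; the sample events, paths and the helper names are constructed for illustration. It shows the three things a detection engineer would check by hand: matching is case-insensitive, the two list items under selection_child are OR-ed (so a renamed binary is still caught via its PE OriginalFileName), and the condition AND-s both selectors.

```python
# Added example (not the page's or the Sigma project's code): evaluate the
# "Suspicious MSHTA Child Process" selectors against constructed events.

PARENT_SUFFIXES = ("\\mshta.exe",)

CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
    "\\cscript.exe", "\\sh.exe", "\\bash.exe", "\\reg.exe",
    "\\regsvr32.exe", "\\bitsadmin.exe",
)

CHILD_ORIGINAL_FILENAMES = (
    "Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe",
    "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe",
)


def _endswith_ci(value, suffixes):
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_ci(value, candidates):
    v = (value or "").lower()
    return any(v == c.lower() for c in candidates)


def selection_parent(event):
    # selection_parent: ParentImage|endswith '\mshta.exe'
    return _endswith_ci(event.get("ParentImage"), PARENT_SUFFIXES)


def selection_child(event):
    # The two list items under selection_child are OR-ed: either the image
    # path or the PE OriginalFileName may identify the child process.
    return (_endswith_ci(event.get("Image"), CHILD_IMAGE_SUFFIXES)
            or _equals_ci(event.get("OriginalFileName"), CHILD_ORIGINAL_FILENAMES))


def matches(event):
    # condition: all of selection* -> both selectors must hold.
    return selection_parent(event) and selection_child(event)


# Constructed sample events (Sysmon-style process creation records).
SAMPLE_EVENTS = [
    {   # mshta.exe launching PowerShell: should alert
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
    },
    {   # renamed cmd.exe: path does not match, OriginalFileName still does
        "ParentImage": r"C:\Windows\SysWOW64\MSHTA.EXE",
        "Image": r"C:\Users\Public\update.exe",
        "OriginalFileName": "Cmd.Exe",
    },
    {   # mshta.exe spawning a child that is not in the list: no alert
        "ParentImage": r"C:\Windows\System32\mshta.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
    },
    {   # cmd.exe with a non-mshta parent: no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
    },
]


def evaluate(events):
    """Return the indices of the events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches(e)]


if __name__ == "__main__":
    for i in evaluate(SAMPLE_EVENTS):
        e = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {e['ParentImage']} -> {e['Image']}")
```

Running the block reports events 0 and 1; the renamed-binary case is the reason the rule carries the OriginalFileName alternative, and the legitimate printer/HP installer false positives listed below would be tuned out by an additional filter on the child's command line or signer rather than by loosening either selector.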
Printer software / driver installations
HP software
MITRE ATT&CK
Tactics
Defense Evasion (attack.defense-evasion)
Sub-techniques
T1218.005 (attack.t1218.005)
CAR Analytics
CAR 2013-02-003
CAR 2013-03-001
CAR 2014-04-003
Rule Metadata
Rule ID
03cc0c25-389f-4bf8-b48d-11878079f1ca
Status
test
Level
high
Type
Detection
Created
Wed Jan 16
Modified
Mon Feb 06
Author
Path
rules/windows/process_creation/proc_creation_win_mshta_susp_child_processes.yml
Raw Tags
attack.defense-evasion
attack.t1218.005
car.2013-02-003
car.2013-03-001
car.2014-04-003