Mshta Descendant of Microsoft Office
Identifies the execution of mshta.exe as a descendant of a Microsoft Office process.
| id: | d49fc9fe-df80-416d-a861-0be02bef0df5 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 12/04/2019 |
| updated: | 12/04/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Execution, Defense Evasion, Command and Control |
|---|---|
| techniques: | T1170 Mshta |
Query
process where subtype.create and process_name == "mshta.exe"
and descendant of
[process where process_name in ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe")]
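
The lineage tracking behind "descendant of", as an added example that is not part of the analytic or of the library that ships it: it shows why the query still matches when another process sits between Office and mshta.exe, which a parent-only check would miss. The event layout (dicts with `pid` and `ppid` keys, a `subtype` string) and the sample events are constructed for this illustration.

```python
# Added illustration: a minimal evaluator for the query above.
# The event layout and the sample events are assumptions made for this example.

OFFICE = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}


def find_mshta_office_descendants(events):
    """Return mshta.exe creation events whose ancestry includes an Office process.

    Events must be in chronological order. Lineage is tracked per pid, so a
    match survives intermediate processes (winword -> cmd -> mshta).
    """
    tainted = set()  # pids that are an Office process or descend from one
    hits = []
    for ev in events:
        pid, ppid = ev["pid"], ev["ppid"]
        name = ev["process_name"].lower()  # compare names case-insensitively
        if ev["subtype"] == "terminate":
            # Forget the pid on exit so a recycled pid does not inherit lineage.
            tainted.discard(pid)
            continue
        if ev["subtype"] != "create":
            continue
        is_descendant = ppid in tainted
        if name == "mshta.exe" and is_descendant:
            hits.append(ev)
        if is_descendant or name in OFFICE:
            tainted.add(pid)
        else:
            tainted.discard(pid)  # pid now belongs to an unrelated process
    return hits


SAMPLE_EVENTS = [  # constructed sample data
    {"subtype": "create", "pid": 100, "ppid": 4, "process_name": "explorer.exe"},
    {"subtype": "create", "pid": 200, "ppid": 100, "process_name": "WINWORD.EXE"},
    {"subtype": "create", "pid": 300, "ppid": 200, "process_name": "cmd.exe"},
    {"subtype": "create", "pid": 400, "ppid": 300, "process_name": "mshta.exe"},  # grandchild of Word
    {"subtype": "create", "pid": 500, "ppid": 100, "process_name": "mshta.exe"},  # started from explorer
    {"subtype": "terminate", "pid": 200, "ppid": 100, "process_name": "WINWORD.EXE"},
    {"subtype": "create", "pid": 200, "ppid": 100, "process_name": "notepad.exe"},  # pid 200 reused
    {"subtype": "create", "pid": 600, "ppid": 200, "process_name": "mshta.exe"},  # parent is notepad
]

if __name__ == "__main__":
    for hit in find_mshta_office_descendants(SAMPLE_EVENTS):
        print("match:", hit)
```

Only pid 400 is reported: its parent is cmd.exe, but its lineage runs back to WINWORD.EXE.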