Mshta Network Connections

Identifies suspicious mshta.exe commands that make outbound network connections.
| id: | 6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4 |
|---|---|
| categories: | detect |
| confidence: | medium |
| os: | windows |
| created: | 11/30/2018 |
| updated: | 11/30/2018 |
MITRE ATT&CK™ Mapping

| tactics: | Execution, Defense Evasion, Command and Control |
|---|---|
| techniques: | T1170 Mshta |
Query

sequence by unique_pid
  [process where subtype.create and process_name == "mshta.exe" and command_line == "*javascript*"]
  [network where process_name == "mshta.exe"]
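
How the sequence join above behaves on events, as an added Python example that is not part of the original analytic or of any EQL implementation. The event dictionaries are constructed, the field names `event_type`, `timestamp` and `destination_address` are assumptions, and string comparison is assumed to be case-insensitive.

```python
from fnmatch import fnmatchcase

def is_mshta_js_create(ev):
    """Stage 1: mshta.exe process creation with 'javascript' in the command line."""
    return (ev["event_type"] == "process" and ev.get("subtype") == "create"
            and ev["process_name"].lower() == "mshta.exe"
            and fnmatchcase(ev.get("command_line", "").lower(), "*javascript*"))

def is_mshta_network(ev):
    """Stage 2: any network event attributed to mshta.exe."""
    return ev["event_type"] == "network" and ev["process_name"].lower() == "mshta.exe"

def match_sequences(events):
    """Return (create, network) pairs that share a unique_pid, in time order."""
    pending, hits = {}, []          # pending: unique_pid -> stage-1 event
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        pid = ev["unique_pid"]
        if is_mshta_js_create(ev):
            pending[pid] = ev
        elif is_mshta_network(ev) and pid in pending:
            hits.append((pending.pop(pid), ev))
    return hits

# Constructed sample events (not real telemetry); field names other than those
# in the query (event_type, timestamp, destination_address) are assumptions.
SAMPLE_EVENTS = [
    {"timestamp": 1, "event_type": "process", "subtype": "create", "unique_pid": "a1",
     "process_name": "mshta.exe", "command_line": 'mshta.exe "javascript:<script placeholder>"'},
    {"timestamp": 2, "event_type": "network", "unique_pid": "a1",
     "process_name": "mshta.exe", "destination_address": "203.0.113.10"},
    # Local .hta with no 'javascript' in the command line: stage 1 never matches.
    {"timestamp": 3, "event_type": "process", "subtype": "create", "unique_pid": "b2",
     "process_name": "mshta.exe", "command_line": r"mshta.exe C:\placeholder\app.hta"},
    {"timestamp": 4, "event_type": "network", "unique_pid": "b2",
     "process_name": "mshta.exe", "destination_address": "203.0.113.10"},
    # 'javascript' command line but no network event: the sequence never completes.
    {"timestamp": 5, "event_type": "process", "subtype": "create", "unique_pid": "c3",
     "process_name": "MSHTA.EXE", "command_line": "mshta.exe JavaScript:<script placeholder>"},
]

if __name__ == "__main__":
    for create, net in match_sequences(SAMPLE_EVENTS):
        print(create["unique_pid"], create["command_line"], "->", net["destination_address"])
```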