Mshta Network Connections

Identifies suspicious mshta.exe commands that make outbound network connections.

id:6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4 categories:detect confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Execution, Defense Evasion, Command and Control techniques:T1170 Mshta

Query

sequence by unique_pid
  [process where subtype.create and process_name == "mshta.exe" and command_line == "*javascript*"]
  [network where process_name == "mshta.exe"]

Detonation

Atomic Red Team: T1170

Contributors

• Endgame