execution_suspicious_mshta_execution_via_html_smuggling.yml
name: Suspicious MSHTA execution via HTML smuggling
id: 2d7c76e9-1e59-4413-9ff3-624b9d71e6d0
version: 1.0.0
description: |
  Identifies suspicious execution of the mshta process initiated by a web browser as
  part of an HTML smuggling attack chain.
  This behavior is strongly associated with multi-stage malware delivery and execution
  via phishing-driven HTML smuggling.
labels:
  tactic.id: TA0002
  tactic.name: Execution
  tactic.ref: https://attack.mitre.org/tactics/TA0002/
  technique.id: T1204
  technique.name: User Execution
  technique.ref: https://attack.mitre.org/techniques/T1204/
  subtechnique.id: T1204.001
  subtechnique.name: Malicious Link
  subtechnique.ref: https://attack.mitre.org/techniques/T1204/001/
references:
  - https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
condition: >
  sequence
  maxspan 2m
  by ps.uuid
    |spawn_process and
      ps.name ~= 'mshta.exe' and ps.parent.name iin web_browser_binaries and
      ps.cmdline imatches ('*http://*', '*https://*', '*\\webdav\\*', '*\\DavWWWRoot\\*', '\\\\*@*\\*')
    |
    |create_file and
      file.path imatches
      (
        '?:\\Users\\*\\AppData\\Local\\*',
        '?:\\Users\\*\\AppData\\Roaming\\*',
        '?:\\Users\\*\\AppData\\Local\\Temp\\*',
        '?:\\Windows\\Temp\\*',
        '?:\\Users\\Public\\*'
      )
    |
    |spawn_process and ps.name iin ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe', 'mshta.exe', 'regsvr32.exe')|
action:
  - name: kill
severity: high
min-engine-version: 3.0.0
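Added example, not part of this rule or of the detection engine it targets: a minimal Python re-implementation of the three-stage sequence above (stage predicates, `imatches` as case-insensitive globbing, `by ps.uuid` correlation and the `maxspan 2m` window), replayed over constructed events so a chain that fires can be compared with an identical chain whose second stage falls outside the window. It assumes that the doubled backslashes in the rule's patterns stand for single backslashes once the filter expression is parsed, that `web_browser_binaries` can be approximated by a small constructed set, and that all events of one chain carry the same `ps.uuid`; it does not model how the engine attributes `ps.*` fields on `spawn_process` events.

```python
import fnmatch
from datetime import datetime, timedelta
# Stand-in for the engine's web_browser_binaries list (assumption; the rule only names it).
WEB_BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Globs from the rule, with its doubled (escaped) backslashes written as single ones in raw strings.
CMDLINE_PATTERNS = (r"*http://*", r"*https://*", r"*\webdav\*", r"*\DavWWWRoot\*", r"\\*@*\*")
FILE_PATTERNS = (r"?:\Users\*\AppData\Local\*", r"?:\Users\*\AppData\Roaming\*",
                 r"?:\Users\*\AppData\Local\Temp\*", r"?:\Windows\Temp\*", r"?:\Users\Public\*")
CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}
MAXSPAN = timedelta(minutes=2)   # the rule's `maxspan 2m`

def imatches(value, patterns):
    """Case-insensitive whole-string glob match, like the rule's `imatches` operator."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

STAGES = (  # one predicate per sequence stage, evaluated over a flat field -> value event dict
    lambda e: e["type"] == "spawn_process" and e.get("ps.name", "").lower() == "mshta.exe"
              and e.get("ps.parent.name", "").lower() in WEB_BROWSERS
              and imatches(e.get("ps.cmdline", ""), CMDLINE_PATTERNS),
    lambda e: e["type"] == "create_file" and imatches(e.get("file.path", ""), FILE_PATTERNS),
    lambda e: e["type"] == "spawn_process" and e.get("ps.name", "").lower() in CHILDREN,
)

def match_sequence(events, by="ps.uuid", maxspan=MAXSPAN):
    """Replay events in time order, one stage counter per join key (`by ps.uuid`); a partial match
    older than maxspan is dropped and the key starts over. Returns the keys that completed."""
    state, hits = {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = e[by]
        stage, t0 = state.get(key, (0, None))
        if t0 is not None and e["ts"] - t0 > maxspan:
            stage, t0 = 0, None                      # window expired for this key
        if not STAGES[stage](e):
            continue
        if stage == len(STAGES) - 1:
            hits.append(key); state.pop(key, None)   # all three stages seen in order
        else:
            state[key] = (stage + 1, t0 or e["ts"])  # advance; keep the first event's time
    return hits

T0 = datetime(2024, 1, 1, 12, 0, 0)   # constructed timestamps, not real telemetry
ev = lambda s, kind, uuid, f: {"ts": T0 + timedelta(seconds=s), "type": kind, "ps.uuid": uuid, **f}
SAMPLE_EVENTS = [  # constructed: chain "A" fires; chain "B" is the same shape but exceeds maxspan
    ev(0, "spawn_process", "A", {"ps.name": "mshta.exe", "ps.parent.name": "msedge.exe",
                                 "ps.cmdline": "mshta.exe https://example.invalid/s2.hta"}),
    ev(20, "create_file", "A", {"file.path": r"C:\Users\alice\AppData\Local\Temp\x.js"}),
    ev(45, "spawn_process", "A", {"ps.name": "powershell.exe"}),
    ev(0, "spawn_process", "B", {"ps.name": "mshta.exe", "ps.parent.name": "chrome.exe",
                                 "ps.cmdline": r"\\example.invalid@SSL\DavWWWRoot\x.hta"}),
    ev(200, "create_file", "B", {"file.path": r"C:\Users\Public\y.vbs"}),
    ev(210, "spawn_process", "B", {"ps.name": "cmd.exe"}),
]
```

Calling `match_sequence(SAMPLE_EVENTS)` returns only `["A"]`; widening the window (for example `maxspan=MAXSPAN * 3`) makes chain "B" fire as well, which is a quick way to see how much of the rule's precision comes from the `maxspan` bound.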