rules/windows/sysmon/sysmon_mshta_spawn_shell.yml

title: MSHTA Spawning Windows Shell
status: experimental
description: Detects a Windows command line executable started from MSHTA.
reference: https://www.trustedsec.com/july-2015/malicious-htas/
author: Michael Haag
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 1
        ParentImage:
            - '*\mshta.exe'
        Image:
            - '*\cmd.exe'
            - '*\powershell.exe'
            - '*\wscript.exe'
            - '*\cscript.exe'
            - '*\sh.exe'
            - '*\bash.exe'
    condition: selection
falsepositives:
    - Minimal FPs.
level: high
Typo 2017-03-05 01:47:37 +01:00			`title: MSHTA Spawning Windows Shell`
mshta shells 2017-03-04 14:33:09 -08:00			`status: experimental`
			`description: Detects a Windows command line executable started from MSHTA.`
			`reference: https://www.trustedsec.com/july-2015/malicious-htas/`
			`author: Michael Haag`
			`logsource:`
Sysmon as 'service' of product 'windows' 2017-03-13 09:23:08 +01:00			`product: windows`
			`service: sysmon`
mshta shells 2017-03-04 14:33:09 -08:00			`detection:`
			`selection:`
			`EventID: 1`
			`ParentImage:`
			`- '*\mshta.exe'`
			`Image:`
			`- '*\cmd.exe'`
			`- '*\powershell.exe'`
			`- '*\wscript.exe'`
			`- '*\cscript.exe'`
			`- '*\sh.exe'`
			`- '*\bash.exe'`
			`condition: selection`
			`falsepositives:`
			`- Minimal FPs.`
			`level: high`