rules/windows/process_creation/proc_creation_win_mshta_javascript.yml

title: Suspicious JavaScript Execution Via Mshta.EXE
id: 67f113fa-e23d-4271-befa-30113b3e08b1
status: test
description: Detects execution of javascript code using "mshta.exe".
references:
    - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2023-02-07
tags:
    - attack.defense-evasion
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'MSHTA.EXE'
    selection_cli:
        CommandLine|contains: 'javascript'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
feat: update and enhancements 2023-02-07 13:55:14 +01:00			`title: Suspicious JavaScript Execution Via Mshta.EXE`
UUIDs + moved unsupported logic 2019-12-19 23:56:36 +01:00			`id: 67f113fa-e23d-4271-befa-30113b3e08b1`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
feat: update and enhancements 2023-02-07 13:55:14 +01:00			`description: Detects execution of javascript code using "mshta.exe".`
Update win_mshta_javascript.yml 2019-11-11 21:49:46 +03:00			`references:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html`
			`- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.005/T1218.005.md`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2019-10-24`
			`modified: 2023-02-07`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.defense-evasion`
$frack113$ order yaml 2022-10-28 15:06:36 +02:00			`- attack.t1218.005`
OSCD QA wave 3 2020-01-19 22:34:16 +01:00			`logsource:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`category: process_creation`
			`product: windows`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`detection:`
feat: update and enhancements 2023-02-07 13:55:14 +01:00			`selection_img:`
			`- Image\|endswith: '\mshta.exe'`
			`- OriginalFileName: 'MSHTA.EXE'`
			`selection_cli:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`CommandLine\|contains: 'javascript'`
feat: update and enhancements 2023-02-07 13:55:14 +01:00			`condition: all of selection_*`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`falsepositives:`
Update Ref+Selection 2 2022-07-11 17:48:40 +01:00			`- Unknown`
Added Atomic Blue Detections Repo 2019-10-28 11:59:49 +01:00			`level: high`