triw0lf / HEARTH

A community-driven repository for threat hunting ideas, methodologies, and research that serves as a central gathering place for hunters to share knowledge, collaborate on techniques, and advance the field of threat hunting.
https://threathuntingcommunity.com/

Hunting mshta.exe abuse #11

Closed Azrara closed 2 days ago

Azrara commented 1 week ago

Hunt Type 🔥

Flames (Hypothesis-Driven): Based on assumptions about adversary behavior or specific activities.

HEARTH Crafter

Oussama AZRARA

Hunt Idea / Hypothesis

Attackers may exploit mshta.exe, a trusted Windows utility, to execute malicious .hta files as well as JavaScript or VBScript indirectly. Mshta.exe is designed to run Microsoft HTML Applications (HTA) files, which are stand-alone applications that operate independently of the browser but use the same frameworks and technologies as Internet Explorer. This utility's trusted status can make it a valuable tool for adversaries seeking to evade detection and execute code stealthily.

MITRE ATT&CK Tactic

Defense Evasion

Implementation Notes

Data requirements: Windows Sysmon, EDR telemetry, Proxy logs

Search Tags

#DefenseEvasion #SystemBinaryProxyExecutionMshta

Value and Impact

Hunting for malicious mshta.exe activity provides critical early detection of potential threats by targeting a commonly exploited Windows utility that attackers use to evade security defenses. This hunt improves threat visibility, enhances detection accuracy, and mitigates the risk of full-scale attacks by catching adversaries in the early stages.

Knowledge Base
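
One way to turn the hypothesis above into a first hunt query, as an added example that is not part of the original issue or the HEARTH repository: it runs over constructed Sysmon Event ID 1 (process creation) records and flags mshta.exe launches that pull remote content, carry an inline javascript:/vbscript: handler, or are spawned by a parent that rarely starts mshta.exe legitimately. The sample records and the suspicious-parent list are assumptions for illustration.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, trimmed to the
# fields this hunt uses; paths and command lines are sample data, not telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Local\app.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/update.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe",
     "CommandLine": 'mshta.exe vbscript:Execute("...")',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Parents from which mshta.exe is rarely launched in normal use (assumed list;
# tune it against your own baseline before relying on it).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def mshta_indicators(event):
    """Return the reasons a process-creation event looks like mshta.exe abuse.

    An empty list means the event is either not mshta.exe or shows none of the
    indicators this hunt checks for.
    """
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    if re.search(r"https?://", cmd, re.IGNORECASE):       # HTA fetched from a remote host
        reasons.append("remote_content")
    if re.search(r"\b(javascript|vbscript):", cmd, re.IGNORECASE):  # script passed inline
        reasons.append("inline_script")
    if parent in SUSPICIOUS_PARENTS:                       # unusual launching process
        reasons.append(f"suspicious_parent:{parent}")
    return reasons


def hunt_mshta(events):
    """Run the hunt over a batch of events and keep only the flagged ones."""
    return [(e["CommandLine"], mshta_indicators(e))
            for e in events if mshta_indicators(e)]
```

The local .hta launched from explorer.exe is deliberately left unflagged so the output stays reviewable; add proxy-log joins or a hash lookup on the .hta file when the telemetry listed under Implementation Notes is available.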

DrTerdnugget commented 2 days ago

Submission approved! Nice work! Don't forget to make a pull request to add your name to the list to get your official Contributor status on the repo here:

https://github.com/triw0lf/HEARTH/blob/main/Keepers/Contributors.md