MATCH-S00352.md

File metadata and controls

35 lines (28 loc) · 1.15 KB

# Rules: MSHTA Suspicious Execution

## Description

Detects suspicious execution patterns of mshta.exe, some of which involve file polyglotism.

## Additional Details

| Detail | Value |
| --- | --- |
| Type | Templated Match |
| Category | Defense Evasion |
| Apply Risk to Entities | device_hostname, device_ip, user_username |
| Signal Name | MSHTA Suspicious Execution |
| Summary Expression | Suspicious MSHTA execution on host: {{device_hostname}} |
| Score/Severity | Static: 3 |
| Enabled by Default | True |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0005, _mitreAttackTechnique:T1140, _mitreAttackTechnique:T1218, _mitreAttackTechnique:T1218.005 |

## Vendors and Products

## Fields Used

| Origin | Field |
| --- | --- |
| Normalized Schema | baseImage |
| Normalized Schema | commandLine |
| Normalized Schema | device_hostname |
| Normalized Schema | device_ip |
| Normalized Schema | user_username |
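The following is an added illustration of the kind of logic such a rule applies to the fields listed above; it is not the rule's own match expression (which this page does not include) and the sample events are constructed. The two heuristics assumed here are a non-.hta target (the polyglot case) and an inline script protocol handler in the command line.

```python
import re

# Constructed sample events (not from the original page). Field names follow the
# page's normalized schema: baseImage, commandLine, device_hostname, device_ip, user_username.
SAMPLE_EVENTS = [
    {"device_hostname": "ws01", "device_ip": "10.0.0.11", "user_username": "alice",
     "baseImage": r"C:\Windows\System32\mshta.exe",
     "commandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Downloads\report.hta'},
    {"device_hostname": "ws02", "device_ip": "10.0.0.12", "user_username": "bob",
     "baseImage": r"C:\Windows\System32\mshta.exe",
     "commandLine": r"mshta.exe C:\Users\bob\AppData\Local\Temp\invoice.txt"},
    {"device_hostname": "ws03", "device_ip": "10.0.0.13", "user_username": "carol",
     "baseImage": r"C:\Windows\SysWOW64\mshta.exe",
     "commandLine": 'mshta.exe vbscript:Execute("MsgBox 1")'},
    {"device_hostname": "ws04", "device_ip": "10.0.0.14", "user_username": "dave",
     "baseImage": r"C:\Windows\System32\notepad.exe",
     "commandLine": r"notepad.exe C:\notes.txt"},
]

# Heuristics assumed for illustration; the real rule's expression is not on the page.
LEADING_IMAGE_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)\s*(?P<args>.*)$')  # drop argv[0]
SCRIPT_PROTOCOL_RE = re.compile(r"\b(?:javascript|vbscript|about):", re.IGNORECASE)

def image_name(path: str) -> str:
    """Final path component, tolerant of backslash and slash separators."""
    return re.split(r"[\\/]", path)[-1].lower()

def match_reason(event: dict):
    """Return why the event is suspicious, or None if it does not match."""
    if image_name(event.get("baseImage", "")) != "mshta.exe":
        return None
    m = LEADING_IMAGE_RE.match(event.get("commandLine", ""))
    args = m.group("args").strip() if m else ""
    if not args:
        return None                        # bare mshta.exe launch: not flagged here
    if SCRIPT_PROTOCOL_RE.search(args):
        return "inline script protocol handler"
    target = args.split()[0].strip('"')    # the file mshta was asked to load
    if not target.lower().endswith(".hta"):
        return "non-.hta target (possible polyglot file)"
    return None

def scan(events):
    """Emit one signal per matching event, mirroring the page's summary expression."""
    signals = []
    for ev in events:
        reason = match_reason(ev)
        if reason:
            signals.append({
                "name": "MSHTA Suspicious Execution",
                "summary": f"Suspicious MSHTA execution on host: {ev['device_hostname']}",
                "severity": 3,             # page: Score/Severity Static 3
                "reason": reason,
                "entities": {k: ev.get(k) for k in ("device_hostname", "device_ip", "user_username")},
            })
    return signals
```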