← Library
sigmaDRL-1.1from SigmaHQ/sigma

Potential LethalHTA Technique Execution

Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process

Quality
96
FP risk
Forks
0
Views
0
ATT&CK techniques
T1218.005
Rule sourcerules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects potential LethalHTA technique where the "mshta.exe" is spawned by an "svchost.exe" process
references:
    - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
author: Markus Neis
date: 2018-06-07
modified: 2023-02-07
tags:
    - attack.defense-evasion
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high