Office Product Spawning MSHTA

Rule added on 20th February, 2024

Prerequisite:

The rule requires Sysmon or process-creation auditing to be enabled for proper functioning.

Rule type:

Correlation rule

Rule description:

This correlation rule watches for Microsoft Office applications (Word, Excel, PowerPoint, etc.) launching MSHTA.exe. Attackers often abuse MSHTA to run malicious scripts hidden within Office documents.

Data source

Windows: application log, process, network traffic, file

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0005 - Defense Evasion

Techniques: T1218 - System Binary Proxy Execution

Sub-techniques: T1218.005 - System Binary Proxy Execution: Mshta

Criteria:

Process name ends with mshta.exe: This part of the rule identifies the child process that the analyzer is interested in. Mshta.exe is a Microsoft program that can execute HTML code and ActiveX controls. In some cases, malicious actors can misuse mshta.exe to execute harmful scripts.

Parent Process name ends with various Office applications: This part specifies different parent processes that the rule considers. These are all common Microsoft Office applications like WinWord, Excel, PowerPoint, etc.
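The two criteria above, applied to constructed Sysmon Event ID 1 (process creation) records, as an added illustration that is not the product's own rule logic. The list of Office parent image names and the field names (Image, ParentImage, CommandLine, User) are assumptions modelled on Sysmon's process-creation event; the sample records are constructed, not real telemetry.

```python
# Office parent image names the rule considers (assumed list; the page says
# "WinWord, Excel, PowerPoint, etc.").
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                  "msaccess.exe", "onenote.exe", "mspub.exe", "visio.exe")

def _basename(path: str) -> str:
    # File-name component only, case-insensitive, so "ends with mshta.exe"
    # cannot be satisfied by e.g. "xmshta.exe" or a look-alike directory name.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_office_spawning_mshta(event: dict) -> bool:
    """True when a Sysmon Event ID 1 record matches the rule's two criteria."""
    if event.get("EventID") != 1:          # only process-creation events count
        return False
    child = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    return child == "mshta.exe" and parent in OFFICE_PARENTS

def scan(events: list) -> list:
    """Run the rule over a batch of events and emit tagged alerts."""
    alerts = []
    for ev in events:
        if is_office_spawning_mshta(ev):
            alerts.append({
                "rule": "Office Product Spawning MSHTA",
                "tactic": "TA0005",            # Defense Evasion
                "technique": "T1218.005",      # System Binary Proxy Execution: Mshta
                "time": ev.get("UtcTime"),
                "user": ev.get("User"),
                "parent": ev.get("ParentImage"),
                "command_line": ev.get("CommandLine"),
            })
    return alerts

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2024-02-20 10:01:02", "User": "CORP\\alice",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\inv.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},   # should alert
    {"EventID": 1, "UtcTime": "2024-02-20 10:03:15", "User": "CORP\\bob",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                                        # parent not Office
    {"EventID": 1, "UtcTime": "2024-02-20 10:04:40", "User": "CORP\\carol",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},      # child not mshta
    {"EventID": 3, "UtcTime": "2024-02-20 10:05:01", "User": "CORP\\dave",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},   # network event, not process creation
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the first record fires; the others show why the parent check, the child check and the Event ID filter each matter.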

When to enable this rule:

Enable this rule when the user wants to detect malicious document execution leveraging MSHTA for credential theft or lateral movement.

This correlation rule watches for Microsoft Office applications (Word, Excel, PowerPoint, etc.) launching MSHTA.exe. Attackers often exploit this technique to execute malicious HTA (HTML Application) scripts hidden within Office documents. These scripts can be used for various malicious purposes, including downloading additional malware, harvesting credentials, or pivoting within a network.

Compliance mapping (NIST, CIS):

Enabling this rule will help you comply with the below security standards' requirements:

  • NIST Cybersecurity Framework (CSF): PR.PT (Protective Technology), to prevent exploitation of Office products for malicious purposes.
  • CIS Control 7 (Email and Web Browser Protections), to mitigate the risk of exploitation via web-based and email vectors.

Next steps:

Upon triggering this alert, the following actions can be taken:

  • Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
  • Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
  • Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.