Office Product Spawning MSHTA
Rule added on 20th February, 2024
Prerequisite:
The rule requires Sysmon or Windows process auditing to be enabled so that process creation events, including the parent process name, are logged.
Rule type:
Correlation rule
Rule description:
This correlation rule watches for Microsoft Office applications (Word, Excel, PowerPoint, etc.) launching MSHTA.exe. Attackers often exploit it to run malicious scripts hidden within Office documents.
Data source
Data source:
Relevant MITRE ATT&CK techniques and tactics:
Tactics: TA0005 - Defense Evasion
Techniques: T1218 - System Binary Proxy Execution
Sub-techniques: T1218.005 - System Binary Proxy Execution: Mshta
Criteria:
Process name ends with mshta.exe: This part of the rule identifies the child process that the analyzer is interested in. Mshta.exe is a Microsoft program that can execute HTML code and ActiveX controls. In some cases, malicious actors can misuse mshta.exe to execute harmful scripts.
Parent process name ends with various Office applications: This part specifies the different parent processes that the rule considers. These are common Microsoft Office applications such as WinWord, Excel, PowerPoint, etc.
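The two criteria above, applied to constructed process-creation events, as an added example that is not the vendor's rule implementation. It compares the executable's basename rather than a raw string suffix, so a lookalike such as notmshta.exe is not matched. The page names WinWord, Excel and PowerPoint "etc."; the additional Office parent names in the set below, the Sysmon-style field names and the sample events are assumptions.

```python
import ntpath
from typing import Dict, List

# Parent process names treated as Office applications. The page lists WinWord,
# Excel and PowerPoint "etc."; entries marked "assumed" are not from the page.
OFFICE_PARENTS = {
    "winword.exe",   # Word
    "excel.exe",     # Excel
    "powerpnt.exe",  # PowerPoint
    "outlook.exe",   # assumed
    "msaccess.exe",  # assumed
    "mspub.exe",     # assumed
    "visio.exe",     # assumed
    "onenote.exe",   # assumed
}


def _basename(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return ntpath.basename(path).lower()


def is_office_spawning_mshta(event: Dict[str, str]) -> bool:
    """Criterion 1: the child image is mshta.exe.
    Criterion 2: the parent image is one of the Office applications."""
    child = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    return child == "mshta.exe" and parent in OFFICE_PARENTS


def find_matches(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the rule over a batch of events and build one alert record per hit."""
    alerts = []
    for ev in events:
        if is_office_spawning_mshta(ev):
            alerts.append({
                "rule": "Office Product Spawning MSHTA",
                "technique": "T1218.005",
                "host": ev.get("Computer", ""),
                "user": ev.get("User", ""),
                "parent": ev.get("ParentImage", ""),
                "child_cmdline": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample events shaped like Sysmon Event ID 1 (process creation) fields.
SAMPLE_EVENTS = [
    {   # hit: Word launching mshta
        "Computer": "WS-01", "User": "CORP\\alice",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.hta",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # hit: Excel launching mshta; path and letter case differ from the first event
        "Computer": "WS-02", "User": "CORP\\bob",
        "Image": r"C:\Windows\SysWOW64\MSHTA.EXE",
        "CommandLine": r"MSHTA.EXE C:\Users\bob\Downloads\report.hta",
        "ParentImage": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
    },
    {   # miss: mshta launched by Explorer (user opened an .hta directly)
        "Computer": "WS-03", "User": "CORP\\carol",
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r"mshta.exe C:\Tools\helper.hta",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # miss: Word launching a child other than mshta
        "Computer": "WS-01", "User": "CORP\\alice",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    },
    {   # miss: lookalike child name that merely ends in the string "mshta.exe"
        "Computer": "WS-04", "User": "CORP\\dave",
        "Image": r"C:\Temp\notmshta.exe",
        "CommandLine": "notmshta.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
    },
]

if __name__ == "__main__":
    for alert in find_matches(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alert records (the Word and Excel events). When adapting this to real telemetry, map `Image`/`ParentImage` to whatever field names your log source uses, and keep the parent list in one place so Office additions are applied consistently.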
When to enable this rule:
Enable this rule when you want to detect malicious document execution that leverages MSHTA for credential theft or lateral movement.
This correlation rule watches for Microsoft Office applications (Word, Excel, PowerPoint, etc.) launching MSHTA.exe. Attackers often exploit this technique to execute malicious HTA (HTML Application) scripts hidden within Office documents. These scripts can be used for various malicious purposes, including downloading additional malware, harvesting credentials, or pivoting within a network.
Compliance mapping (NIST, CIS):
Enabling this rule will help you comply with the below security standards' requirements:
- NIST Cybersecurity Framework (CSF): PR.PT (Protective Technology) to prevent exploitation of office products for malicious purposes.
- CIS Control 7 (Email and Web Browser Protections) to mitigate the risk of exploitation from web-based and email vectors.
Next steps:
Upon triggering this alert, the following actions can be taken:
- Identification: Mark this alert as a part of an existing incident or initiate a new incident. Assign the incident to an analyst for in-depth examination.
- Analysis: Conduct an impact investigation and thoroughly analyze the degree of compromise utilizing the Incident Workbench to gain insights into the threat's severity.
- Response: Initiate automated workflow execution to swiftly terminate the identified malicious process, leveraging Workflows for prompt mitigation.