Suspicious Microsoft HTML Application Child Process
Adversaries are leveraging mshta.exe to execute malicious scripts, and evade detection by spawning suspicious child processes such as cmd.exe, powershell.exe, certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, schtasks.exe, reg.exe, wscript.exe, or rundll32.exe.
Mshta.exe is a legitimate Windows utility used to execute Microsoft HTML Application (HTA) files. Attackers abuse this trusted process to execute malicious scripts and evade detection. The technique involves mshta.exe spawning child processes commonly used for malicious purposes, such as command interpreters (cmd.exe, powershell.exe), file downloaders (curl.exe, bitsadmin.exe), and executable installers (msiexec.exe). This activity is often part of a multi-stage attack where the initial HTA file downloads or executes further payloads. This behavior allows attackers to bypass application whitelisting and execute arbitrary code on a compromised system. This brief focuses on detecting this specific pattern of mshta.exe spawning suspicious child processes to enable defenders to identify and respond to potential intrusions effectively.
Attack Chain
- An attacker gains initial access via an unspecified method (e.g., phishing, drive-by download) to place a malicious HTA file on the target system.
- The user executes the HTA file, either directly or through a social engineering lure.
- Mshta.exe is invoked to execute the HTA file.
- The malicious HTA file contains script (e.g., VBScript, JavaScript) that is executed by mshta.exe.
- The script within the HTA file spawns a child process, such as cmd.exe or powershell.exe, to execute further commands.
- The child process downloads additional malware or executes malicious code directly in memory.
- The downloaded malware establishes persistence, performs lateral movement, or exfiltrates sensitive data.
- The attacker achieves their final objective, such as data theft, system compromise, or ransomware deployment.
Impact
Successful exploitation can lead to arbitrary code execution, allowing attackers to gain control over the compromised system. This can result in data theft, installation of malware, or further propagation within the network. The defense evasion aspect makes it difficult to detect, potentially leading to prolonged compromise. Organizations in all sectors are at risk, as this technique can be used in various attack campaigns. The impact can range from data breaches and financial losses to reputational damage.
Recommendation
- Monitor process creation events for mshta.exe spawning child processes such as cmd.exe, powershell.exe, certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, schtasks.exe, reg.exe, wscript.exe, and rundll32.exe, using the provided Sigma rule to identify suspicious activity.
- Enable process creation logging with command line arguments to capture the full context of mshta.exe execution (logsource: process_creation).
- Implement application whitelisting to restrict the execution of mshta.exe to authorized users and applications only.
- Investigate any alerts generated by the provided Sigma rule to determine the scope and impact of the potential compromise.
- Review and update the list of exclusions in the Sigma rule to minimize false positives, as described in the rule's documentation.
Detection coverage 2
Mshta Spawning Suspicious Child Process
highDetects mshta.exe spawning a suspicious child process indicative of malicious script execution.
Mshta Executing From Suspicious Location
mediumDetects mshta.exe executing from a user profile directory, indicating potential malicious activity.
Detection queries are available on the platform. Get full rules →