{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/amazon-assistant/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Amazon Assistant","TeamViewer","Elastic Defend","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","system-binary-proxy-execution","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Amazon","TeamViewer","SentinelOne","Elastic"],"content_html":"\u003cp\u003eMshta.exe is a legitimate Windows utility used to execute Microsoft HTML Application (HTA) files. Adversaries exploit it to run malicious scripts, leveraging its trusted status to bypass security measures. This activity can be difficult to detect because Mshta.exe is a signed Microsoft binary. This detection identifies suspicious network activity by Mshta.exe, excluding known benign processes, to flag potential threats. Legitimate uses of Mshta.exe include software updates, installations, and automation scripts using HTA files.\nThis rule helps identify unauthorized network connections indicative of malicious intent and flags suspicious use of mshta.exe.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access through an unknown method, such as phishing or exploiting a software vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious script, such as VBScript or JavaScript, using Mshta.exe.\u003c/li\u003e\n\u003cli\u003eMshta.exe interprets and executes the script, bypassing application control policies due to its signed status.\u003c/li\u003e\n\u003cli\u003eThe script establishes a network connection to an external command and control (C2) server.\u003c/li\u003e\n\u003cli\u003eThe C2 server provides instructions to the compromised host, such as downloading additional malware.\u003c/li\u003e\n\u003cli\u003eThe downloaded malware executes, performing actions such as data exfiltration or lateral movement.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised host to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as stealing sensitive data or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the execution of arbitrary code, potentially compromising sensitive data, facilitating lateral movement, and establishing a persistent presence within the network. Systems affected by this activity may be used as a beachhead for further attacks, leading to significant data breaches, financial loss, and reputational damage.\nThe number of victims can vary depending on the scope of the initial compromise and the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the command-line arguments used by Mshta.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Mshta Network Connection\u0026rdquo; Sigma rule to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to prevent unauthorized execution of Mshta.exe and similar system binaries.\u003c/li\u003e\n\u003cli\u003eMonitor network connections initiated by Mshta.exe, including destination IP addresses, domains, and ports, to identify any connections to known malicious or suspicious endpoints.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-mshta-network-connections/","summary":"Mshta.exe making outbound network connections may indicate adversarial activity, as it is often used to execute malicious scripts and evade detection by proxying execution of untrusted code.","title":"Mshta Making Network Connections Indicative of Defense Evasion","url":"https://feed.craftedsignal.io/briefs/2024-01-mshta-network-connections/"}],"language":"en","title":"CraftedSignal Threat Feed — Amazon Assistant","version":"https://jsonfeed.org/version/1.1"}