{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/process-creation/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Windows","Microsoft Defender XDR","SentinelOne Cloud Funnel"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","mshta","windows","process-creation"],"_cs_type":"advisory","_cs_vendors":["Microsoft","HP","Crowdstrike","SentinelOne"],"content_html":"\u003cp\u003eMshta.exe (Microsoft HTML Application Host) is a Windows utility used to execute HTML Applications (.hta files). Adversaries often abuse Mshta to execute malicious scripts and evade detection, as it is a signed Microsoft binary and can bypass application whitelisting. This activity typically involves Mshta spawning other processes like cmd.exe or powershell.exe to perform malicious actions. This behavior has been observed across various attack campaigns and is a common tactic used to deliver payloads, establish persistence, or perform lateral movement within a network. Defenders need to monitor Mshta.exe process creations and child processes to detect and prevent potential threats. The detection logic focuses on identifying specific child processes commonly associated with malicious activities, while excluding legitimate uses of Mshta, such as those related to HP printer software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access via an unspecified method (e.g., phishing, drive-by download) that delivers a malicious HTA file.\u003c/li\u003e\n\u003cli\u003eThe user executes the HTA file, which launches Mshta.exe to interpret and execute the embedded script.\u003c/li\u003e\n\u003cli\u003eThe script within the HTA file spawns a suspicious child process, such as cmd.exe or powershell.exe, using \u003ccode\u003eCreateProcess\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe spawned process executes malicious commands or scripts to download additional payloads or perform reconnaissance.\u003c/li\u003e\n\u003cli\u003eCertutil.exe may be used to decode encoded payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may use bitsadmin.exe to download files from remote servers.\u003c/li\u003e\n\u003cli\u003ePowerShell is used to execute malicious code directly in memory, bypassing file-based detections.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, such as establishing persistence, stealing credentials, or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a range of consequences, including malware infection, data theft, and system compromise. The impact can vary depending on the attacker\u0026rsquo;s objectives, but it can result in significant financial losses, reputational damage, and disruption of business operations. While specific numbers of victims are not listed, this technique is widely used and can affect any organization that does not adequately monitor and restrict the use of Mshta.exe. 
The sectors targeted are broad, as this is a general-purpose technique applicable to various environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable process creation logging so that the \u0026ldquo;Suspicious Microsoft HTML Application Child Process\u0026rdquo; rule can monitor for Mshta.exe spawning suspicious child processes.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect Mshta.exe spawning cmd.exe, powershell.exe, certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, schtasks.exe, reg.exe, wscript.exe, or rundll32.exe, which indicates potential defense evasion.\u003c/li\u003e\n\u003cli\u003eExamine \u003ccode\u003eprocess.command_line\u003c/code\u003e and \u003ccode\u003eprocess.parent.command_line\u003c/code\u003e for suspicious arguments and file paths to further investigate potential malicious use of Mshta.\u003c/li\u003e\n\u003cli\u003eMonitor for executables running from user directories using the Sigma rule provided to identify potentially malicious processes spawned by Mshta.exe.\u003c/li\u003e\n\u003cli\u003eInvestigate the parent process of Mshta.exe to determine the initial source of the HTA execution, focusing on browsers, email clients, and other potential delivery mechanisms.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules for your environment to reduce false positives and ensure accurate detection of malicious activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-mshta-suspicious-child/","summary":"Mshta.exe spawning a suspicious child process, such as cmd.exe or powershell.exe, indicates potential adversarial activity leveraging Mshta to execute malicious scripts and evade detection on Windows systems.","title":"Suspicious Microsoft HTML Application Child Process","url":"https://feed.craftedsignal.io/briefs/2024-01-mshta-suspicious-child/"}],"language":"en","title":"CraftedSignal Threat Feed — Process-Creation","version":"https://jsonfeed.org/version/1.1"}