PowerShell spawning MSHTA & initiating remote connection
Powershell Spawning Mshta Initiating Connection
Query
let Process = DeviceProcessEvents
| where InitiatingProcessParentFileName has_any (@"powershell.exe", @"pwsh.exe", @"powershell_ise.exe")
| where InitiatingProcessFileName has @"mshta.exe"
| project Timestamp, DeviceName, AccountDomain, AccountName;
Process
| join (DeviceNetworkEvents
| where RemoteIP !has "" or RemoteUrl !has ""
| project DeviceName, RemoteIP, RemoteUrl
) on DeviceNameAbout this query
PowerShell spawning MSHTA & initiating remote connection
Description
MSHTA is heavily used by adversaries as it allows to execute arbitrary code using a Windows native application. A scenario observed includes powershell.exe spawning mshta.exe which by itself is suspicious but it is almost certainly malicious when a remote call initiates through an .hta file. The following query will track powershell spawning mshta initiating a remote connection.
References
- https://redcanary.com/threat-detection-report/techniques/mshta/
- https://twitter.com/Kostastsale/status/1691302618037903363
Microsoft 365 Defender & Microsoft Sentinel
MITRE ATT&CK Mapping
- Tactic: Defence evasion
- Technique ID: T1218.005
- System Binary Proxy Execution: Mshta
Versioning
| Version | Date | Comments |
|---|---|---|
| 1.0 | 16/08/2023 | Initial publish |
Explanation
This query is designed to track instances where PowerShell spawns MSHTA and initiates a remote connection. MSHTA is a Windows native application that can be used by adversaries to execute arbitrary code. This behavior is suspicious, and potentially malicious, especially when a remote call is made through an .hta file. The query retrieves process events where PowerShell spawns MSHTA and joins them with network events to identify the device, timestamp, account information, remote IP, and remote URL associated with the suspicious activity. The purpose of this query is to detect and investigate potential threats related to PowerShell and MSHTA.
