Techniques
Sample rules
Suspicious MSBuild Spawn
- source: splunk
- technicques:
- T1127
- T1127.001
Description
The following analytic identifies wmiprvse.exe spawning msbuild.exe. This behavior is indicative of a COM object being utilized to spawn msbuild from wmiprvse.exe. It is common for MSBuild.exe to be spawned from devenv.exe while using Visual Studio. In this instance, there will be command line arguments and file paths. In a malicious instance, MSBuild.exe will spawn from non-standard processes and have no command line arguments. For example, MSBuild.exe spawning from explorer.exe, powershell.exe is far less common and should be investigated.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=wmiprvse.exe AND `process_msbuild` by Processes.dest Processes.parent_process Processes.original_file_name Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_msbuild_spawn_filter`
Detect mshta inline hta execution
- source: splunk
- technicques:
- T1218
- T1218.005
Description
The following analytic identifies “mshta.exe” execution with inline protocol handlers. “JavaScript”, “VBScript”, and “About” are the only supported options when invoking HTA content directly on the command-line. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process “mshta.exe” and its parent process.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_mshta` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.original_file_name Processes.parent_process_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_mshta_inline_hta_execution_filter`
Suspicious mshta spawn
- source: splunk
- technicques:
- T1218
- T1218.005
Description
The following analytic identifies wmiprvse.exe spawning mshta.exe. This behavior is indicative of a DCOM object being utilized to spawn mshta from wmiprvse.exe or svchost.exe. In this instance, adversaries may use LethalHTA that will spawn mshta.exe from svchost.exe.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where (Processes.parent_process_name=svchost.exe OR Processes.parent_process_name=wmiprvse.exe) AND `process_mshta` by Processes.dest Processes.parent_process Processes.user Processes.original_file_name
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_mshta_spawn_filter`
Detect Rundll32 Inline HTA Execution
- source: splunk
- technicques:
- T1218
- T1218.005
Description
The following analytic identifies “rundll32.exe” execution with inline protocol handlers. “JavaScript”, “VBScript”, and “About” are the only supported options when invoking HTA content directly on the command-line. This type of behavior is commonly observed with fileless malware or application whitelisting bypass techniques. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process “rundll32.exe” and its parent process.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process) as process values(Processes.parent_process) as parent_process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_rundll32` (Processes.process=*vbscript* OR Processes.process=*javascript* OR Processes.process=*about*) by Processes.user Processes.process_name Processes.parent_process_name Processes.original_file_name Processes.dest
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_rundll32_inline_hta_execution_filter`
Suspicious mshta child process
- source: splunk
- technicques:
- T1218
- T1218.005
Description
The following analytic identifies child processes spawning from “mshta.exe”. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, parent process “mshta.exe” and its child process.
Detection logic
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name=mshta.exe AND (Processes.process_name=powershell.exe OR Processes.process_name=colorcpl.exe OR Processes.process_name=msbuild.exe OR Processes.process_name=microsoft.workflow.compiler.exe OR Processes.process_name=searchprotocolhost.exe OR Processes.process_name=scrcons.exe OR Processes.process_name=cscript.exe OR Processes.process_name=wscript.exe OR Processes.process_name=powershell.exe OR Processes.process_name=cmd.exe) by Processes.dest Processes.parent_process Processes.user
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `suspicious_mshta_child_process_filter`