LoFP / false positives may occur if legitimate processes are writing to world-writable directories. it is recommended to investigate the context of the file write operation to determine if it is malicious or not. modify the search to include additional known good paths for `mshta.exe` to reduce false positives.

Techniques

• T1218.005

Sample rules

Windows MSHTA Writing to World Writable Path

• source: splunk
• technicques:
  • T1218.005

Description

This detection identifies instances of the Windows utility mshta.exe being used to write files to world-writable directories, a technique commonly leveraged by adversaries to execute malicious scripts or payloads. Starting from 26 February 2024, APT29 has been observed distributing phishing attachments that lead to the download and execution of the ROOTSAW dropper via a compromised website. The ROOTSAW payload, utilizing obfuscated JavaScript, downloads a file named invite.txt to the C:\Windows\Tasks directory. This file is then decoded and decompressed to execute a malicious payload, often leveraging legitimate Windows binaries for malicious purposes, as seen with SqlDumper.exe in this campaign.
The analytic is designed to detect the initial file write operation by mshta.exe to directories that are typically writable by any user, such as C:\Windows\Tasks, C:\Windows\Temp, and others. This behavior is indicative of an attempt to establish persistence, execute code, or both, as part of a multi-stage infection process. The detection focuses on the use of mshta.exe to write to these locations, which is a deviation from the utility’s legitimate use cases and thus serves as a strong indicator of compromise (IoC).
The ROOTSAW campaign associated with APT29 utilizes a sophisticated obfuscation technique and leverages multiple stages of payloads, ultimately leading to the execution of the WINELOADER malware. This detection aims to catch the early stages of such attacks, enabling defenders to respond before full compromise occurs.

Detection logic

`sysmon` EventCode=11 Image="*\\mshta.exe" TargetFilename IN ("*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*", "*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\PLA\\Reports\\en-US\\*", "*\\Windows\\PLA\\Rules\\en-US\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\System32\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\RemoteApp and Desktop Connections Update\\*", "*\\Windows\\SysWOW64\\Tasks\\Microsoft\\Windows\\PLA\\System\\*") 
| rename Computer as dest, User as user 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, user, Image, TargetFilename 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_mshta_writing_to_world_writable_path_filter`