LoFP / hp software

Techniques

Sample rules

Suspicious MSHTA Child Process

Description

Detects a suspicious child process spawned by "mshta.exe" (a shell, script interpreter, or LOLBin such as reg.exe, regsvr32.exe or bitsadmin.exe), which could indicate execution of a malicious HTA script. The child is matched either by its image path or by its PE OriginalFileName, so a renamed interpreter is still caught.

Detection logic

selection_parent:
    ParentImage|endswith: '\mshta.exe'
selection_child:
    - Image|endswith:
        - '\cmd.exe'
        - '\powershell.exe'
        - '\pwsh.exe'
        - '\wscript.exe'
        - '\cscript.exe'
        - '\sh.exe'
        - '\bash.exe'
        - '\reg.exe'
        - '\regsvr32.exe'
        - '\bitsadmin.exe'
    - OriginalFileName:
        - 'Cmd.Exe'
        - 'PowerShell.EXE'
        - 'pwsh.dll'
        - 'wscript.exe'
        - 'cscript.exe'
        - 'Bash.exe'
        - 'reg.exe'
        - 'REGSVR32.EXE'
        - 'bitsadmin.exe'
condition: all of selection*
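The following is an added example, not code from the LoFP page or from the Sigma project, that evaluates the detection logic above over a few constructed process-creation events. It applies Sigma's default semantics: string comparisons are case-insensitive, the two maps listed under selection_child are OR-ed, and "all of selection*" AND-s the parent and child selections. The events, paths and the "hp-installer" record (a stand-in for the benign HP software activity this page lists as a false positive) are constructed for illustration and are not real telemetry.

```python
"""Evaluate the 'Suspicious MSHTA Child Process' logic over sample events.

Added example; not the LoFP page's or Sigma's own code.
"""

# Values copied from the rule's detection section.
PARENT_IMAGE_SUFFIX = "\\mshta.exe"
CHILD_IMAGE_SUFFIXES = (
    "\\cmd.exe", "\\powershell.exe", "\\pwsh.exe", "\\wscript.exe",
    "\\cscript.exe", "\\sh.exe", "\\bash.exe", "\\reg.exe",
    "\\regsvr32.exe", "\\bitsadmin.exe",
)
CHILD_ORIGINAL_FILENAMES = (
    "Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "wscript.exe", "cscript.exe",
    "Bash.exe", "reg.exe", "REGSVR32.EXE", "bitsadmin.exe",
)


def _endswith_any(value, suffixes):
    # Sigma string matching is case-insensitive by default; a missing field never matches.
    v = (value or "").lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _equals_any(value, candidates):
    v = (value or "").lower()
    return any(v == c.lower() for c in candidates)


def selection_parent(event):
    return _endswith_any(event.get("ParentImage"), (PARENT_IMAGE_SUFFIX,))


def selection_child(event):
    # Two maps in one list under a selection are OR-ed: path suffix OR PE OriginalFileName.
    return (_endswith_any(event.get("Image"), CHILD_IMAGE_SUFFIXES)
            or _equals_any(event.get("OriginalFileName"), CHILD_ORIGINAL_FILENAMES))


def matches(event):
    # condition: all of selection*  ->  selection_parent AND selection_child
    return selection_parent(event) and selection_child(event)


def run(events):
    """Return the ids of all events the rule fires on."""
    return [e["id"] for e in events if matches(e)]


# Constructed sample events (not real telemetry; paths are illustrative).
SAMPLE_EVENTS = [
    # classic HTA dropper: mshta -> cmd
    {"id": "hta-cmd", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    # renamed PowerShell: the path suffix misses, OriginalFileName still hits
    {"id": "hta-renamed-ps", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "update.exe -nop -w hidden"},
    # constructed stand-in for the benign 'HP software' false positive on this page
    {"id": "hp-installer", "ParentImage": r"C:\Windows\SysWOW64\mshta.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\HP\Setup\install.cmd"'},
    # mshta spawning a child outside the list: no match
    {"id": "hta-notepad", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
    # cmd from explorer: parent selection fails
    {"id": "explorer-cmd", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(f"{e['id']:16} {'MATCH' if matches(e) else 'no match'}")
```

Note that the constructed HP installer event fires exactly like the dropper, which is why the page lists "hp software" as a false positive for this rule: the detection logic has no view of who signed the child or what the HTA came from. Tuning in practice adds a filter selection on the parent's command line, the child's signer, or the script path rather than dropping the mshta parent check, since that check is what carries the rule.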