Techniques
Sample rules
Mshta spawning Rundll32 OR Regsvr32 Process
- source: splunk
- technicques:
- T1218
- T1218.005
Description
The following analytic detects a suspicious mshta.exe process spawning rundll32 or regsvr32 child processes. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process GUID, process name, and parent process fields. This activity is significant as it is a known technique used by malware like Trickbot to load malicious DLLs and execute payloads. If confirmed malicious, this behavior could allow attackers to execute arbitrary code, escalate privileges, or download additional malware, posing a severe threat to the environment.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.parent_process_name = "mshta.exe" `process_rundll32` OR `process_regsvr32` by Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.process_id Processes.process_guid Processes.user Processes.dest
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| `mshta_spawning_rundll32_or_regsvr32_process_filter`