
Invoke-Obfuscation Via Use MSHTA

Summary
This process creation rule for Windows endpoints targets the MSHTA launcher option of Invoke-Obfuscation, a PowerShell obfuscation framework. It looks for the command-line shape that launcher produces: a cmd.exe one-liner that uses 'set' to stage the obfuscated PowerShell command in an environment variable, '&&' to chain the next command, and mshta to evaluate a vbscript: URL whose 'createobject' call starts a shell to run the staged command. The rule fires when a newly created process has all of these markers in its command line at once: 'set', '&&', 'mshta' and the VBScript 'createobject' call. Adversaries use this construction to execute PowerShell without an obvious powershell.exe command line and to slip past simple keyword-based controls, so a hit is worth investigating as a sign of covert script execution on the host, whether for initial execution, lateral movement or privilege escalation. Because the rule keys on the command line, it only works where command-line logging is enabled (Sysmon event ID 1, or Windows Security event 4688 with process command line auditing turned on); Sigma string matching is case-insensitive, so mixed-case variants of the keywords still match. Taken individually, 'set' and '&&' are common in batch one-liners and mshta launching a local .hta file by path is ordinary, so it is the required combination of all markers that gives the rule its specificity: ordinary mshta use lacks the 'set', '&&' and 'createobject' combination and does not match, which keeps false positives low, but any hit still warrants triage of the parent process and of the decoded payload.
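To make the matching concrete, here is an added example (not the rule's own source and not pySigma): a minimal re-implementation of a Sigma contains|all selection run over constructed process-creation events. The token list is an assumption taken from the summary above ('set', '&&', 'mshta', 'createobject') rather than the exact strings of the published rule, and every event, including the placeholder payload, is made up for the example.

```python
# Added example: a minimal Sigma "contains|all" matcher run over constructed
# process-creation events. Not the rule's source and not pySigma; the token
# list is assumed from the summary's description, not copied from the rule.

# Every token must appear in the command line (assumption, see lead-in).
# Sigma string matching is case-insensitive, so both sides are lower-cased.
SELECTION_CONTAINS_ALL = ("set", "&&", "mshta", "createobject")


def matches(event: dict) -> bool:
    """Return True when every selection token occurs in the event's CommandLine."""
    cmdline = event.get("CommandLine", "").lower()
    return all(token in cmdline for token in SELECTION_CONTAINS_ALL)


def run_rule(events):
    """Return the CommandLine of each event the selection matches."""
    return [e["CommandLine"] for e in events if matches(e)]


# Constructed sample events (not real telemetry). The first imitates the shape
# of an Invoke-Obfuscation MSHTA launcher: 'set' stages a command in a variable,
# '&&' chains the next command, and mshta evaluates a vbscript: URL whose
# CreateObject call starts a shell. The payload is a placeholder, not real data.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": (
            'cmd /c "set x=powershell -nop -w hidden -e <BASE64> && '
            'mshta vbscript:CreateObject("WScript.Shell").Run("cmd /c %x%",0)(window.close)"'
        ),
    },
    {   # benign: an HTA launched by path; 'set' appears only inside 'setup.hta'
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
    },
    {   # 'set' and '&&' in an ordinary batch one-liner, no mshta at all
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": 'cmd /c "set PATH=C:\\tools;%PATH% && build.bat"',
    },
    {   # mshta with createobject but no 'set'/'&&': the contains|all fails
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": 'mshta vbscript:CreateObject("WScript.Shell").Run("calc",0)(window.close)',
    },
]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT Invoke-Obfuscation Via Use MSHTA:", hit)
```

Only the first constructed event matches: the other three each carry some of the tokens, which is exactly why the rule requires all of them together rather than alerting on 'mshta' or 'set' alone. Swapping SELECTION_CONTAINS_ALL for the strings in the actual rule file turns this into a quick offline check of that rule's logic against your own collected command lines.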
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
Created: 2020-10-08