Investigating MSHTA Execution Activity: A Threat Hunting Case Study

Why This Activity Stood Out

During our routine SOC monitoring, we flagged several MSHTA execution events that caught our attention. The activity was unusual and warranted a closer look for the following reasons:

  1. Unusual Command-Line Arguments: We noticed mshta.exe being invoked with non-standard command-line arguments.
  2. Network Activity: There were outbound connections initiated from internal systems to remote, suspicious IP addresses.
  3. Process Creation Events: Multiple process creation events suggested potential malicious activity.

Initial Hypothesis and Hunt Logic

Given our experience with threats like Wizard Spider, which often use MSHTA for evasion, we suspected this might be a similar tactic aimed at bypassing traditional monitoring mechanisms. Our primary hypothesis was that these executions could indicate adversarial behavior.

Why This Activity Looks Suspicious

  1. Unexpected Behavior: Normal usage of mshta.exe is rare and typically limited to developers or small-scale scripting.
  2. Remote Connections: The presence of network connections from the internal network to external, suspicious IP addresses suggested potential data exfiltration or command-and-control (C2) activity.

Reviewing Process Lineage

Initial Indicators of Compromise

We started by reviewing the process lineage and identified several key events that hinted at malicious intent:

  • Process Creation Event: mshta.exe was launched with an unusual argument.

    • CommandLine: "mshta.exe" /b "about:blank"
  • Network Connection: A connection was made from the internal network to a known threat actor-controlled IP address.

Process Lineage Analysis

  1. Parent Process: The parent process of mshta.exe was observed to be an Office application, such as Excel or Word.
  2. Child Processes: Additional child processes were spawned, including rundll32.exe and other suspicious binaries.

Expanding the Investigation

To further validate our suspicions, we expanded our investigation by reviewing additional telemetry:

Network Connections

Using KQL (Kusto Query Language), we queried device network events to find connections initiated from the system where mshta.exe was executed:

DeviceNetworkEvents
// DeviceNetworkEvents exposes the peer as RemoteIP (there is no RemoteAddress column); match it exactly rather than by substring
| where RemoteIP == "<suspicious IP placeholder>"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl

The results showed a series of HTTP GET requests to an external IP address, consistent with our hypothesis.

Process Creation Events

To get a broader view of the process lineage and identify any potential parent-child relationships, we used Sysmon logs:

DeviceProcessEvents
// the process image column in this table is FileName (not ProcessName); =~ makes the match case-insensitive
| where FileName =~ "mshta.exe"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine

The output revealed that mshta.exe had been spawned by an Office application. Additional processes like rundll32.exe were also identified.

Command Line Logging

Reviewing command-line arguments provided more context:

DeviceProcessEvents
| where ProcessCommandLine contains "mshta"

The findings confirmed that the command-line arguments used with MSHTA execution were unusual and potentially indicative of malicious activity.
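As an added example (not code from the original post), the following Python runs the same correlation as the three queries above over constructed sample events: mshta.exe launched by an Office parent with non-standard arguments, any outbound connection from that same process to a non-RFC1918 address, and the children it spawned. The column names loosely follow the Defender tables; the device names, PIDs, paths and addresses are placeholders chosen for the example.

```python
import ipaddress
import re

# Added example, not from the original post: constructed events loosely follow
# Defender DeviceProcessEvents/DeviceNetworkEvents columns; IPs/paths are placeholders.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Inline script or a remote/about: document instead of a local .hta file is the "non-standard" shape.
UNUSUAL_ARGS = re.compile(r"about:|javascript:|vbscript:|https?://", re.I)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PROCESS_EVENTS = [
    {"DeviceName": "ws01", "ProcessId": 4120, "InitiatingProcessId": 3300,
     "FileName": "mshta.exe", "InitiatingProcessFileName": "EXCEL.EXE",
     "ProcessCommandLine": '"mshta.exe" /b "about:blank"'},
    {"DeviceName": "ws01", "ProcessId": 4188, "InitiatingProcessId": 4120,
     "FileName": "rundll32.exe", "InitiatingProcessFileName": "mshta.exe",
     "ProcessCommandLine": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"DeviceName": "ws02", "ProcessId": 900, "InitiatingProcessId": 700,
     "FileName": "mshta.exe", "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": r"mshta.exe C:\Tools\installer.hta"},
]
NETWORK_EVENTS = [
    {"DeviceName": "ws01", "InitiatingProcessId": 4120, "RemoteIP": "203.0.113.10"},
    {"DeviceName": "ws02", "InitiatingProcessId": 900, "RemoteIP": "10.0.5.20"},
]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in RFC1918)

def hunt_mshta(process_events, network_events, min_reasons=2):
    """One (device, pid, reasons) per mshta.exe launch with >= min_reasons indicators."""
    findings = []
    for ev in process_events:
        if ev["FileName"].lower() != "mshta.exe":
            continue
        reasons = []
        if ev["InitiatingProcessFileName"].lower() in OFFICE_PARENTS:
            reasons.append("office-parent:" + ev["InitiatingProcessFileName"].lower())
        if UNUSUAL_ARGS.search(ev["ProcessCommandLine"]):
            reasons.append("unusual-args")
        for net in network_events:  # same host, same PID: the process's own egress
            if (net["DeviceName"], net["InitiatingProcessId"]) == (ev["DeviceName"], ev["ProcessId"]) and is_external(net["RemoteIP"]):
                reasons.append("external-connection:" + net["RemoteIP"])
        for child in process_events:  # lineage: what mshta itself spawned
            if (child["DeviceName"], child["InitiatingProcessId"]) == (ev["DeviceName"], ev["ProcessId"]):
                reasons.append("child:" + child["FileName"].lower())
        if len(reasons) >= min_reasons:
            findings.append((ev["DeviceName"], ev["ProcessId"], reasons))
    return findings
```

The ws02 launch (explorer parent, local .hta, private destination, no children) is the benign shape the analyst notes describe and produces no finding.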

Detection Opportunities

Given the observed behavior, we developed a detection rule using Sigma for Sysmon logs:

title: Suspicious Rundll32 Usage
status: experimental
description: Surfaces rundll32.exe process creation for review; broad on its own, so triage with parent process and command-line context.
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    # leading backslash so only the image name itself matches, not e.g. "xrundll32.exe"
    Image|endswith: '\rundll32.exe'
  # condition belongs inside the detection block
  condition: selection
falsepositives:
  - Legitimate software updates and administrative actions that invoke rundll32.exe
level: medium

This Sigma rule helped us quickly identify suspicious rundll32.exe executions.

Analyst Notes

  1. Contextual Understanding: Understanding the normal usage patterns of MSHTA and Office applications was crucial in identifying anomalies.
  2. Telemetry Interpretation: Proper interpretation of process lineage, network connections, and command-line arguments provided valuable insights into the nature of the threat.
  3. False Positives: We encountered false positives where legitimate software updates or administrative actions caused similar behavior. Contextual analysis helped us distinguish between benign and malicious activity.

Operational Challenges

  1. Telemetry Gaps: Some processes did not leave clear telemetry, making it difficult to trace their full lifecycle.
  2. Resource Constraints: Limited resources for manual investigation required prioritizing high-value targets.
  3. Evolution of Threats: Adversaries continually evolve their tactics, requiring regular updates to detection rules and investigative techniques.

Telemetry Blind Spots

  1. Network Monitoring: While we identified network connections, there were gaps in monitoring internal services or C2 infrastructure.
  2. Process Creation Logs: Some processes may not be logged by default, leading to incomplete lineage analysis.
  3. User Behavior: Normal user behavior can sometimes mimic malicious activity, making it challenging to distinguish between the two.

Practical Hunting Methodology

  1. Automated Alerts: Utilize SIEM tools like Splunk or ELK Stack to set up automated alerts for suspicious activities.
  2. Manual Correlation: Review event logs manually to correlate suspicious processes and network connections.
  3. Threat Intelligence Feeds: Integrate threat intelligence feeds to identify known malicious IP addresses and domains.

MITRE ATT&CK Mapping

Technique: MSHTA Execution (T1218.005)

Tactic: Defense Evasion
Sub-technique: MSHTA Execution (T1218.005)

The activity we observed aligns with the following MITRE ATT&CK sub-technique:

  • Defense Evasion: MSHTA is used to execute malicious HTA payloads, which can help adversaries bypass traditional monitoring mechanisms.

Practical Detection Recommendations

  1. Enhance Process Monitoring: Ensure comprehensive logging of process creation events and command-line arguments.
  2. Network Segmentation: Implement network segmentation to limit lateral movement and reduce the impact of potential threats.
  3. Regular Updates: Keep detection rules up-to-date with the latest threat intelligence.

Telemetry Improvement Ideas

  1. Extended Logging: Enable extended logging for Office applications to capture more detailed process information.
  2. Anomaly Detection: Implement machine learning models to detect anomalies in normal behavior patterns.
  3. Real-time Monitoring: Utilize real-time monitoring tools to quickly respond to suspicious activities.
