Mshta Descendant of Microsoft Office

Identifies the execution of mshta.exe as a descendant of a Microsoft Office process.

id:d49fc9fe-df80-416d-a861-0be02bef0df5 categories:detect confidence:medium os:windows created:12/04/2019 updated:12/04/2019

MITRE ATT&CK™ Mapping

tactics:Execution, Defense Evasion, Command and Control techniques:T1170 Mshta

Query

process where subtype.create and process_name == "mshta.exe"
  and descendant of
    [process where process_name in ("outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe")]

Contributors

• Daniel Stepanic

References

• https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql