Process and command-line monitoring
Monitoring process execution and command-line parameters offers defenders visibility into many behaviors associated with malicious abuse of Mshta. Process lineage is also helpful for detecting adversary use of Mshta: at a minimum, collect parent-child process relationships, and, if possible, consider collecting “grandparent” relationships too.
We observed multiple adversaries this year renaming the Mshta binary to evade brittle detection logic that keys on the file name. While we cover this extensively in our analysis of T1036.003: Rename System Utilities, binary metadata such as the internal process name is an effective data source for determining the true identity of a given process.
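The rename problem and the lineage advice above, as an added example that is not code from the original report: a small Python analytic over constructed process-creation records. The field names mirror Sysmon Event ID 1 (Image, OriginalFileName, ProcessGuid, ParentProcessGuid), but the records, GUIDs and paths are made up for illustration. It contrasts a brittle match on the on-disk file name with a match on the internal name compiled into the binary, and walks parent pointers to report self, parent and grandparent.

```python
"""Identify Mshta by binary metadata, not file name, and enrich with lineage.

Added example (not Red Canary's code). The records below are constructed to
resemble Sysmon Event ID 1 (process creation) fields; they are not real telemetry.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    guid: str                 # unique process id (Sysmon ProcessGuid)
    image: str                # full path of the executable on disk
    original_file_name: str   # PE version-resource name; survives a rename
    command_line: str
    parent_guid: Optional[str]


def image_name(path: str) -> str:
    """Lower-cased file name portion of a Windows path."""
    return ntpath.basename(path).lower()


def brittle_is_mshta(ev: ProcessEvent) -> bool:
    """The fragile check: trusts the on-disk file name."""
    return image_name(ev.image) == "mshta.exe"


def is_mshta(ev: ProcessEvent) -> bool:
    """Robust check: the internal name is compiled into the binary."""
    return ev.original_file_name.upper() == "MSHTA.EXE"


def is_renamed_mshta(ev: ProcessEvent) -> bool:
    """True Mshta whose file name no longer says so."""
    return is_mshta(ev) and not brittle_is_mshta(ev)


def lineage(ev: ProcessEvent, table: Dict[str, ProcessEvent], depth: int = 3) -> List[str]:
    """Walk parent pointers: [self, parent, grandparent, ...] up to `depth` names."""
    chain: List[str] = []
    cur: Optional[ProcessEvent] = ev
    while cur is not None and len(chain) < depth:
        chain.append(image_name(cur.image))
        cur = table.get(cur.parent_guid) if cur.parent_guid else None
    return chain


# Constructed sample: one benign mshta launch from explorer, one renamed copy
# (notepad.exe on disk, MSHTA.EXE internally) launched by Word, one real notepad.
EVENTS: List[ProcessEvent] = [
    ProcessEvent("{A}", r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe", None),
    ProcessEvent("{B}", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WinWord.exe", '"WINWORD.EXE" /n invoice.docm', "{A}"),
    ProcessEvent("{C}", r"C:\Users\Public\notepad.exe", "MSHTA.EXE",
                 'notepad.exe "C:\\Users\\Public\\update.hta"', "{B}"),
    ProcessEvent("{D}", r"C:\Windows\System32\mshta.exe", "MSHTA.EXE",
                 'mshta.exe "C:\\Users\\alice\\Documents\\report.hta"', "{A}"),
    ProcessEvent("{E}", r"C:\Windows\System32\notepad.exe", "NOTEPAD.EXE",
                 "notepad.exe", "{A}"),
]


def detect(events: List[ProcessEvent]) -> List[dict]:
    """Return one finding per true Mshta process, flagging renames and lineage."""
    table = {e.guid: e for e in events}
    findings = []
    for e in events:
        if not is_mshta(e):
            continue
        findings.append({
            "guid": e.guid,
            "image": e.image,
            "renamed": is_renamed_mshta(e),
            "lineage": lineage(e, table),
        })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Only `{C}` is flagged as renamed; a rule keyed on `mshta.exe` in the image path would never see it, while the metadata check still surfaces it together with its winword.exe / explorer.exe ancestry for triage.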
File monitoring and network connections
File monitoring and network connections—sometimes used in conjunction with one another—are also useful data sources for defenders seeking to observe potentially malicious Mshta abuse.
Two fundamental and complementary ways that you can think about detection for a given technique are to:
- Build analytics around the ways you’ve observed or otherwise know that adversaries have leveraged a technique in the past
- Identify all of the possible variations in the way a technique can be leveraged, a process discussed in detail in this blog post, and develop methods for detecting variations that deviate from what you expect
In our experience, it’s best to combine these two strategies while setting priorities that ensure you have sufficient coverage against actualized threats in the wild.
Inline script execution and protocol handlers
Mshta permits a user to execute inline Windows Script Host (WSH) script code (i.e., VBScript and JScript). The way that Mshta then interprets that code depends on the specified protocol handler, a component of Windows that tells the operating system how to parse and interpret protocol paths (e.g.,
Defenders can build detection analytics for inline Mshta script execution around these protocol handlers appearing in the command line. A specific detection example would be to look for the execution of mshta.exe in conjunction with a command line containing any of the protocol handlers that are relevant to Mshta: about, to name a few options. The following offers an example of what that might look like in the wild:
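As an added example that is not code from the original page, the analytic described in this section run over constructed process-creation records: gate on Mshta (by internal name, so a renamed copy still counts), then look for a protocol handler in the command line. The page's list of handlers is cut off above, so the set in the code is my own assumption: `about:` is named on the page, and `vbscript:` and `javascript:` are included because they are the WSH handlers for the VBScript and JScript inline execution the page describes. The sample command lines are constructed, not observed.

```python
"""Flag inline-script Mshta execution via protocol handlers in the command line.

Added example (not Red Canary's code) over constructed Sysmon-style records.
"""
from __future__ import annotations

import ntpath
import re
from typing import Dict, List, Optional

# Assumed handler set: "about" comes from the page; "vbscript" and "javascript"
# are added from general knowledge of WSH inline execution, not from the page.
INLINE_HANDLERS = ("vbscript", "javascript", "about")

# Handler name immediately followed by ':'. The lookbehind stops matches inside
# a longer token, and IGNORECASE mirrors mshta's own case-insensitive parsing.
_HANDLER_RE = re.compile(
    r"(?<![\w.])(" + "|".join(INLINE_HANDLERS) + r"):", re.IGNORECASE
)


def is_mshta(image: str, original_file_name: str = "") -> bool:
    """Gate on the binary's internal name first so a renamed copy still counts."""
    if original_file_name.upper() == "MSHTA.EXE":
        return True
    return ntpath.basename(image).lower() == "mshta.exe"


def find_inline_handler(command_line: str) -> Optional[str]:
    """Return the first matching protocol handler (lower-cased) or None."""
    m = _HANDLER_RE.search(command_line)
    return m.group(1).lower() if m else None


# Constructed process-creation records (field names mirror Sysmon Event ID 1).
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc.exe"":close")'},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": 'mshta.exe "JavaScript:a=new ActiveXObject(\'WScript.Shell\');a.Run(\'calc\');close();"'},
    {"Image": r"C:\Windows\SysWOW64\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": 'mshta.exe about:"<script>new ActiveXObject(\'WScript.Shell\').Run(\'calc\');close();</script>"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r'mshta.exe "C:\Users\alice\Documents\report.hta"'},   # local .hta, no handler
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": "svchost.exe javascript:close()"},                      # renamed copy
    {"Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c echo vbscript: > note.txt"},                # not mshta
]


def detect_inline_mshta(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per Mshta process whose command line carries an inline handler."""
    findings = []
    for ev in events:
        if not is_mshta(ev["Image"], ev.get("OriginalFileName", "")):
            continue
        handler = find_inline_handler(ev["CommandLine"])
        if handler is None:
            continue
        findings.append({"image": ev["Image"], "handler": handler,
                         "command_line": ev["CommandLine"]})
    return findings


if __name__ == "__main__":
    for finding in detect_inline_mshta(EVENTS):
        print(finding["handler"], "<-", finding["command_line"])
```

This is the first of the two strategies from earlier in the section, an analytic built on known abuse. It deliberately does not fire on a plain `.hta` path, and a command line that merely references a remote HTA is not inline script either, so that pattern needs its own analytic; likewise, an adversary who obfuscates the handler string will slip past a literal match, which is where lineage and rename checks earn their keep.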