Windows MSHTA Writing to World Writable Path

Author: Michael Haag, Splunk
Source: upstream

The following analytic identifies instances of mshta.exe writing files to world-writable directories. It leverages Sysmon EventCode 11 logs to detect file write operations by mshta.exe to directories like C:\Windows\Tasks and C:\Windows\Temp. This activity is significant as it often indicates an attempt to establish persistence or execute malicious code, deviating from the utility's legitimate use. If confirmed malicious, this behavior could lead to the execution of multi-stage payloads, potentially resulting in full system compromise and unauthorized access to sensitive information.

MITRE ATT&CK coverage

Tactic	Techniques
Defense Evasion	`T1218.005` System Binary Proxy Execution: Mshta

Event coverage

Provider	Event ID	Title
Sysmon	11	FileCreate

Stages and Predicates

Stage 1: `search`

search (Image="*\\mshta.exe" OR OriginalFileName="mshta.exe") EventCode=11 TargetFilename IN ("*\\Windows\\PLA\\Reports\\*", "*\\Windows\\PLA\\Rules\\*", "*\\Windows\\PLA\\Templates\\*", "*\\Windows\\Registration\\CRMLog\\*", "*\\Windows\\SysWOW64\\Com\\dmp\\*", "*\\Windows\\SysWOW64\\Tasks\\*", "*\\Windows\\System32\\Com\\dmp\\*", "*\\Windows\\System32\\LogFiles\\WMI\\*", "*\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\*", "*\\Windows\\System32\\Tasks\\*", "*\\Windows\\System32\\spool\\PRINTERS\\*", "*\\Windows\\System32\\spool\\SERVERS\\*", "*\\Windows\\System32\\spool\\drivers\\color\\*", "*\\Windows\\Tasks\\*", "*\\Windows\\Temp\\*", "*\\Windows\\tracing\\*")

Stage 2: `stats`

stats BY action, dest, file_name, file_path, process_guid, process_id, user, user_id, vendor_product, Image, TargetFilename

Stage 3: `search`

search

Stage 4: `search`

search

Stage 5: `search`

search `macro`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`EventCode`	eq	`11` corpus 10 (splunk 10)
`Image`	eq	`"*\\mshta.exe"`
`OriginalFileName`	eq	`"mshta.exe"`
`TargetFilename`	in	`"\\Windows\\PLA\\Reports\\"` corpus 2 (splunk 2) `"\\Windows\\PLA\\Rules\\"` corpus 2 (splunk 2) `"\\Windows\\PLA\\Templates\\"` corpus 2 (splunk 2) `"\\Windows\\Registration\\CRMLog\\"` corpus 2 (splunk 2) `"\\Windows\\SysWOW64\\Com\\dmp\\"` corpus 2 (splunk 2) `"\\Windows\\SysWOW64\\Tasks\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\Com\\dmp\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\LogFiles\\WMI\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\Tasks\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\spool\\PRINTERS\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\spool\\SERVERS\\"` corpus 2 (splunk 2) `"\\Windows\\System32\\spool\\drivers\\color\\"` corpus 2 (splunk 2) `"\\Windows\\Tasks\\"` corpus 2 (splunk 2) `"\\Windows\\Temp\\"` corpus 3 (splunk 3) `"\\Windows\\tracing\\"` corpus 2 (splunk 2)

Windows MSHTA Writing to World Writable Path

MITRE ATT&CK coverage

Event coverage

Stages and Predicates

Stage 1: search

Stage 2: stats

Stage 3: search