Atomic Red Team
Description
Invoked AtomicTestHarnesses executing T1218.005 manually and via Pester tests.

Atomic Test Results:
- Successful Execution of test T1218.005-1 Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
- Return value unclear for test T1218.005-2 Mshta executes VBScript to execute malicious command
- Return value unclear for test T1218.005-3 Mshta Executes Remote HTML Application (HTA)
- Successful Execution of test T1218.005-4 Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
- Successful Execution of test T1218.005-5 Invoke HTML Application - Jscript Engine Simulating Double Click
- Successful Execution of test T1218.005-6 Invoke HTML Application - Direct download from URI
- Successful Execution of test T1218.005-7 Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
- Successful Execution of test T1218.005-8 Invoke HTML Application - JScript Engine with Inline Protocol Handler
- Successful Execution of test T1218.005-9 Invoke HTML Application - Simulate Lateral Movement over UNC Path
MITRE ATT&CK Techniques
| ID | Technique | Tactic |
|---|---|---|
| T1218.005 | Mshta | Defense Evasion |
Environment Details
| Field | Value |
|---|---|
| Environment | attack_range |
| Directory | atomic_red_team |
| Test Date | 2020-11-09 |
Datasets
The following datasets were collected during this attack simulation:
Windows-Sysmon
- Path: /datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Mshta_tasks_windows-Sysmon
- Path: /datasets/attack_techniques/T1218.005/atomic_red_team/mshta_tasks_windows-sysmon.log
- Sourcetype: XmlWinEventLog
- Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Related Detections
The following detections in our security content repository use this attack data for testing:
| Detection Name | Type | Source | MITRE ATT&CK | Analytic Story |
|---|---|---|---|---|
| Detect Rundll32 Inline HTA Execution | TTP | Endpoint | T1218.005 | Suspicious MSHTA Activity, NOBELIUM Group, Living Off The Land, APT37 Rustonotto and FadeStealer |
| Detect mshta inline hta execution | TTP | Endpoint | T1218.005 | Compromised Windows Host, Gozi Malware, Living Off The Land, Suspicious MSHTA Activity, XWorm, APT37 Rustonotto and FadeStealer |
| Detect mshta renamed | Hunting | Endpoint | T1218.005 | Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer |
| Suspicious mshta child process | TTP | Endpoint | T1218.005 | Suspicious MSHTA Activity, Living Off The Land, Lumma Stealer |
| Suspicious mshta spawn | TTP | Endpoint | T1218.005 | Suspicious MSHTA Activity, Living Off The Land, APT37 Rustonotto and FadeStealer |
| Detect MSHTA Url in Command Line | TTP | Endpoint | T1218.005 | APT37 Rustonotto and FadeStealer, Compromised Windows Host, Lumma Stealer, Living Off The Land, Suspicious MSHTA Activity, XWorm, Cisco Network Visibility Module Analytics |
| Windows Process Writing File to World Writable Path | Hunting | Endpoint | T1218.005 | APT29 Diplomatic Deceptions with WINELOADER, PHP-CGI RCE Attack on Japanese Organizations, PathWiper |
| Windows MSHTA Writing to World Writable Path | TTP | Endpoint | T1218.005 | APT29 Diplomatic Deceptions with WINELOADER, Suspicious MSHTA Activity, XWorm |
Usage Instructions
Replay with Splunk Attack Data
Replay attack data with replay.py from Splunk Attack Data.
```
python replay.py --dataset /datasets/attack_techniques/T1218.005/atomic_red_team/windows-sysmon.log --index attack_data
```
Manual Import
- Download the dataset files from the paths listed above
- Configure your Splunk instance with the appropriate sourcetypes
- Import the logs using the Splunk Add Data wizard
Related Content
Find more detections and analytics for this attack technique in our security content repository.
Source: GitHub | Version: 1.0