Environment
- Enterprise EDR Web Console: All Versions
Symptoms
The report "Defense Evasion - AMSI - Suspicious MSHTA File Write And Execute Behaviors Detected" in the Watchlist triggers an incorrect hit; however, the script loads specified in the IOC do not show any events in the Processes tab under the Investigate page when searched for specifically. The IOC query as shipped:
(process_name:mshta.exe AND (fileless_scriptload_cmdline:ITextStream.Write AND fileless_scriptload_cmdline:IWshShell3.Run) OR (scriptload_content:ITextStream.Write AND scriptload_content:IWshShell3.Run)) AND NOT crossproc_name:windows\\ccm\\ccmexec.exe
Cause
The Engineering team found that the query is missing a set of parentheses, causing non-deterministic behavior (see Additional Notes).
Resolution
The query has been updated with the added parentheses and will now report as expected.
Additional Notes
- The Engineering team found that the query is missing a set of parentheses around the two OR-ed scriptload conditions, so the OR is not bound to process_name:mshta.exe, causing non-deterministic behavior.
- The corrected IOC query should be as follows:
(process_name:mshta.exe AND ((fileless_scriptload_cmdline:ITextStream.Write AND fileless_scriptload_cmdline:IWshShell3.Run) OR (scriptload_content:ITextStream.Write AND scriptload_content:IWshShell3.Run))) AND NOT crossproc_name:windows\\ccm\\ccmexec.exe
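The following is an added illustration, not Carbon Black's code: the original and corrected queries modelled as Python predicates so the two readings can be compared on constructed sample events. Field names and string values come from the query; the events and the endswith() path match for crossproc_name are assumptions.

```python
# Added illustration (not Carbon Black's code): the watchlist query from this KB
# modelled as Python predicates. Field names and strings come from the query;
# the sample events below are constructed, not real telemetry.

CCMEXEC = "windows\\ccm\\ccmexec.exe"

def is_mshta(e):
    return e.get("process_name", "").lower() == "mshta.exe"

def fileless_has_both(e):
    cmd = e.get("fileless_scriptload_cmdline", "")
    return "ITextStream.Write" in cmd and "IWshShell3.Run" in cmd

def content_has_both(e):
    content = e.get("scriptload_content", "")
    return "ITextStream.Write" in content and "IWshShell3.Run" in content

def from_ccmexec(e):
    # Assumption: the query's path term matches the tail of the full path.
    return e.get("crossproc_name", "").lower().endswith(CCMEXEC)

def broken_query(e):
    # Original query, read with AND binding tighter than OR:
    # (mshta AND fileless) OR content, then AND NOT ccmexec.
    # The scriptload_content branch no longer requires mshta.exe.
    return ((is_mshta(e) and fileless_has_both(e)) or content_has_both(e)) \
        and not from_ccmexec(e)

def fixed_query(e):
    # Corrected query: the added parentheses tie both branches to mshta.exe.
    return (is_mshta(e) and (fileless_has_both(e) or content_has_both(e))) \
        and not from_ccmexec(e)

def diverging(events):
    """Events where the two readings disagree, i.e. Watchlist hits that a
    Processes search for mshta.exe would not reproduce."""
    return [e for e in events if broken_query(e) != fixed_query(e)]

SAMPLE_EVENTS = [
    {"process_name": "mshta.exe",
     "fileless_scriptload_cmdline": "ITextStream.Write ... IWshShell3.Run"},
    {"process_name": "wscript.exe",  # matches broken_query only
     "scriptload_content": "ITextStream.Write ... IWshShell3.Run"},
    {"process_name": "mshta.exe",
     "scriptload_content": "ITextStream.Write ... IWshShell3.Run",
     "crossproc_name": "c:\\windows\\ccm\\ccmexec.exe"},
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.get("process_name"), broken_query(e), fixed_query(e))
```

The second event is the false hit described in Symptoms: it satisfies the original query without process_name:mshta.exe, so a Processes search scoped to mshta.exe returns nothing.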