SOC164 — Suspicious Mshta Behavior EventID: 114 @ LetsDefend.io walkthrough
Hopefully I have fulfilled the request of Omer Gunal, Co-Founder of LetsDefend.io, to show the right solution and steps for this investigation. This walkthrough follows the playbook (a few screenshots short).
Let's dive into the playbook right away.
Go to the Monitoring page. For this case investigation, the useful information is colour-marked here.
Let's go to VirusTotal to check the MD5 hash of Ps1.hta. The file with that hash has been flagged as malicious by 27/60 engines.
Just to double-check, I went to Hybrid Analysis to look up the file hash. It is marked as malicious there as well.
Now, let's go to Endpoint Security to check the host: Roberto @ 172.16.17.38
Under the Command History, we can see that the Mshta.exe command ran and then Ps1.hta ran at 10:29 am on March 5th. In the next minute, powershell.exe ran, and the request to 22.214.171.124 for the Server.txt file can be found in the PowerShell command execution.
Under the Network Connections, it is confirmed that the host contacted 126.96.36.199 on March 5th at 10:29.
Under the Process List, we can also find the mshta.exe process and its child process: powershell.exe.
Now, go to Log Management and check the communication between the host and the C2: 188.8.131.52
We can see that on Mar 5th, 2022, at 10:29 AM, the host contacted the C2. From the raw log, we see it sent the same request that appears in the PowerShell execution.
From the raw log of the C2 response to the host's request: luckily, it is a 404 message.
Most of our investigation is finished. Let’s continue with the playbook…
Don't forget to check the LOLBAS Project. It has the answers to the next questions.
If there is any doubt about why PowerShell was executed, check the link to MITRE ATT&CK T1218.005: Mshta.
<gr_insert_placeholder/>
Well, here is my conclusion for this case.
Finally, close the case. Surely, select TRUE POSITIVE and put in the final note.
This is the first time I did a walkthrough. It is kinda fun.