
LOLBin Mshta

This query detects executions of mshta.exe on Windows hosts and extracts the invoked HTA path, its folder and its file name from the command line.

Tags: EDR, hunting, T1218.005, T1105, FDR, intermediate
By ByteRay GmbH (cql-hub.com). 1 min read

Query

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/mshta.exe/i
| CommandLine=/mshta(?:\.exe)?\"?\s+\"?(?<HtaPath>(?:.*?\.hta|(?=\").*?(?=\")|.*?(?=(?:\s|$))))/i
| HtaPath=/(?<HtaFolder>.*)(\\\\|\/)/i
| HtaPath=/(.*(\\\\|\/))?(?<HtaFile>.*)$/i
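To show what each pipe of the query above yields, here is an added Python re-implementation of the same filter and extraction logic run over constructed sample events; it is not code from cql-hub.com or ByteRay. It assumes the Falcon field names used in the query, rewrites the CQL named groups in Python's (?P<name>...) form, and matches a path separator as a single backslash or slash. Each regex pipe in CQL both extracts and filters, so an event whose HtaPath has no separator falls out at the HtaFolder step; the sample set includes such a case.

```python
import re

# Regexes taken from the query's pipes. Python needs (?P<name>...) for named groups, so the
# CQL (?<name>...) groups are rewritten; a path separator is matched as one backslash or slash.
IMAGE_RE = re.compile(r"mshta.exe", re.IGNORECASE)
HTA_PATH_RE = re.compile(
    r'mshta(?:\.exe)?"?\s+"?(?P<HtaPath>(?:.*?\.hta|(?=").*?(?=")|.*?(?=(?:\s|$))))',
    re.IGNORECASE)
HTA_FOLDER_RE = re.compile(r"(?P<HtaFolder>.*)(\\|/)", re.IGNORECASE)
HTA_FILE_RE = re.compile(r"(.*(\\|/))?(?P<HtaFile>.*)$", re.IGNORECASE)
# Regex pipes 3 to 5 in query order: (field the regex runs against, compiled regex).
PIPES = [("CommandLine", HTA_PATH_RE), ("HtaPath", HTA_FOLDER_RE), ("HtaPath", HTA_FILE_RE)]

def event(name, platform, image, cmdline):
    """Build an event carrying the Falcon field names the query reads."""
    return {"#event_simpleName": name, "event_platform": platform,
            "ImageFileName": image, "CommandLine": cmdline}

MSHTA = r"\Device\HarddiskVolume3\Windows\System32\mshta.exe"
# Constructed sample telemetry, not real sensor data.
SAMPLE_EVENTS = [
    event("ProcessRollup2", "Win", MSHTA,
          r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\AppData\Local\Temp\update.hta"'),
    event("ProcessRollup2", "Win", MSHTA, "mshta https://example.com/report.hta"),
    event("ProcessBlocked", "Win", MSHTA, r"mshta.exe C:\ProgramData\Vendor\panel.html"),
    event("ProcessRollup2", "Win", MSHTA, "mshta.exe local.hta"),  # no separator: pipe 4 drops it
    event("ProcessRollup2", "Win", r"\Device\HarddiskVolume3\Windows\notepad.exe",
          r"notepad.exe C:\notes\update.hta"),                      # wrong image: pipe 2 drops it
]

def run_query(events):
    """Apply the query pipe by pipe. A CQL field=/regex/ pipe both extracts its named
    groups and drops events that do not match, so each regex step here filters as well."""
    matches = []
    for ev in events:
        if ev["#event_simpleName"] not in ("ProcessRollup2", "ProcessBlocked"):
            continue  # pipe 1: event type
        if ev["event_platform"] != "Win" or not IMAGE_RE.search(ev["ImageFileName"]):
            continue  # pipe 2: platform and image name
        out = dict(ev)
        for field, regex in PIPES:
            m = regex.search(out.get(field, ""))
            if m is None:
                break  # event falls out of the pipeline
            out.update({k: v for k, v in m.groupdict().items() if v is not None})
        else:
            matches.append(out)
    return matches
```

Running run_query(SAMPLE_EVENTS) returns three events with HtaPath, HtaFolder and HtaFile populated; the bare "local.hta" invocation is lost at the folder pipe, which is worth remembering when tuning the query.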

Explanation

Imported from cql-hub.com. Add the pipe-by-pipe explanation here.

Variables to adjust

Review and adjust the values for your environment.