{"title":"LetsDefend level 1 alert SOC164 - Suspicious Mshta Behavior event-id 114","provider_url":"https://hatena.blog","categories":["LetsDefend"],"provider_name":"Hatena Blog","type":"rich","url":"https://zarat.hatenablog.com/entry/2023/01/17/144003","width":"100%","height":"190","blog_title":"4ensiX","blog_url":"https://zarat.hatenablog.com/","published":"2023-01-17 14:40:03","version":"1.0","author_url":"https://blog.hatena.ne.jp/Zarat/","author_name":"Zarat","html":"<iframe src=\"https://hatenablog-parts.com/embed?url=https%3A%2F%2Fzarat.hatenablog.com%2Fentry%2F2023%2F01%2F17%2F144003\" title=\"LetsDefend level 1 alert SOC164 - Suspicious Mshta Behavior event-id 114 - 4ensiX\" class=\"embed-card embed-blogcard\" scrolling=\"no\" frameborder=\"0\" style=\"display: block; width: 100%; height: 190px; max-width: 500px; margin: 10px 0px;\"></iframe>","description":"\u4eca\u56de\u306e\u30a2\u30e9\u30fc\u30c8 Start Playbook! Determine Suspicious Activity What Is Suspicious Activity? Who Performed the Activity? Add Artifacts End appendix \u4eca\u56de\u306e\u30a2\u30e9\u30fc\u30c8 SOC164 - Suspicious Mshta Behavior Low reputation hta file executed via mshta.exe mshta.exe\u3092\u4f7f\u3063\u3066\u602a\u3057\u3044hta\u30d5\u30a1\u30a4\u30eb\u304c\u5b9f\u884c\u3055\u308c\u305f\uff0e mshta.exe Microsoft(R) HTML \u30a2\u30d7\u30ea\u30b1\u30fc\u30b7\u30e7\u30f3 \u30db\u30b9\u30c8 \u2026","image_url":"https://cdn-ak.f.st-hatena.com/images/fotolife/Z/Zarat/20230117/20230117132107.png"}