alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"🐾 - 🚨 Suspicious MSHTA connection to Internet 🌐 - T1105"; flow:to_server, stateless; http.user_agent; content:"|4d 6f 7a 69 6c 6c 61 2f 34 2e 30 20 28 63 6f 6d 70 61 74 69 62 6c 65 3b 20 4d 53 49 45 20 37 2e 30 3b 20 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b|"; startswith; fast_pattern; content:"|54 72 69 64 65 6e 74 2f 37 2e 30 3b 20 2e 4e 45 54 34 2e 30 43 3b 20 2e 4e 45 54 34 2e 30 45 29|"; endswith; reference:url,https://lolbas-project.github.io/lolbas/Binaries/Mshta/#download; target:src_ip; metadata:signature_severity Major, attack_target Client_and_Server, affected_product Windows_XP_Vista_7_8_10_11_Server_32_64_Bit, mitre_tactic_id TA0005, mitre_tactic_name Defense_Evasion, mitre_technique_id T1218_005, mitre_technique_name System_Binary_Proxy_Execution_Mshta, mitre_tactic_id TA0011, mitre_tactic_name Command_and_Control, mitre_technique_id T1105, mitre_technique_name Ingress_Tool_Transfer, created_at 2024_08_01, updated_at 2024_08_01; sid:3321315; rev:1; classtype:command-and-control;)