MSHTA Suspicious Execution 01

About the rule

Rule Type

Standard

Rule Description

Mshta.exe is a legitimate Windows binary used to execute Microsoft HTML Applications (HTA). Attackers often abuse mshta.exe to execute malicious scripts or code hosted locally or remotely, taking advantage of its ability to run JavaScript or VBScript in a trusted context. This technique is commonly used in phishing attacks, initial access, or execution of payloads without dropping a binary to disk, making detection more difficult. Suspicious usage of mshta.exe should be carefully monitored, particularly when it launches with encoded commands, remote URLs, or non-standard HTA files.

Severity

Trouble

Rule journey

Attack chain scenario

Initial Access → Execution → Persistence → Defense Evasion → Command and Control

Impact

• Credential theft
• Remote Code Execution
• Lateral movement
• Data Exfiltration

Rule Requirement

Prerequisites

Using Windows event viewer:
To enable detailed process tracking in a domain environment, log in to a domain controller using domain admin credentials and open the Group Policy Management Console (GPMC). Create or edit a GPO linked to the target OU and navigate to the Advanced Audit Policy Configuration section to enable success auditing for both process creation and termination. To capture command-line details, enable the Include command line in process creation events setting under Audit Process Creation. Additionally, create the Microsoft-Windows-Security-Auditing/Operational registry key in the specified EventLog path to support enhanced auditing.

Using Sysmon:
To enable detailed process monitoring using Sysmon, first download and install it from Microsoft Sysinternals. Run Command Prompt as an administrator and install Sysmon with a configuration file that includes process creation tracking using sysmon.exe -i [configfile.xml]. Ensure your configuration includes a <ProcessCreate> filter to capture all process creation events. Additionally, create the Microsoft-Windows-Sysmon/Operational registry key under the EventLog path if it doesn’t already exist.

Criteria

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Defense Evasion: Deobfuscate/Decode Files or Information (T1140),
Defense Evasion: System Binary Proxy Execution - Mshta (T1218.005),
Execution: Command and Scripting Interpreter - JavaScript (T1059.007)

Security Standards

Enabling this rule will help you meet the security standard's requirement listed below:

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

By detecting suspicious executions of mshta.exe, this rule helps surface instances where attackers attempt to bypass traditional defenses using trusted Windows utilities.

Author

Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule)

Future actions

Known False Positives

System administrators or legitimate applications may invoke mshta.exe for valid operations such as software installations or internal tools using HTML Applications (HTA).

Next Steps

When this rule is triggered, the following measures can be implemented:

• Identification: Review the command-line arguments used with mshta.exe. Check if it references external URLs, suspicious script paths, or encoded commands.
• Analysis: Use EDR or logging tools to trace the parent process and assess whether the execution was user-initiated or automated.
• Response: Isolate the affected host, block the URL or script path, and remove any persistence mechanisms or payloads dropped.
• Restrict HTA Execution: Block or limit usage of mshta.exe via application control or endpoint protection policies, especially on non-developer endpoints.

Mitigation