T1218.005 Mshta Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousPatterns = dynamic([
  "http://", "https://", "vbscript:", "javascript:",
  "GetObject", "WScript.Shell", "Shell.Application",
  "CreateObject", "ActiveXObject", "cmd.exe", "powershell"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "mshta.exe"
| extend RemoteURL = ProcessCommandLine has_any ("http://", "https://")
| extend InlineScript = ProcessCommandLine has_any ("vbscript:", "javascript:")
| extend GetObject = ProcessCommandLine has "GetObject"
| extend ShellInvoke = ProcessCommandLine has_any ("WScript.Shell", "Shell.Application", "CreateObject")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "explorer.exe")
| extend HTAPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Desktop", "Public")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, RemoteURL, InlineScript, GetObject, ShellInvoke, SuspiciousParent, HTAPath
| sort by Timestamp desc
union (
  DeviceProcessEvents
  | where Timestamp > ago(24h)
  | where InitiatingProcessFileName =~ "mshta.exe"
  | project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
           InitiatingProcessFileName, InitiatingProcessCommandLine
  | sort by Timestamp desc
)

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legacy enterprise applications that use HTA files for management interfaces or configuration wizards
Some older IT management tools (HP, Dell BIOS update utilities) that use HTA for their installation UI
Legitimate corporate HTA-based tools deployed by IT for specific administrative tasks
Software vendors whose legacy applications use HTA for splash screens or update notifications

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(Image="*\\mshta.exe" OR ParentImage="*\\mshta.exe")
| eval RemoteURL=if(match(CommandLine, "http[s]?://"), 1, 0)
| eval InlineScript=if(match(CommandLine, "(vbscript:|javascript:)"), 1, 0)
| eval GetObject=if(match(CommandLine, "GetObject"), 1, 0)
| eval ShellInvoke=if(match(CommandLine, "(WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)"), 1, 0)
| eval OfficeParent=if(match(ParentImage, "(winword|excel|outlook|powerpnt)\.exe"), 1, 0)
| eval HTAPath=if(match(CommandLine, "(Temp|AppData|Downloads|Desktop|Public)"), 1, 0)
| eval SuspiciousChild=if(ParentImage="*\\mshta.exe" AND match(Image, "(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe"), 1, 0)
| eval RiskScore=RemoteURL + InlineScript + GetObject + ShellInvoke + OfficeParent + HTAPath + SuspiciousChild
| where RiskScore > 0 OR ParentImage="*\\mshta.exe"
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, RemoteURL, InlineScript, GetObject, ShellInvoke, OfficeParent, HTAPath, SuspiciousChild, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy enterprise applications that use HTA files for management interfaces or configuration wizards
Some older IT management tools (HP, Dell BIOS update utilities) that use HTA for their installation UI
Legitimate corporate HTA-based tools deployed by IT for specific administrative tasks
Software vendors whose legacy applications use HTA for splash screens or update notifications

Elastic Security (EQL)

eql

process where event.type == "start" and
(
  (
    process.name : "mshta.exe" and
    (
      process.command_line : ("*http://*", "*https://*", "*vbscript:*", "*javascript:*",
                               "*GetObject*", "*WScript.Shell*", "*Shell.Application*",
                               "*CreateObject*", "*ActiveXObject*", "*cmd.exe*", "*powershell*") or
      process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe", "explorer.exe") or
      process.command_line : ("*\\Temp\\*", "*\\AppData\\*", "*\\Downloads\\*", "*\\Desktop\\*", "*\\Public\\*")
    )
  ) or
  (
    process.parent.name : "mshta.exe" and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe")
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon (via Elastic Agent) Elastic Defend

Required Tables

logs-endpoint.events.process-* .ds-logs-windows.sysmon_operational-* logs-system.security-*

False Positives

Legacy enterprise applications that ship legitimate HTA-based administrative consoles or installer wizards — particularly common in older healthcare, finance, and manufacturing ISV software that has not been modernised away from IE-era tooling
IT provisioning or helpdesk workflows using SCCM/ConfigMgr or custom HTA front-ends to guide technicians through build steps; these frequently load HTA files from UNC paths or local AppData staging directories
Developer and QA workstations actively building or testing HTA-based tooling where inline script evaluation or CreateObject calls are expected behaviour during the development cycle

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  username AS "User",
  "Image" AS "Process Path",
  "CommandLine" AS "Command Line",
  "ParentImage" AS "Parent Process",
  "ParentCommandLine" AS "Parent Command Line",
  CASE WHEN LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%' THEN 1 ELSE 0 END AS "RemoteURL",
  CASE WHEN LOWER("CommandLine") LIKE '%vbscript:%' OR LOWER("CommandLine") LIKE '%javascript:%' THEN 1 ELSE 0 END AS "InlineScript",
  CASE WHEN "CommandLine" LIKE '%GetObject%' THEN 1 ELSE 0 END AS "GetObject",
  CASE WHEN "CommandLine" LIKE '%WScript.Shell%' OR "CommandLine" LIKE '%Shell.Application%' OR "CommandLine" LIKE '%CreateObject%' OR "CommandLine" LIKE '%ActiveXObject%' THEN 1 ELSE 0 END AS "ShellInvoke",
  CASE WHEN LOWER("ParentImage") LIKE '%winword.exe%' OR LOWER("ParentImage") LIKE '%excel.exe%' OR LOWER("ParentImage") LIKE '%outlook.exe%' OR LOWER("ParentImage") LIKE '%powerpnt.exe%' THEN 1 ELSE 0 END AS "OfficeParent",
  CASE WHEN LOWER("CommandLine") LIKE '%temp%' OR LOWER("CommandLine") LIKE '%appdata%' OR LOWER("CommandLine") LIKE '%downloads%' OR LOWER("CommandLine") LIKE '%desktop%' OR LOWER("CommandLine") LIKE '%public%' THEN 1 ELSE 0 END AS "HTAPath",
  CASE WHEN LOWER("ParentImage") LIKE '%\mshta.exe' AND (LOWER("Image") LIKE '%\cmd.exe' OR LOWER("Image") LIKE '%\powershell.exe' OR LOWER("Image") LIKE '%\wscript.exe' OR LOWER("Image") LIKE '%\cscript.exe' OR LOWER("Image") LIKE '%\certutil.exe' OR LOWER("Image") LIKE '%\bitsadmin.exe' OR LOWER("Image") LIKE '%\regsvr32.exe' OR LOWER("Image") LIKE '%\rundll32.exe') THEN 1 ELSE 0 END AS "SuspiciousChild"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND deviceTime > NOW() - 86400000
  AND (LOWER("Image") LIKE '%\mshta.exe' OR LOWER("ParentImage") LIKE '%\mshta.exe')
  AND (
    LOWER("CommandLine") LIKE '%http://%' OR
    LOWER("CommandLine") LIKE '%https://%' OR
    LOWER("CommandLine") LIKE '%vbscript:%' OR
    LOWER("CommandLine") LIKE '%javascript:%' OR
    "CommandLine" LIKE '%GetObject%' OR
    "CommandLine" LIKE '%WScript.Shell%' OR
    "CommandLine" LIKE '%Shell.Application%' OR
    "CommandLine" LIKE '%CreateObject%' OR
    "CommandLine" LIKE '%ActiveXObject%' OR
    LOWER("ParentImage") LIKE '%winword.exe%' OR
    LOWER("ParentImage") LIKE '%excel.exe%' OR
    LOWER("ParentImage") LIKE '%outlook.exe%' OR
    LOWER("ParentImage") LIKE '%powerpnt.exe%' OR
    LOWER("ParentImage") LIKE '%\mshta.exe'
  )
ORDER BY deviceTime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

Windows Security Event Log (QRadar DSM) Sysmon for Windows (QRadar DSM) Microsoft Endpoint Defense (optional enrichment)

Required Tables

events

False Positives

Enterprise middleware or ERP applications (e.g. SAP GUI, legacy Oracle Forms wrappers) that use HTA scaffolding and call COM objects such as Shell.Application for file-open dialogs or CreateObject for data exchange — these will score highly on ShellInvoke despite being benign
Software deployment tooling that stages HTA installer UIs into %APPDATA% or %TEMP% as part of a sanctioned software delivery pipeline, triggering the HTAPath indicator
Penetration testing or red team exercises with explicit authorisation that use mshta.exe as a test vector; confirm against change management records before escalating

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*WinEventLog*)
| where !isNull(EventCode) and EventCode = "1"
| where Image matches "(?i).*mshta\.exe" OR ParentImage matches "(?i).*mshta\.exe"
| if(CommandLine matches "(?i)https?://", 1, 0) as RemoteURL
| if(CommandLine matches "(?i)(vbscript:|javascript:)", 1, 0) as InlineScript
| if(CommandLine matches "(?i)GetObject", 1, 0) as GetObject
| if(CommandLine matches "(?i)(WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)", 1, 0) as ShellInvoke
| if(ParentImage matches "(?i)(winword|excel|outlook|powerpnt)\.exe", 1, 0) as OfficeParent
| if(CommandLine matches "(?i)(Temp|AppData|Downloads|Desktop|Public)", 1, 0) as HTAPath
| if(ParentImage matches "(?i).*mshta\.exe" AND Image matches "(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe", 1, 0) as SuspiciousChild
| RemoteURL + InlineScript + GetObject + ShellInvoke + OfficeParent + HTAPath + SuspiciousChild as RiskScore
| where RiskScore > 0 OR ParentImage matches "(?i).*mshta\.exe"
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, RemoteURL, InlineScript, GetObject, ShellInvoke, OfficeParent, HTAPath, SuspiciousChild, RiskScore
| sort by _messageTime desc

high severity high confidence

Data Sources

Sysmon for Windows (Sumo Logic Collector) Windows Event Log Collector Sumo Logic Cloud SIEM (normalised process events)

Required Tables

Sumo Logic log partitions indexed under Sysmon or WinEventLog source categories

False Positives

Legacy line-of-business applications built on the Microsoft HTA platform that legitimately invoke WScript.Shell or CreateObject to interact with local COM automation interfaces — common in older healthcare and legal document management systems
SCCM task sequences or PDQ Deploy jobs that unpack HTA-based setup UIs into the user's Temp or AppData directory as part of a managed software install, simultaneously triggering HTAPath and ShellInvoke indicators
Security awareness or phishing simulation platforms (e.g. KnowBe4, Proofpoint Security Awareness) that use benign mshta payloads to demonstrate phishing risk to end users during authorised exercises

Google Chronicle / SecOps

yaral

rule t1218_005_mshta_suspicious_execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious mshta.exe execution patterns associated with T1218.005 — Signed Binary Proxy Execution: Mshta. Covers remote URL loading, inline VBScript/JavaScript, COM object invocation, Office application parent processes, and mshta.exe spawning high-risk child processes."
    mitre_attack_technique = "T1218.005"
    mitre_attack_tactic = "Defense Evasion"
    reference = "https://attack.mitre.org/techniques/T1218/005/"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        re.regex($e.target.process.file.full_path, `(?i)\\mshta\.exe$`) and
        (
          re.regex($e.target.process.command_line,
            `(?i)(https?:\/\/|vbscript:|javascript:|GetObject|WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)`) or
          re.regex($e.principal.process.file.full_path,
            `(?i)(winword|excel|outlook|powerpnt)\.exe$`) or
          re.regex($e.target.process.command_line,
            `(?i)(\\\\Temp\\\\|\\\\AppData\\\\|\\\\Downloads\\\\|\\\\Desktop\\\\|\\\\Public\\\\)`)
        )
      ) or
      (
        re.regex($e.principal.process.file.full_path, `(?i)\\mshta\.exe$`) and
        re.regex($e.target.process.file.full_path,
          `(?i)\\(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe$`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google SecOps UDM (Chronicle) Windows Sensor / Sysmon ingested via Chronicle forwarder CrowdStrike Falcon or Microsoft Defender for Endpoint (Chronicle-integrated)

Required Tables

UDM events with metadata.event_type = PROCESS_LAUNCH

False Positives

Enterprise asset management or inventory agents built on HTA that legitimately load configuration data from internal HTTP shares — the RemoteURL indicator will fire even for trusted intranet URLs, so enrich with internal IP allowlists before escalating
Windows IT toolkits distributed via software management platforms where mshta.exe is used to render post-install configuration wizards stored in AppData, triggering the writable-path path indicator
Red team or purple team exercises that explicitly test mshta.exe detection coverage; cross-reference against the organisation's threat simulation calendar and authorised tool inventory

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| FileName = /(?i)^mshta\.exe$/ OR ParentBaseFileName = /(?i)^mshta\.exe$/
| RemoteURL := if(CommandLine = /(?i)https?:\/\//, "true", "false")
| InlineScript := if(CommandLine = /(?i)(vbscript:|javascript:)/, "true", "false")
| GetObject := if(CommandLine = /(?i)GetObject/, "true", "false")
| ShellInvoke := if(CommandLine = /(?i)(WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)/, "true", "false")
| OfficeParent := if(ParentBaseFileName = /(?i)^(winword|excel|outlook|powerpnt)\.exe$/, "true", "false")
| HTAPath := if(CommandLine = /(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Desktop\\|\\Public\\)/, "true", "false")
| SuspiciousChild := if(ParentBaseFileName = /(?i)^mshta\.exe$/ AND FileName = /(?i)^(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe$/, "true", "false")
| Suspicious := if(RemoteURL = "true" OR InlineScript = "true" OR GetObject = "true" OR ShellInvoke = "true" OR OfficeParent = "true" OR HTAPath = "true" OR SuspiciousChild = "true", "true", "false")
| filter(Suspicious = "true" OR ParentBaseFileName = /(?i)^mshta\.exe$/)
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteURL, InlineScript, GetObject, ShellInvoke, OfficeParent, HTAPath, SuspiciousChild])
| sort(timestamp, order=desc, limit=500)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor (ProcessRollup2 events) Falcon Data Replicator CrowdStrike Falcon LogScale

Required Tables

#event_simpleName=ProcessRollup2 (Falcon telemetry stream)

False Positives

Falcon sensors deployed on systems running legacy HTA-based enterprise applications — particularly ERP or clinical systems where mshta.exe is part of a sanctioned application stack; build a suppression list keyed on ComputerName and a hash allowlist for known-good HTA binaries
Software distribution workflows where ConfigMgr or a third-party deployment tool stages and executes HTA-based installer UIs in user-writable paths; the HTAPath indicator will fire consistently — correlate with Falcon's application inventory to identify managed installers
Authorised offensive security engagements using mshta.exe as a test payload; Falcon's Detection Graph should surface associated IOAs regardless, but verify against the engagement schedule before escalating to IR

Mshta

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections