Detect Mshta in Google Chronicle
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. Mshta.exe executes Microsoft HTML Applications (HTA) files outside of the Internet Explorer browser security context, bypassing browser security settings and application control solutions. HTA files can be loaded locally, from remote URLs (mshta http://server/payload.hta), or as inline scripts (mshta vbscript:...). This technique is widely used by nation-state APTs including FIN7, Lazarus Group, APT29, APT32, MuddyWater, Kimsuky, Sidewinder, Gamaredon, and many others, making it one of the most commonly abused LOLBins for initial access and execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.005 Mshta
- Canonical reference
- https://attack.mitre.org/techniques/T1218/005/
YARA-L Detection Query
rule t1218_005_mshta_suspicious_execution {
meta:
author = "Argus Detection Engineering"
description = "Detects suspicious mshta.exe execution patterns associated with T1218.005 — Signed Binary Proxy Execution: Mshta. Covers remote URL loading, inline VBScript/JavaScript, COM object invocation, Office application parent processes, and mshta.exe spawning high-risk child processes."
mitre_attack_technique = "T1218.005"
mitre_attack_tactic = "Defense Evasion"
reference = "https://attack.mitre.org/techniques/T1218/005/"
severity = "HIGH"
confidence = "HIGH"
version = "1.0"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
(
re.regex($e.target.process.file.full_path, `(?i)\\mshta\.exe$`) and
(
re.regex($e.target.process.command_line,
`(?i)(https?:\/\/|vbscript:|javascript:|GetObject|WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)`) or
re.regex($e.principal.process.file.full_path,
`(?i)(winword|excel|outlook|powerpnt)\.exe$`) or
re.regex($e.target.process.command_line,
`(?i)(\\\\Temp\\\\|\\\\AppData\\\\|\\\\Downloads\\\\|\\\\Desktop\\\\|\\\\Public\\\\)`)
)
) or
(
re.regex($e.principal.process.file.full_path, `(?i)\\mshta\.exe$`) and
re.regex($e.target.process.file.full_path,
`(?i)\\(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe$`)
)
)
condition:
$e
}Chronicle Security Operations (Google SecOps) YARA-L 2.0 rule detecting T1218.005 mshta.exe abuse using the UDM process launch event model. The rule fires on two patterns: (1) mshta.exe as the target process with suspicious command-line indicators or an Office/Explorer parent, and (2) mshta.exe as the principal (parent) process spawning a known post-exploitation binary. Uses re.regex() for case-insensitive path and command-line matching against UDM fields.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise asset management or inventory agents built on HTA that legitimately load configuration data from internal HTTP shares — the RemoteURL indicator will fire even for trusted intranet URLs, so enrich with internal IP allowlists before escalating
- Windows IT toolkits distributed via software management platforms where mshta.exe is used to render post-install configuration wizards stored in AppData, triggering the writable-path path indicator
- Red team or purple team exercises that explicitly test mshta.exe detection coverage; cross-reference against the organisation's threat simulation calendar and authorised tool inventory
Other platforms for T1218.005
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Mshta Remote HTA Execution
Expected signal: Sysmon Event ID 1: mshta.exe with URL in command line. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080. Sysmon Event ID 22 (DNS Query) if a domain was used instead of IP. Security Event ID 4688.
- Test 2Mshta Inline VBScript Execution
Expected signal: Sysmon Event ID 1: mshta.exe with 'vbscript:' and 'CreateObject' in command line. Sysmon Event ID 1: cmd.exe as a child of mshta.exe. Sysmon Event ID 11: File created at temp path. Security Event ID 4688 for both processes.
- Test 3Mshta Launched from Office Application Path
Expected signal: Sysmon Event ID 1: cmd.exe, then mshta.exe with vbscript: and Execute in command line. InlineScript, GetObject/ShellInvoke indicators fire. If the obfuscated CreateObject resolves, WScript.Shell child process spawns calc.exe as grandchild of mshta.
References (7)
- https://attack.mitre.org/techniques/T1218/005/
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
- https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
- https://msdn.microsoft.com/library/ms536471.aspx
Unlock Pro Content
Get the full detection package for T1218.005 including response playbook, investigation guide, and atomic red team tests.