Mshta Executions
Query
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'csscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'mshta.exe' or ProcessVersionInfoOriginalFileName =~ 'mshta.exe'
// Optionally only list suspicious child processes
//| where FileName in~ (SuspiciousChildProcesses)
| project-reorder Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileNameAbout this query
MSHTA Executions
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1218.005 | System Binary Proxy Execution: Mshta | https://attack.mitre.org/techniques/T1218/005/ |
Description
This query lists all mshta executions, or if mshta is used legitimately can be used to filter on suspicious mshta child processes.
Risk
Threat actors can use mshta to drop payloads on systems.
References
Defender XDR
Sentinel
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'csscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'mshta.exe' or ProcessVersionInfoOriginalFileName =~ 'mshta.exe'
// Optionally only list suspicious child processes
//| where FileName in~ (SuspiciousChildProcesses)
| project-reorder TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
Explanation
This query is designed to identify and list all instances where the mshta.exe process is executed on a system. mshta.exe is a legitimate Windows utility that can be exploited by threat actors to execute malicious scripts or payloads. The query is part of a security monitoring strategy to detect potential misuse of this utility.
Key Points:
- Purpose: To track the execution of
mshta.exeand identify potentially suspicious activity. - Technique: It relates to the MITRE ATT&CK technique T1218.005, which involves using system binaries like
mshta.exefor proxy execution. - Risk: Malicious actors can use
mshta.exeto deploy harmful payloads on a system. - Functionality: The query checks for processes initiated by
mshta.exeand can be refined to focus on suspicious child processes, such ascmd.exe,powershell.exe, and others. - Output: The query outputs a reordered list of relevant details, including timestamps, device names, command lines, and user accounts involved in the process execution.
This query can be used in both Microsoft Defender XDR and Microsoft Sentinel environments to enhance threat detection capabilities.
