Detect Mshta Exe Running Scripts In Command-Line Arguments

Description

This search looks for the execution of "mshta.exe" with command-line arguments that launch a script. The search returns the first and last time these command-line arguments were used for such executions, as well as the target system, the user, the "mshta.exe" process, and its parent process.


Use Case

Security Monitoring

Category

Adversary Tactics

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Signed Binary Proxy Execution

Mshta

MITRE Threat Groups

APT32
FIN7
Inception
Kimsuky
Lazarus Group
MuddyWater

Detect Mshta Exe Running Scripts In Command-Line Arguments Help

To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
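The detection logic described above, applied to the fields the implementation note calls for (process name, parent process, command line), as an added Python example that is not part of Splunk Security Essentials or its SPL. The events are constructed Sysmon-style process-creation records, and the markers used to recognise an inline script in mshta's arguments (vbscript:, javascript:, about:) are an assumption, not taken from the page.

```python
import re
from datetime import datetime

# Constructed Sysmon-style process-creation events (not real telemetry).
EVENTS = [
    {"time": "2023-05-01T10:00:00", "dest": "ws01", "user": "CORP\\alice",
     "process_name": "mshta.exe", "parent_process_name": "winword.exe",
     "process": 'mshta.exe vbscript:MsgBox("constructed sample")'},
    {"time": "2023-05-01T10:05:00", "dest": "ws01", "user": "CORP\\alice",
     "process_name": "mshta.exe", "parent_process_name": "winword.exe",
     "process": 'mshta.exe vbscript:MsgBox("constructed sample")'},
    # mshta launching an .hta file, not an inline script: should not match
    {"time": "2023-05-01T11:00:00", "dest": "ws02", "user": "CORP\\bob",
     "process_name": "mshta.exe", "parent_process_name": "explorer.exe",
     "process": "mshta.exe C:\\Program Files\\Vendor\\help.hta"},
    # keyword present but a different process: should not match
    {"time": "2023-05-01T11:30:00", "dest": "ws02", "user": "CORP\\bob",
     "process_name": "cmd.exe", "parent_process_name": "explorer.exe",
     "process": "cmd.exe /c echo vbscript:"},
]

# Assumed markers of an inline script in mshta's command line.
SCRIPT_ARGS = re.compile(r"\b(vbscript|javascript|about):", re.IGNORECASE)


def detect_mshta_scripts(events):
    """Return one row per (dest, user, command line, parent) for mshta.exe
    executions whose arguments launch a script, with first and last seen."""
    results = {}
    for ev in events:
        if ev["process_name"].lower() != "mshta.exe":
            continue
        if not SCRIPT_ARGS.search(ev["process"]):
            continue
        key = (ev["dest"], ev["user"], ev["process"], ev["parent_process_name"])
        t = datetime.fromisoformat(ev["time"])
        first, last = results.get(key, (t, t))
        results[key] = (min(first, t), max(last, t))
    return [
        {"dest": k[0], "user": k[1], "process": k[2], "parent_process_name": k[3],
         "firstTime": v[0].isoformat(), "lastTime": v[1].isoformat()}
        for k, v in results.items()
    ]


if __name__ == "__main__":
    for row in detect_mshta_scripts(EVENTS):
        print(row)
```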
