Detect Mshta Exe Running Scripts In Command-Line Arguments
This search looks for the execution of "mshta.exe" with command-line arguments that launch a script. The search will return the first time and last time these command-line arguments were used for these executions, as well as the target system, the user, process "mshta.exe" and its parent process.
This content is not mapped to any local saved search. Add mapping
Detect Mshta Exe Running Scripts In Command-Line Arguments Help
To successfully implement this search, you need to be ingesting logs with the process name, parent process, and command-line executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.
Open in Search