MSHTA Execution With Suspicious File Extensions

    Date: 06/12/2025

    Severity: Medium

    Summary

    Detects instances where mshta.exe is used to execute files whose extensions are not typically associated with HTA (HTML Application) content, such as .png, .jpg, .zip and .pdf; such files are often polyglots that carry script content behind an innocuous extension. MSHTA is a legitimate Windows tool designed to run HTML Applications containing VBScript or JScript. However, threat actors frequently abuse this living-off-the-land binary (LOLBIN) to download and execute malicious scripts disguised as harmless files, or rely on misleading extensions to bypass security detection.

    Indicators of Compromise (IOC) List

    Image: mshta.exe

    CommandLine (any of the following):
    '.7z', '.avi', '.bat', '.bmp', '.conf', '.csv', '.dll', '.doc', '.gif', '.gz', '.ini', '.jpe', '.jpg', '.json', '.lnk', '.log', '.mkv', '.mp3', '.mp4', '.pdf', '.png', '.ppt', '.rar', '.rtf', '.svg', '.tar', '.tmp', '.txt', '.xls', '.xml', '.yaml', '.yml', '.zip', 'vbscript'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security"  AND eventtype = "4688") AND (processname like "mshta.exe") AND (commandline like ".7z" OR commandline like ".avi" OR commandline like ".bat" OR commandline like ".bmp" OR commandline like ".conf" OR commandline like ".csv" OR commandline like ".dll" OR commandline like ".doc" OR commandline like ".gif" OR commandline like ".gz" OR commandline like ".ini" OR commandline like ".jpe" OR commandline like ".jpg" OR commandline like ".json" OR commandline like ".lnk" OR commandline like ".log" OR commandline like ".mkv" OR commandline like ".mp3" OR commandline like ".mp4" OR commandline like ".pdf" OR commandline like ".png" OR commandline like ".ppt" OR commandline like ".rar" OR commandline like ".rtf" OR commandline like ".svg" OR commandline like ".tar" OR commandline like ".tmp" OR commandline like ".txt" OR commandline like ".xls" OR commandline like ".xml" OR commandline like ".yaml" OR commandline like ".yml" OR commandline like ".zip" OR commandline like "vbscript")

    Detection Query 2:

    technologygroup = "EDR" AND (processname like "mshta.exe") AND (commandline like ".7z" OR commandline like ".avi" OR commandline like ".bat" OR commandline like ".bmp" OR commandline like ".conf" OR commandline like ".csv" OR commandline like ".dll" OR commandline like ".doc" OR commandline like ".gif" OR commandline like ".gz" OR commandline like ".ini" OR commandline like ".jpe" OR commandline like ".jpg" OR commandline like ".json" OR commandline like ".lnk" OR commandline like ".log" OR commandline like ".mkv" OR commandline like ".mp3" OR commandline like ".mp4" OR commandline like ".pdf" OR commandline like ".png" OR commandline like ".ppt" OR commandline like ".rar" OR commandline like ".rtf" OR commandline like ".svg" OR commandline like ".tar" OR commandline like ".tmp" OR commandline like ".txt" OR commandline like ".xls" OR commandline like ".xml" OR commandline like ".yaml" OR commandline like ".yml" OR commandline like ".zip" OR commandline like "vbscript")
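    The same match logic as the two queries above, expressed in Python so it can be run offline against sample 4688 process-creation records. This is an added example, not part of the original detection content or Gurucul's query engine; the event field names (NewProcessName, CommandLine) follow the Windows 4688 schema and the sample events are constructed. It lowercases both fields before matching, since Windows paths are case-insensitive, and the last sample shows that a substring match on ".tmp" also fires on a directory name, which is worth knowing when tuning exclusions.

```python
# Extension / keyword tokens from the detection, matched as lower-case substrings.
SUSPICIOUS_TOKENS = (
    ".7z", ".avi", ".bat", ".bmp", ".conf", ".csv", ".dll", ".doc", ".gif", ".gz",
    ".ini", ".jpe", ".jpg", ".json", ".lnk", ".log", ".mkv", ".mp3", ".mp4", ".pdf",
    ".png", ".ppt", ".rar", ".rtf", ".svg", ".tar", ".tmp", ".txt", ".xls", ".xml",
    ".yaml", ".yml", ".zip", "vbscript",
)

# Constructed sample events shaped like Windows Security 4688 process-creation records.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\Public\invoice.png"},          # polyglot-style .png
    {"EventID": 4688, "NewProcessName": r"C:\WINDOWS\SYSTEM32\MSHTA.EXE",
     "CommandLine": r"MSHTA.EXE C:\USERS\PUBLIC\INVOICE.PNG"},          # same, upper-case
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type C:\Users\Public\invoice.png"},    # not mshta: ignored
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\dashboard.hta"},  # ordinary .hta
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.tmp\run.hta"},  # ".tmp" in a directory name
]


def is_suspicious_mshta(event):
    """Return the first matching token for a suspicious mshta.exe launch, else None.

    Mirrors the queries: event 4688, image is mshta.exe, command line contains
    any listed token. Matching is case-insensitive, as Windows paths are.
    """
    if event.get("EventID") != 4688:
        return None
    image = event.get("NewProcessName", "").lower()
    if image != "mshta.exe" and not image.endswith("\\mshta.exe"):
        return None
    cmd = event.get("CommandLine", "").lower()
    for token in SUSPICIOUS_TOKENS:
        if token in cmd:
            return token
    return None


def scan_events(events):
    """Return (command line, matched token) pairs for every event that fires."""
    hits = []
    for event in events:
        token = is_suspicious_mshta(event)
        if token is not None:
            hits.append((event["CommandLine"], token))
    return hits


if __name__ == "__main__":
    for cmdline, token in scan_events(SAMPLE_EVENTS):
        print(f"ALERT token={token!r}: {cmdline}")
```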

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml

    Tags

    Sigma, MSHTA
