DET0506 Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation

Item	Value
ID	DET0506
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1218.005 (Mshta)

Analytics

Windows

AN1397

Detection of mshta.exe execution where command-line arguments reference remote or local HTA/script content (VBScript/JScript) followed by subsequent file creation, network retrieval, or process spawning that indicates payload execution outside standard Internet Explorer security context. Correlation includes parent process lineage, command-line inspection, and network connection creation to untrusted or anomalous endpoints.

Log Sources

Data Component	Name	Channel
Process Creation (DC0032)	WinEventLog:Security	EventCode=4688
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11

Mutable Elements

Field	Description
CommandLinePattern	Regex patterns for mshta.exe arguments referencing remote HTA/script content; may need tuning to exclude known-good internal scripts.
SuspiciousParentProcesses	List of parent processes considered suspicious when spawning mshta.exe (e.g., Office applications, script interpreters).
AllowedHTASources	Whitelist of domains/paths from which legitimate HTAs are executed.
TimeWindow	Time threshold for correlating mshta.exe execution with subsequent network connections or file creations.