ATT&CK coverage › Technique

System Binary Proxy Execution: Mshta `T1218.005`

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code

Events covered

5 catalog events are tagged with this technique by at least one rule.

Provider	Event ID	Title
Sysmon	1	Process creation
Sysmon	8	CreateRemoteThread
Sysmon	11	FileCreate
Sysmon	13	RegistryEvent (Value Set)
Security-Auditing	4688	A new process has been created.

Authoring guide

Patterns shared across the 10 rules above: which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (11 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	8	`ends_with` 7, `eq` 1	`\mshta.exe`, `\csc.exe`, `\excel.exe`, `\winword.exe`, `\System32\mshta.exe`
`OriginalFileName`	6	`eq` 6	`MSHTA.EXE`, `csc.exe`, `mshta.exe`, `REGSVR32.EXE`, `PowerShell.EXE`
`ParentImage`	3	`ends_with` 3, `starts_with` 1, `eq` 1	`\excel.exe`, `\onenote.exe`, `C:\Windows\System32\sdiagnhost.exe`, `\svchost.exe`, `\mshta.exe`
`CommandLine`	3	`match` 3	`.gz`, `.gif`, `.tmp`, `https://`, `http://`
`TargetFilename`	2	`in` 2	`"\\Windows\\tracing\\"`, `"\\Windows\\Temp\\"`, `"\\Windows\\System32\\Com\\dmp\\"`, `"\\Windows\\System32\\LogFiles\\WMI\\"`, `"\\Windows\\System32\\Tasks\\"`
`ParentCommandLine`	1	`match` 1, `regex_match` 1	`FromBase64String`, `\Contacts\`, `:\Windows\Temp\`
`TargetImage`	1	`match` 1	`\SysWOW64\`
`StartModule`	1	`is_null` 1
`Details`	1	`in` 1, `eq` 1	`"mshta"`, `"vbscript:"`, `"javascript:"`
`EventID`	1	`eq` 1	`11`
`file_name`	1	`eq` 1	`*.txt`

Top indicator values (130 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field	Kind	Value	Rules (here)	Corpus reach
`Image`	`ends_with`	`\mshta.exe`	4	57
`ParentImage`	`ends_with`	`\mshta.exe`	2	10
`OriginalFileName`	`eq`	`MSHTA.EXE`	2	7
`TargetFilename`	`in`	`"\\Windows\\System32\\spool\\drivers\\color\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\System32\\Microsoft\\Crypto\\RSA\\MachineKeys\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\Temp\\"`	2	3
`TargetFilename`	`in`	`"\\Windows\\Registration\\CRMLog\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\PLA\\Templates\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\PLA\\Reports\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\SysWOW64\\Tasks\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\Tasks\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\System32\\spool\\PRINTERS\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\PLA\\Rules\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\System32\\Tasks\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\tracing\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\System32\\LogFiles\\WMI\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\System32\\spool\\SERVERS\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\System32\\Com\\dmp\\"`	2	2
`TargetFilename`	`in`	`"\\Windows\\SysWOW64\\Com\\dmp\\"`	2	2
`ParentImage`	`starts_with`	`C:\Program Files\`	1	2

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 7 rules

Csc.EXE Execution Form Potentially Suspicious Parent severity high, 1 event, 33 indicators, 0 exclusions
HackTool - CACTUSTORCH Remote Thread Creation severity high, 1 event, 6 indicators, 0 exclusions
MSHTA Execution with Suspicious File Extensions severity high, 1 event, 36 indicators, 0 exclusions
Potential LethalHTA Technique Execution severity high, 2 events, 2 indicators, 0 exclusions
Remotely Hosted HTA File Executed Via Mshta.EXE severity high, 1 event, 5 indicators, 0 exclusions
Suspicious JavaScript Execution Via Mshta.EXE severity high, 1 event, 3 indicators, 0 exclusions
Suspicious MSHTA Child Process severity high, 1 event, 20 indicators, 0 exclusions

Splunk 3 rules

Windows Mshta Execution In Registry 1 event, 4 indicators, 0 exclusions
Windows MSHTA Writing to World Writable Path 1 event, 19 indicators, 0 exclusions
Windows Process Writing File to World Writable Path 1 event, 23 indicators, 0 exclusions

System Binary Proxy Execution: Mshta T1218.005