MSHTA Execution with Suspicious File Extensions

Severity: high
Author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1059.007` Command and Scripting Interpreter: JavaScript
Defense Evasion	`T1140` Deobfuscate/Decode Files or Information, `T1218.005` System Binary Proxy Execution: Mshta

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\mshta.exe'
OriginalFileName: mshta.exe

Stage 2: `all of selection_cli`

or:
CommandLine|contains: .7z
CommandLine|contains: .avi
CommandLine|contains: .bat
CommandLine|contains: .bmp
CommandLine|contains: .conf
CommandLine|contains: .csv
CommandLine|contains: .dll
CommandLine|contains: .doc
CommandLine|contains: .gif
CommandLine|contains: .gz
CommandLine|contains: .ini
CommandLine|contains: .jpe
CommandLine|contains: .jpg
CommandLine|contains: .json
CommandLine|contains: .lnk
CommandLine|contains: .log
CommandLine|contains: .mkv
CommandLine|contains: .mp3
CommandLine|contains: .mp4
CommandLine|contains: .pdf
CommandLine|contains: .png
CommandLine|contains: .ppt
CommandLine|contains: .rar
CommandLine|contains: .rtf
CommandLine|contains: .svg
CommandLine|contains: .tar
CommandLine|contains: .tmp
CommandLine|contains: .txt
CommandLine|contains: .xls
CommandLine|contains: .xml
CommandLine|contains: .yaml
CommandLine|contains: .yml
CommandLine|contains: .zip
CommandLine|contains: vbscript

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`.7z` corpus 2 (sigma 2) `.avi` `.bat` corpus 8 (sigma 8) `.bmp` corpus 2 (sigma 2) `.conf` `.csv` corpus 2 (sigma 2) `.dll` corpus 15 (sigma 15) `.doc` corpus 4 (sigma 4) `.gif` corpus 6 (sigma 6) `.gz` `.ini` `.jpe` `.jpg` corpus 7 (sigma 7) `.json` `.lnk` corpus 2 (sigma 2) `.log` corpus 2 (sigma 2) `.mkv` `.mp3` corpus 2 (sigma 2) `.mp4` `.pdf` corpus 3 (sigma 3) `.png` corpus 7 (sigma 7) `.ppt` corpus 4 (sigma 4) `.rar` corpus 2 (sigma 2) `.rtf` corpus 2 (sigma 2) `.svg` `.tar` `.tmp` corpus 3 (sigma 3) `.txt` corpus 7 (sigma 7) `.xls` corpus 4 (sigma 4) `.xml` corpus 5 (sigma 5) `.yaml` `.yml` corpus 2 (sigma 2) `.zip` corpus 4 (sigma 4) `vbscript` corpus 2 (sigma 2)
`Image`	ends_with	`\mshta.exe` corpus 57 (sigma 57)
`OriginalFileName`	eq	`mshta.exe` corpus 6 (sigma 6)