
# MSHTA Executions

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1218.005| System Binary Proxy Execution: Mshta | https://attack.mitre.org/techniques/T1218/005/ |

#### Description
This query lists all mshta.exe executions. In environments where mshta.exe is used legitimately, the commented-out filter can be enabled to list only suspicious child processes spawned by mshta.exe.

#### Risk
Threat actors can use mshta to drop payloads on systems.

#### References
- https://redcanary.com/threat-detection-report/techniques/mshta/

## Defender XDR
```KQL
// cscript.exe (Windows Script Host console) was misspelled as csscript.exe in the original list
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
// Parent is mshta.exe, or the process itself carries mshta's original file name (catches renamed copies)
| where InitiatingProcessFileName =~ 'mshta.exe' or ProcessVersionInfoOriginalFileName =~ 'mshta.exe'
// Optionally only list suspicious child processes
//| where FileName in~ (SuspiciousChildProcesses)
| project-reorder Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
```

## Sentinel
```KQL
// cscript.exe (Windows Script Host console) was misspelled as csscript.exe in the original list
let SuspiciousChildProcesses = dynamic(['cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe', 'mshta.exe', 'msiexec.exe', 'rundll32.exe']);
DeviceProcessEvents
// Parent is mshta.exe, or the process itself carries mshta's original file name (catches renamed copies)
| where InitiatingProcessFileName =~ 'mshta.exe' or ProcessVersionInfoOriginalFileName =~ 'mshta.exe'
// Optionally only list suspicious child processes
//| where FileName in~ (SuspiciousChildProcesses)
| project-reorder TimeGenerated, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName
```

## Explanation

This query is designed to identify and list all instances where the mshta.exe process is executed on a system. mshta.exe is a legitimate Windows utility that can be exploited by threat actors to execute malicious scripts or payloads. The query is part of a security monitoring strategy to detect potential misuse of this utility.

Key Points:

- Purpose: To track the execution of mshta.exe and identify potentially suspicious activity.
- Technique: It relates to the MITRE ATT&CK technique T1218.005, which involves using system binaries like mshta.exe for proxy execution.
- Risk: Malicious actors can use mshta.exe to deploy harmful payloads on a system.
- Functionality: The query checks for processes initiated by mshta.exe and can be refined to focus on suspicious child processes, such as cmd.exe, powershell.exe, and others.
- Output: The query outputs a reordered list of relevant details, including timestamps, device names, command lines, and user accounts involved in the process execution.

This query can be used in both Microsoft Defender XDR and Microsoft Sentinel environments to enhance threat detection capabilities.
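To make the two filter modes of the query concrete, here is an added example (not part of the original page or the author's query) that re-implements the `where` clause and the `project-reorder` projection in Python and runs them over a few constructed DeviceProcessEvents rows. The rows, device names, account UPNs and command lines are all made up; the `SuspiciousChildProcesses` set mirrors the query's list, with `cscript.exe` as the Windows Script Host console binary.

```python
"""Python re-implementation of the MSHTA Executions KQL filter, run over
constructed DeviceProcessEvents rows so both filter modes can be compared
offline. Added example, not the page's own query."""
from dataclasses import dataclass

# Mirrors the KQL `SuspiciousChildProcesses` dynamic array.
SUSPICIOUS_CHILD_PROCESSES = {
    'cmd.exe', 'powershell.exe', 'bash.exe', 'cscript.exe',
    'mshta.exe', 'msiexec.exe', 'rundll32.exe',
}

# Column order of the query's `project-reorder`.
PROJECTED_COLUMNS = (
    'Timestamp', 'DeviceName', 'ProcessCommandLine',
    'InitiatingProcessCommandLine', 'AccountUpn',
    'ProcessVersionInfoOriginalFileName',
)


@dataclass(frozen=True)
class DeviceProcessEvent:
    """Subset of DeviceProcessEvents columns the query touches."""
    Timestamp: str
    DeviceName: str
    FileName: str
    ProcessCommandLine: str
    InitiatingProcessFileName: str
    InitiatingProcessCommandLine: str
    AccountUpn: str
    ProcessVersionInfoOriginalFileName: str


def kql_ci_equals(left: str, right: str) -> bool:
    """KQL `=~`: case-insensitive string equality."""
    return left.lower() == right.lower()


def is_mshta_execution(event: DeviceProcessEvent) -> bool:
    """The query's `where` clause: the parent is mshta.exe, or the process
    itself carries mshta's original file name (which also catches a renamed copy)."""
    return (kql_ci_equals(event.InitiatingProcessFileName, 'mshta.exe')
            or kql_ci_equals(event.ProcessVersionInfoOriginalFileName, 'mshta.exe'))


def find_mshta_executions(events, suspicious_children_only=False):
    """Return projected rows in `project-reorder` column order. With
    suspicious_children_only=True the query's optional
    `FileName in~ (SuspiciousChildProcesses)` filter is applied as well."""
    rows = []
    for event in events:
        if not is_mshta_execution(event):
            continue
        if suspicious_children_only and event.FileName.lower() not in SUSPICIOUS_CHILD_PROCESSES:
            continue
        rows.append({col: getattr(event, col) for col in PROJECTED_COLUMNS})
    return rows


# Constructed sample rows (not real telemetry). The genuine binary reports
# its original file name in upper case, which is why the KQL uses `=~`.
HTA_CMD = 'mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\page.hta'
SAMPLE_EVENTS = [
    # mshta.exe started from the desktop: matched by the original-file-name clause
    DeviceProcessEvent('2025-12-22T09:00:01Z', 'ws01', 'mshta.exe', HTA_CMD,
                       'explorer.exe', 'explorer.exe', 'alice@example.test', 'MSHTA.EXE'),
    # child of mshta.exe that is also on the suspicious list
    DeviceProcessEvent('2025-12-22T09:00:02Z', 'ws01', 'powershell.exe',
                       'powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\s.ps1',
                       'mshta.exe', HTA_CMD, 'alice@example.test', 'PowerShell.EXE'),
    # child of mshta.exe that is not on the suspicious list
    DeviceProcessEvent('2025-12-22T09:00:03Z', 'ws01', 'notepad.exe',
                       'notepad.exe readme.txt', 'mshta.exe', HTA_CMD,
                       'alice@example.test', 'NOTEPAD.EXE'),
    # renamed copy of mshta.exe: only the original-file-name clause sees it
    DeviceProcessEvent('2025-12-22T09:05:00Z', 'ws02', 'update.exe',
                       'update.exe C:\\ProgramData\\u.hta', 'explorer.exe',
                       'explorer.exe', 'bob@example.test', 'MSHTA.EXE'),
    # unrelated benign process
    DeviceProcessEvent('2025-12-22T09:06:00Z', 'ws02', 'chrome.exe', 'chrome.exe',
                       'explorer.exe', 'explorer.exe', 'bob@example.test', 'chrome.exe'),
]


if __name__ == '__main__':
    for row in find_mshta_executions(SAMPLE_EVENTS):
        print(row['Timestamp'], row['DeviceName'], row['ProcessCommandLine'])
```

Running the broad mode returns four of the five rows; enabling the child-process filter keeps only `mshta.exe` and `powershell.exe`. Note that the renamed copy (`update.exe`) is found by the `ProcessVersionInfoOriginalFileName` clause in broad mode but disappears once the optional filter is enabled, because that filter keys on `FileName`; when tuning the query for a noisy environment, keep the original-file-name match outside the child-process filter so renamed copies are not lost.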

## Details


Bert-Jan Pals

Released: December 22, 2025

#### Tables

- DeviceProcessEvents

#### Keywords

DeviceProcessEvents, Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessCommandLine, AccountUpn, ProcessVersionInfoOriginalFileName

#### Operators

let, dynamic, where, =~, or, project-reorder, in~
