Query Details
// I have found in the various environments I have been in that mshta in the modern world is few and far between.
// More often than not, it is used for malicious activity over odd edge cases.
// Edge cases can be tuned out and this could become an effective detection for most environments.
DeviceProcessEvents
| where ProcessCommandLine contains "mshta.exe"
| project Timestamp, AccountName, InitiatingProcessFileName, ProcessCommandLine, DeviceId, ReportId
| sort by Timestamp desc
This query is designed to detect potentially malicious activity involving the use of "mshta.exe", a program that, in modern environments, shows up far more often in malicious activity than in legitimate use. Here's a simple breakdown of what the query does:
Data Source: It looks at events related to processes on devices (DeviceProcessEvents).
Filter: It specifically searches for any process command lines that include "mshta.exe," which is often associated with suspicious activity.
Select Information: The query selects and displays specific details about these events, including:
  Timestamp: When the event occurred.
  AccountName: The user account associated with the process.
  InitiatingProcessFileName: The name of the process that started "mshta.exe".
  ProcessCommandLine: The full command line used to start "mshta.exe".
  DeviceId: The identifier for the device where the event occurred.
  ReportId: An identifier for the report or event.
Sort: The results are sorted by the timestamp in descending order, showing the most recent events first.
Overall, this query helps identify and investigate suspicious use of "mshta.exe" in an environment, which could indicate malicious activity.
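To show what the query's filter, projection and sort actually do to a batch of process events, and how the "tune out the edge cases" step the author mentions can be expressed as an allowlist of known-benign parent processes, here is an added Python example. It is not part of the original query or of Defender; it emulates the KQL semantics offline over a handful of constructed DeviceProcessEvents-shaped rows (no real telemetry). Like KQL's contains operator, the match is case-insensitive, so an "MSHTA.EXE" spelling is caught as well.

```python
from datetime import datetime

# Columns kept by the query's "project" clause.
PROJECTED_COLUMNS = (
    "Timestamp", "AccountName", "InitiatingProcessFileName",
    "ProcessCommandLine", "DeviceId", "ReportId",
)

# Constructed sample rows shaped like DeviceProcessEvents (assumption: not real data).
SAMPLE_EVENTS = [
    {"Timestamp": "2025-06-24T10:15:00Z", "AccountName": "alice",
     "InitiatingProcessFileName": "winword.exe",
     "ProcessCommandLine": 'mshta.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\doc.hta"',
     "DeviceId": "dev-001", "ReportId": 1},
    {"Timestamp": "2025-06-24T09:00:00Z", "AccountName": "bob",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": "notepad.exe C:\\notes.txt",
     "DeviceId": "dev-002", "ReportId": 2},
    {"Timestamp": "2025-06-24T11:30:00Z", "AccountName": "svc_deploy",
     "InitiatingProcessFileName": "legacyinstaller.exe",  # hypothetical line-of-business installer
     "ProcessCommandLine": 'MSHTA.EXE "C:\\Program Files\\LegacyApp\\setup.hta"',
     "DeviceId": "dev-003", "ReportId": 3},
    {"Timestamp": "2025-06-24T08:45:00Z", "AccountName": "carol",
     "InitiatingProcessFileName": "explorer.exe",
     "ProcessCommandLine": 'mshta.exe "C:\\Program Files\\LegacyApp\\help.hta"',
     "DeviceId": "dev-004", "ReportId": 4},
]


def _parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample rows."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def hunt_mshta(events, allowlist=frozenset(), needle="mshta.exe"):
    """Emulate the page's KQL query over in-memory rows.

    - where ProcessCommandLine contains "mshta.exe"  -> case-insensitive substring test
    - tuning step (added here): drop rows whose initiating process is on an allowlist
    - project <columns>                               -> keep only the listed fields
    - sort by Timestamp desc                          -> newest first
    """
    needle_lc = needle.lower()
    allow_lc = {name.lower() for name in allowlist}
    hits = []
    for row in events:
        if needle_lc not in row["ProcessCommandLine"].lower():
            continue
        if row["InitiatingProcessFileName"].lower() in allow_lc:
            continue  # tuned-out edge case
        hits.append({col: row[col] for col in PROJECTED_COLUMNS})
    hits.sort(key=lambda r: _parse_ts(r["Timestamp"]), reverse=True)
    return hits


def report_ids(hits):
    """Convenience view of a result set in query order."""
    return [h["ReportId"] for h in hits]


if __name__ == "__main__":
    untuned = hunt_mshta(SAMPLE_EVENTS)
    tuned = hunt_mshta(SAMPLE_EVENTS, allowlist={"legacyinstaller.exe"})
    print("untuned:", report_ids(untuned))
    print("tuned:  ", report_ids(tuned))
    for h in tuned:
        print(h["Timestamp"], h["AccountName"], h["InitiatingProcessFileName"],
              "->", h["ProcessCommandLine"])
```

Run untuned, the three mshta rows come back newest first; with the hypothetical installer on the allowlist, only the user-driven launches remain, which is the shape of result the author is after. In the real query the equivalent tuning is an extra line such as `| where InitiatingProcessFileName !in~ ("legacyinstaller.exe")` (the `!in~` operator is the case-insensitive not-in), placed before the project clause so the exclusion is visible in the query text rather than buried in analyst memory.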

Steven Lim
Released: June 24, 2025