EXPLORE
Sign In
← Back to Explore
crowdstrike_cqlHunting

LOLBin Mshta

This query detects the use of mshta.exe. Mshta.exe – A Windows utility for executing HTML Applications (`.hta`) — often abused to run embedded or remote VBScript, JScript, or download-and-execute payloads via alternate data streams or web URLs. [LOLBAS - Mshta.exe](https://lolbas-project.github.io/lolbas/Binaries/Mshta/)

MITRE ATT&CK

T1218.005T1105
defense-evasioncommand-and-control

Detection Query

in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
| event_platform=Win and ImageFileName=/mshta.exe/i
| CommandLine=/mshta(?:\.exe)?\"?\s+\"?(?<HtaPath>(?:.*?\.hta|(?=\").*?(?=\")|.*?(?=(?:\s|$))))/i
| HtaPath=/(?<HtaFolder>.*)(\\\\|\/)/i
| HtaPath=/(.*(\\\\|\/))?(?<HtaFile>.*)$/i

Author

ByteRay GmbH

Data Sources

Endpoint

Platforms

windows

Tags

Huntingcs_module:Insight
Raw Content
# --- Query Metadata ---
# Human-readable name for the query. Will be displayed as the title.
name: LOLBin Mshta

# MITRE ATT&CK technique IDs
mitre_ids:
  - T1218.005
  - T1105

# Description of what the query does and its purpose.
description: |
  This query detects the use of mshta.exe.

# The author or team that created the query.
author: ByteRay GmbH

# The required log sources to run this query successfully in Next-Gen SIEM.
# This will be displayed in the UI to inform the user.
log_sources:
  - Endpoint

# Tags for filtering and categorization.
# Include relevant techniques, tactics, or platforms.
tags:
  - Hunting

cs_required_modules: 
  - Insight

# --- Query Content ---
# The actual CrowdStrike Query Language (CQL) code.
# Using the YAML block scalar `|` allows for multi-line strings.
cql: |
  in(#event_simpleName, values=["ProcessRollup2","ProcessBlocked"])
  | event_platform=Win and ImageFileName=/mshta.exe/i
  | CommandLine=/mshta(?:\.exe)?\"?\s+\"?(?<HtaPath>(?:.*?\.hta|(?=\").*?(?=\")|.*?(?=(?:\s|$))))/i
  | HtaPath=/(?<HtaFolder>.*)(\\\\|\/)/i
  | HtaPath=/(.*(\\\\|\/))?(?<HtaFile>.*)$/i

# Explanation of the query.
# Using the YAML block scalar `|` allows for multi-line strings.
# Uses markdown for formatting on the webpage.
explanation: |
  Mshta.exe – A Windows utility for executing HTML Applications (`.hta`) — often abused to run embedded or remote VBScript, JScript, or download-and-execute payloads via alternate data streams or web URLs.
  
  [LOLBAS - Mshta.exe](https://lolbas-project.github.io/lolbas/Binaries/Mshta/)