Mshta Executing from Registry

Mar 18, 2025 · attack.defense-evasion attack.t1218.005 ·

Detects a Mshta executing code from the registry

Sigma rule (View on GitHub)

 1title: Mshta Executing from Registry
 2id: 8f6de20d-0616-4cf1-875e-24ccabb2e78c
 3status: Experimental
 4description: Detects a Mshta executing code from the registry
 5author: TheDFIRReport
 6references:
 7    - https://lolbas-project.github.io/lolbas/Binaries/Mshta/
 8    - https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts
 9date: 2023-01-08
10logsource:
11    category: process_creation
12    product: windows
13detection:
14    selection:
15        CommandLine|contains|all:
16            - 'wscript.shell'
17            - 'new ActiveXObject'
18            - 'regread'
19        Image|endswith: 'mshta.exe'
20    condition: selection
21fields:
22    - CommandLine
23falsepositives:
24    - Unknown
25level: high
26tags:
27    - attack.defense-evasion
28    - attack.t1218.005

References

Mshta on LOLBAS

Mshta.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.

Read More
Unwrapping Ursnifs Gifts

In late August 2022, we investigated an incident involving Ursnif malware, which resulted in Cobalt Strike being deployed. This was followed by the threat actors moving laterally throughout the env…

Read More

Mshta Executing from Registry

Sigma rule (View on GitHub)

References

Mshta on LOLBAS

Unwrapping Ursnifs Gifts

Related rules