Adversaries use Microsoft HTML Applications (HTA) to execute malicious JScript or VBScript through mshta.exe, a Microsoft-signed binary present on every Windows host. HTA content runs outside the browser's security zones with the full privileges of the user who launched it, and because the host binary is trusted and signed, execution through it often passes application allowlisting and naive process-name detections. The Ursnif (Gozi) campaigns covered by the threat analytics report used mshta.exe with an inline `<script>` block on the command line to launch the next stage, so SOC teams should hunt for that pattern in Microsoft Sentinel (formerly Azure Sentinel) to catch the malware early, before it reaches credential theft, data exfiltration or persistence.
KQL Query
// mshta.exe script launching processes
DeviceProcessEvents
| where Timestamp > ago(7d)
and InitiatingProcessFileName =~ 'mshta.exe'
and InitiatingProcessCommandLine contains '<script>'
id: 9462573d-09e3-4878-a118-db5c964228e0
name: detect-suspicious-mshta-usage
description: |
  This query was originally published in the threat analytics report, Ursnif (Gozi) continues to evolve.
  Microsoft HTML Applications, or HTAs, are executable files that use the same technologies and models as Internet Explorer, but do not run inside of a web browser: they run outside the browser's security zones, with the full privileges of the user who launched them.
  Mshta.exe is a Microsoft-signed Windows utility that provides a host for HTA files to run in. Although it has legitimate uses, attackers can use mshta.exe to run malicious JScript or VBScript commands, including script passed inline on the command line. The MITRE ATT&CK framework includes Mshta among its enterprise attack techniques (originally T1170, now T1218.005, System Binary Proxy Execution: Mshta).
  The following query detects processes spawned by mshta.exe whose command line carried an inline <script> block, the pattern Ursnif used and one with no common legitimate use. It does not match every mshta.exe launch.
  References:
  https://docs.microsoft.com/previous-versions/ms536496(v=vs.85)
  https://attack.mitre.org/techniques/T1170/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  // mshta.exe script launching processes
  DeviceProcessEvents
  | where Timestamp > ago(7d)
  and InitiatingProcessFileName =~ 'mshta.exe'
  and InitiatingProcessCommandLine contains '<script>'
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft 365 Defender (MicrosoftThreatProtection) data connector is enabled with the DeviceProcessEvents table selected; the query returns nothing otherwise |
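The rule above only fires when mshta.exe goes on to spawn a child. A loader that does its work entirely inside the HTA, or that is invoked with a URL rather than a `<script>` block, leaves no such child. The following hunting query is an added example, not the query from the threat analytics report: it unions the original child-process pattern with direct mshta.exe launches that carry inline script or a remote/UNC target, records who launched mshta, and groups by command line so that one-off command lines surface before the tooling that repeats on many hosts. The regex patterns, the 7-day window and the trigger labels are assumptions.

```kql
// Added hunting query (not part of the original rule): widens the rule above so that it
// also catches mshta.exe being launched directly with inline script or a remote target,
// and surfaces the rarest command lines first. Patterns and lookback are assumptions.
let lookback = 7d;
let inline_script = @"(?i)<script|javascript:|vbscript:|about:";
let remote_target = @"(?i)https?://|\\\\";
// Branch 1: what the original rule sees, i.e. a process spawned by mshta.exe after it
// ran inline script (Ursnif-style: mshta -> powershell.exe / cmd.exe / rundll32.exe)
let mshta_children = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "mshta.exe"
| where InitiatingProcessCommandLine matches regex inline_script
| project Timestamp, DeviceName, AccountName,
          Trigger = "child of mshta.exe running inline script",
          MshtaCommandLine = InitiatingProcessCommandLine,
          LaunchedBy = InitiatingProcessParentFileName,
          Child = FileName, ChildCommandLine = ProcessCommandLine;
// Branch 2: mshta.exe itself being launched with inline script or a URL/UNC path,
// which the original rule misses when mshta does not go on to spawn anything
let mshta_launches = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "mshta.exe"
| where ProcessCommandLine matches regex inline_script
    or ProcessCommandLine matches regex remote_target
| project Timestamp, DeviceName, AccountName,
          Trigger = "mshta.exe launched with inline script or remote target",
          MshtaCommandLine = ProcessCommandLine,
          LaunchedBy = InitiatingProcessFileName,
          Child = "", ChildCommandLine = "";
union mshta_children, mshta_launches
// Group by command line: legitimate tooling repeats across hosts, a stage-1 loader does not
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(),
            Devices = dcount(DeviceName), Triggers = make_set(Trigger),
            Launchers = make_set(LaunchedBy), Children = make_set(Child)
    by MshtaCommandLine
| order by Devices asc, Hits asc
```

When triaging the output, a `LaunchedBy` of winword.exe, excel.exe or outlook.exe with a `Child` of powershell.exe is the classic maldoc chain; a launcher of svchost.exe or taskhost.exe with the same command line recurring every few hours points at scheduled-task persistence, which is worth following up in the task registry even when the command line looks bland.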
Scenario: Scheduled System Maintenance Task Using HTA
Description: A legitimate system maintenance task, such as a scheduled PowerShell script or a Windows Task Scheduler job, may use an HTA file to display a GUI for user confirmation or logging.
Filter/Exclusion: Exclude launches whose .hta path is in the system directory (e.g., C:\Windows\System32\), which only administrators can write to. Do not exclude on the parent process alone: schtasks.exe and taskhost.exe are also how attackers persist mshta payloads, so require the trusted path together with the scheduler parent, and never exclude a command line that carries inline script or a URL, since a sanctioned task loads a file.
Scenario: Admin Using HTA for Custom GUI Scripts
Description: A system administrator may use an HTA file to create a custom GUI for administrative tasks, such as configuring network settings or managing user accounts.
Filter/Exclusion: Exclude launches where the .hta file is located in a known admin tools directory (e.g., C:\AdminTools\) that ordinary users cannot write to, or where the tool ships in a package signed by a trusted internal certificate. An account name alone (e.g., Administrator) is not a trust signal, because an attacker who has reached that account produces the same event; combine the account with the path or the hash of the known .hta file.
Scenario: Legacy Application Using HTA for Compatibility
Description: An older enterprise application may use HTA files to maintain compatibility with older systems or to provide a simple GUI for user interaction.
Filter/Exclusion: Exclude launches where the .hta file is part of a known legacy application (e.g., LegacyApp.exe is the parent) and is located in the directory associated with that application (e.g., C:\LegacyApp\). Inventory the application's .hta files and allowlist their hashes where possible, since a writable application directory is an easy place for an attacker to drop a look-alike file.
Scenario: HTA Used for Internal Helpdesk Tools
Description: An internal helpdesk tool may use HTA files to provide a simple interface for users to submit support requests or view status updates.
Filter/Exclusion: Exclude processes where the HTA file is located in a known internal helpdesk directory (e.g., C:\Helpdesk\) or is executed by a helpdesk service account (e.g., `
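The exclusions in the four scenarios above all key on the path of an .hta file, which only appears on mshta.exe's own command line; the original rule matches the child of mshta after an inline `<script>` block, a form none of these legitimate tools produce, so the exclusions apply when the rule is widened to all mshta.exe launches. The following is an added tuning example, not part of the original rule or of any vendor content: it extracts the .hta path from the command line, allowlists the directories from the scenarios, requires both the directory and the service account for the helpdesk tool, and refuses to suppress anything that carries inline script, a remote target, or runs from an mshta.exe copied out of its normal location. Every directory, the service account name `svc-helpdesk` and the window are placeholders.

```kql
// Added tuning example for the scenarios above; not part of the original rule.
// Every path, account name and window is a placeholder to be replaced with values
// inventoried from your own environment.
let lookback = 7d;
// Directories holding sanctioned .hta files: scheduled-maintenance HTAs under System32,
// the admin GUI tools and the legacy application. Only allowlist a directory that
// ordinary users cannot write to; check its ACL before adding it here.
let sanctioned_hta_dirs = @"(?i)^c:\\(windows\\system32|admintools|legacyapp)\\";
// The helpdesk tool is excluded only when BOTH its directory and its service account match
let helpdesk_dir = @"C:\Helpdesk\";
let helpdesk_svc = "svc-helpdesk";   // placeholder service account name
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "mshta.exe"
// Path of the .hta that was loaded; empty when mshta got inline script, a URL or nothing
| extend HtaPath = extract(@"(?i)([a-z]:\\[^""\s]+\.hta)", 1, ProcessCommandLine)
| extend InlineScript = ProcessCommandLine matches regex @"(?i)<script|javascript:|vbscript:|about:",
         RemoteTarget = ProcessCommandLine matches regex @"(?i)https?://|\\\\",
         // mshta.exe copied or renamed out of its normal location is never benign
         UnexpectedHost = not(FolderPath startswith @"C:\Windows\System32\"
                              or FolderPath startswith @"C:\Windows\SysWOW64\")
| extend SanctionedPath = HtaPath matches regex sanctioned_hta_dirs
| extend HelpdeskTool = HtaPath startswith helpdesk_dir and AccountName =~ helpdesk_svc
// Suppress only a known .hta from an allowlisted directory, with no inline script or
// remote target, run by the real host binary. Never suppress on the parent alone:
// schtasks.exe, taskhost.exe and admin accounts are also what persistence looks like.
| extend Benign = (SanctionedPath or HelpdeskTool)
                  and not(InlineScript) and not(RemoteTarget) and not(UnexpectedHost)
| where not(Benign)
| project Timestamp, DeviceName, AccountName,
          LaunchedBy = InitiatingProcessFileName, ProcessCommandLine,
          HtaPath, InlineScript, RemoteTarget, UnexpectedHost
```

Before relying on a directory allowlist, confirm that the directory is not writable by standard users (icacls on the folder is enough); if it is, replace the path test with a hash allowlist built from the SHA256 of the inventoried .hta files in DeviceFileEvents, because a writable allowlisted directory turns the exclusion into a free pass.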