MSHTA Execution via Explorer

Rule Info

Name
MSHTA Execution via Explorer
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects mshta.exe execution spawned by explorer.exe, which could indicate malicious activity. mshta.exe is a utility that executes Microsoft HTML Application (HTA) files. While it had legitimate uses in the past, its use in modern environments is rare and often associated with malicious activity. Attackers frequently abuse mshta.exe to execute malicious scripts and bypass application allowlisting, and it is commonly used to download and execute remote payloads. It is now commonly observed being launched from LNK files or in ClickFix campaigns, which lets attackers deliver and run malicious payloads with minimal user interaction.
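The parent/child relationship the description names, as an added example that is not the Nextron rule itself (its logic is private): a minimal matcher over constructed process-creation events shaped like Sysmon Event ID 1 records, assuming the rule compares the file names of Image and ParentImage case-insensitively as Sigma's endswith does.

```python
"""Added example, not the private Nextron rule: flag process-creation events
where mshta.exe is the child and explorer.exe is the parent, which is what
a user double-clicking an LNK or pasting a ClickFix command produces."""
from pathlib import PureWindowsPath

# Constructed sample events (Sysmon Event ID 1 style field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\user\Downloads\invoice.hta"},
    # Mixed case and the SysWOW64 copy must still match.
    {"Image": r"C:\Windows\SysWOW64\MSHTA.EXE",
     "ParentImage": r"C:\WINDOWS\Explorer.EXE",
     "CommandLine": "MSHTA.EXE report.hta"},
    # Benign: explorer.exe launching something other than mshta.exe.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    # Out of scope for this rule: mshta.exe spawned by a different parent.
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "mshta.exe local.hta"},
]


def _basename(path: str) -> str:
    """File name component of a Windows path, lower-cased for comparison."""
    return PureWindowsPath(path).name.lower()


def is_mshta_via_explorer(event: dict) -> bool:
    """True when the child image is mshta.exe and the parent is explorer.exe.
    Comparing basenames is equivalent to Sigma's Image|endswith: '\\mshta.exe'
    and ParentImage|endswith: '\\explorer.exe' (assumed rule shape)."""
    return (_basename(event.get("Image", "")) == "mshta.exe"
            and _basename(event.get("ParentImage", "")) == "explorer.exe")


def find_matches(events):
    """Return the subset of events that would trigger this detection."""
    return [e for e in events if is_mshta_via_explorer(e)]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print("ALERT mshta via explorer:", hit["CommandLine"])
```

On the constructed input, the first two events match and the notepad and cmd.exe-parent events do not.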
Date
2025-05-07 00:00:00
Modified
None
Id
2689ce2d-4f91-4682-a9f3-82c6a31261d6
Tags
attack.execution attack.t1218.005 attack.initial-access
Type
Nextron Sigma feed only (private)

Rule History