HTA File Dropped by MSHTA in INetCache Directory

Rule Info

Name
HTA File Dropped by MSHTA in INetCache Directory
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects .hta files dropped by the mshta.exe process in \Windows\INetCache. This can indicate that the native Windows mshta.exe utility was used to execute a remote .hta file. Adversaries may abuse the living-off-the-land functionality of mshta.exe to execute remotely hosted malicious .hta files.
Date
2025-02-24 00:00:00
Modified
None
Id
3caeb8e6-4e3f-4c6e-8d01-cd88693232be
Tags
attack.execution attack.t1218.005 attack.t1055
Type
Nextron Sigma feed only (private)

Rule History