Execution of Remotely Hosted MSHTA File via UNC Path

Rule Info

Name
Execution of Remotely Hosted MSHTA File via UNC Path
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects execution of mshta.exe with a remote UNC path in the command line (e.g., \\host\share\file.hta). This behavior is commonly associated with threat actors delivering HTA-based payloads hosted on remote systems to gain initial access, establish persistence, or perform lateral movement.
Date
2025-05-07 00:00:00
Modified
None
Id
af66f614-53a4-4d28-8b01-ede5ed6171af
Tags
attack.execution attack.t1218.005 attack.initial-access
Type
Nextron Sigma feed only (private)

Rule History