
MSHTA Execution with Suspicious File Extensions (cc7abbd0-762b-41e3-8a26-57ad50d2eea3)

Detects execution of mshta.exe with file extensions that do not typically denote HTA (HTML Application) content, such as .png, .jpg, .zip, .pdf and others; such files are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications containing VBScript or JScript. Threat actors often abuse this LOLBin to download and execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
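To show the matching logic the description above implies, here is an added Python example that is not the Sigma rule itself: it inspects constructed process-creation events (image path plus command line) and reports mshta.exe invocations whose file or URL argument carries a non-HTA extension. The extension set beyond the four the page names, and all sample paths, are assumptions of this example.

```python
import re
from os.path import basename

# Extensions that should not carry HTA content. The page names .png, .jpg,
# .zip and .pdf "and others"; the remaining entries are this example's assumption.
SUSPICIOUS_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp", "zip", "pdf",
                         "txt", "doc", "docx", "xls", "xlsx", "mp3", "mp4"}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')        # quoted or bare token
EXT_RE = re.compile(r'\.([A-Za-z0-9]{1,5})$')     # trailing file extension

# Constructed sample events (not real telemetry): (image path, command line)
# as a Sysmon EID 1 / Security 4688 record would carry them.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\mshta.exe",
     r"mshta.exe C:\Users\alice\AppData\Local\Temp\invoice.png"),
    (r"C:\Windows\System32\mshta.exe",
     r'"C:\Windows\System32\mshta.exe" "C:\Program Files\App\help.hta"'),
    (r"C:\Windows\System32\mshta.exe",
     r"mshta.exe https://files.example.invalid/report.pdf?id=7"),
    (r"C:\Windows\System32\mshta.exe",
     r'"C:\Windows\System32\mshta.exe" "C:\Users\bob\Downloads\my photo.jpg"'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\tmp\notes.zip"),
]


def split_command_line(cmdline):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def suspicious_extensions(image, cmdline):
    """Return the non-HTA extensions passed as arguments to mshta.exe.

    An empty list means the event does not match. Only the image name and the
    file/URL arguments are examined, which is what this rule keys on.
    """
    if basename(image.replace("\\", "/")).lower() != "mshta.exe":
        return []
    hits = []
    for tok in split_command_line(cmdline)[1:]:      # skip the executable itself
        path = re.split(r"[?#]", tok, maxsplit=1)[0]  # drop URL query/fragment
        m = EXT_RE.search(path)
        if m and m.group(1).lower() in SUSPICIOUS_EXTENSIONS:
            hits.append(m.group(1).lower())
    return hits


def scan(events):
    """Return [(command line, extensions)] for every matching event."""
    results = [(c, suspicious_extensions(i, c)) for i, c in events]
    return [(c, exts) for c, exts in results if exts]
```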

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| MSHTA Execution with Suspicious File Extensions (cc7abbd0-762b-41e3-8a26-57ad50d2eea3) | Sigma-Rules | Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | 1 |
| MSHTA Execution with Suspicious File Extensions (cc7abbd0-762b-41e3-8a26-57ad50d2eea3) | Sigma-Rules | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 1 |
| MSHTA Execution with Suspicious File Extensions (cc7abbd0-762b-41e3-8a26-57ad50d2eea3) | Sigma-Rules | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) | Attack Pattern | 2 |