```yaml
title: Anomalous MSHTA Usage
id: edr-win-exec-anomalous-mshta
status: stable
description: >
  Triggers when mshta.exe exhibits suspicious behavior: execution without expected
  extensions (.html, .hta, .bat), launch from Downloads or archive paths, execution of
  COM automation primitives (WScript.Shell, GetObject, Exec), or spawning of
  shell/scripting children (cmd, powershell, rundll32, regsvr32, cscript, wscript).
  Covers ClickFix delivery, archive-delivered HTA payloads, and interpreter chaining.
references:
  - https://attack.mitre.org/techniques/T1218/005/
author: ShroudCloud
date: 2026/04/16
tags:
  - attack.execution
  - attack.defense_evasion
  - attack.t1218.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_mshta:
    Image|endswith: '\mshta.exe'
    CommandLine|contains:
      - '\Downloads\'
      - '\Temp\7z'
      - '\Temp\Rar'
      - '\Temp\Temp?_'
      - '\Temp\BNZ.'
      - 'GetObject'
      - 'WScript.Shell'
      - '.run('
      - ').Exec('
      - 'mshtml'
      - 'StrReverse'
      - '.RegWrite'
      - 'window.close('
      - ' Chr('
      - 'http'
  filter_mshta:
    CommandLine|contains:
      - '.html'
      - '.hta'
      - '.bat'
  selection_spawn:
    ParentImage|endswith: '\mshta.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\cscript.exe'
      - '\wscript.exe'
  filter_spawn:
    CommandLine|contains:
      - '\HP\'
      - 'printui.dll'
  condition: (selection_mshta and not filter_mshta) or (selection_spawn and not filter_spawn)
falsepositives:
  - Legitimate HTA-based admin tools or vendor installers using mshta
level: high
```
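An added example, not part of the rule or of any Sigma backend: a small Python evaluator for this rule's selections, filters and condition, run over constructed process_creation events to show which ones fire and which the filters suppress. The indicator lists are copied from the rule; the Sigma `?` wildcard in `\Temp\Temp?_` and the OR-within-list, AND-across-fields, case-insensitive semantics are handled explicitly, while the sample events, user paths and `example.invalid` are constructed.

```python
import re

# Values from the rule above; '?' in '\Temp\Temp?_' is a Sigma single-char wildcard.
MSHTA_INDICATORS = ['\\Downloads\\', '\\Temp\\7z', '\\Temp\\Rar', '\\Temp\\Temp?_',
                    '\\Temp\\BNZ.', 'GetObject', 'WScript.Shell', '.run(', ').Exec(',
                    'mshtml', 'StrReverse', '.RegWrite', 'window.close(', ' Chr(', 'http']
MSHTA_EXPECTED_EXT = ['.html', '.hta', '.bat']
SPAWN_CHILDREN = ['\\cmd.exe', '\\powershell.exe', '\\pwsh.exe', '\\rundll32.exe',
                  '\\regsvr32.exe', '\\cscript.exe', '\\wscript.exe']
SPAWN_BENIGN = ['\\HP\\', 'printui.dll']

def _sigma_pattern(value: str) -> str:
    # Simplified Sigma value translation: '*' and '?' are wildcards, all else is literal.
    return ''.join('.*' if c == '*' else '.' if c == '?' else re.escape(c) for c in value)

def contains_any(field: str, values) -> bool:
    # Sigma 'field|contains' over a list: OR across values, case-insensitive.
    return any(re.search(_sigma_pattern(v), field, re.IGNORECASE) for v in values)

def endswith_any(field: str, values) -> bool:
    # Sigma 'field|endswith' over a list.
    return any(re.search(_sigma_pattern(v) + '$', field, re.IGNORECASE) for v in values)

def rule_matches(event: dict) -> bool:
    # Evaluate the rule's condition; fields inside one selection are AND'ed.
    image, parent, cmd = (event.get(k, '') for k in ('Image', 'ParentImage', 'CommandLine'))
    selection_mshta = endswith_any(image, ['\\mshta.exe']) and contains_any(cmd, MSHTA_INDICATORS)
    filter_mshta = contains_any(cmd, MSHTA_EXPECTED_EXT)
    selection_spawn = endswith_any(parent, ['\\mshta.exe']) and endswith_any(image, SPAWN_CHILDREN)
    filter_spawn = contains_any(cmd, SPAWN_BENIGN)
    return (selection_mshta and not filter_mshta) or (selection_spawn and not filter_spawn)

# Constructed process_creation events (not real telemetry).
MSHTA = 'C:\\Windows\\System32\\mshta.exe'
SAMPLE_EVENTS = [
    # 1: launched from Downloads but with .hta, so filter_mshta suppresses it
    {'Image': MSHTA, 'CommandLine': 'mshta.exe C:\\Users\\alice\\Downloads\\setup.hta'},
    # 2: URL argument and no expected extension: selection_mshta fires
    {'Image': MSHTA, 'CommandLine': 'mshta.exe http://example.invalid/page'},
    # 3: Explorer-style archive temp path; exercises the '?' wildcard
    {'Image': MSHTA, 'CommandLine': 'mshta.exe C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_pkg.zip\\page.txt'},
    # 4: rundll32 child carrying printui.dll, so filter_spawn suppresses it
    {'ParentImage': MSHTA, 'Image': 'C:\\Windows\\System32\\rundll32.exe',
     'CommandLine': 'rundll32.exe printui.dll,PrintUIEntry'},
    # 5: powershell child with no benign marker: selection_spawn fires
    {'ParentImage': MSHTA, 'Image': 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
     'CommandLine': 'powershell.exe -Command Get-Date'},
]

def evaluate(events=SAMPLE_EVENTS):
    return [rule_matches(e) for e in events]  # returns [False, True, True, False, True]
```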