Microsoft Defender XDR • LOLBins • Process Tree Investigation

Mshta.exe Wasn't The Real Problem

The alert said mshta.exe.

That made the case look simple. A suspicious Microsoft-signed binary had launched, and everyone wanted to know why mshta.exe was running.

But Agent Foskett did not stop at the process name.

He opened the process tree and found the real story: Outlook, Word, cmd.exe, mshta.exe, PowerShell and a chain of behaviour that began long before the alert appeared.

Agent Foskett Microsoft Defender XDR mshta.exe process tree investigation
Briefing summary

Mshta.exe can be suspicious, but the process itself is rarely the whole investigation. The stronger evidence is found by asking what launched it, what it launched next and how it fits into the timeline.

Suspicious mshta.exe
Parent Process Analysis
Child PowerShell Activity
Timeline Reconstruction

The alert was not the whole case

A process name can start an investigation, but it should never finish one.
The alert named mshta.exe The suspicious binary was visible, but the alert did not explain who launched it or why.
The parent process mattered Outlook, Word, browsers, cmd.exe and script hosts can all change the meaning of the event.
The child process mattered too If mshta.exe launched PowerShell, cmd.exe or rundll32.exe, the investigation has moved beyond a single LOLBin.

Why attackers abuse mshta.exe

Mshta.exe is a legitimate Windows binary, which is exactly why attackers like it.
Signed Microsoft binary Mshta.exe is a trusted Windows component, so the process name alone may not look like custom malware.
Executes HTA content It can execute HTML Application content locally or from remote paths, giving attackers a useful execution path.
Blends into Windows activity Because it is a built-in tool, defenders need command lines, process ancestry and network context to understand intent.

Find mshta.exe executions

Start with mshta.exe, then immediately pivot into parent and child process relationships.
find-mshta-executions.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "mshta.exe"
| project Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    FileName,
    ProcessCommandLine
| order by Timestamp desc

The parent process changed the story

Mshta.exe launched by a trusted management tool is different from mshta.exe launched through a document or browser chain.
Office parent Word, Excel or PowerPoint launching mshta.exe can suggest macro abuse, embedded content or document-based execution.
Browser parent A browser-to-mshta chain may indicate a malicious link, drive-by lure or user interaction with a deceptive site.
Command shell parent Cmd.exe or PowerShell launching mshta.exe may indicate scripted execution rather than normal user behaviour.

Look for suspicious parent processes

The parent process often tells you how the attacker reached mshta.exe in the first place.
look-for-mshta-parent-processes.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "mshta.exe"
| where InitiatingProcessFileName in~ (
    "outlook.exe",
    "winword.exe",
    "excel.exe",
    "powerpnt.exe",
    "chrome.exe",
    "msedge.exe",
    "explorer.exe",
    "cmd.exe",
    "powershell.exe",
    "wscript.exe",
    "cscript.exe"
)
| project Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    FileName,
    ProcessCommandLine
| order by Timestamp desc

Mshta.exe was only one link

The strongest clue is often what happened after mshta.exe executed.
PowerShell child Mshta.exe launching PowerShell can indicate a staged command or download-and-execute workflow.
Cmd.exe child Cmd.exe after mshta.exe can reveal scripted follow-on execution, environment checks or chained commands.
Rundll32 or regsvr32 Additional LOLBins after mshta.exe suggest the attacker is moving through trusted Windows tools.

Find child processes launched by mshta.exe

Do not stop at mshta.exe. Follow everything it launches next.
find-child-processes-launched-by-mshta.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "mshta.exe"
| where FileName in~ (
    "powershell.exe",
    "pwsh.exe",
    "cmd.exe",
    "wscript.exe",
    "cscript.exe",
    "rundll32.exe",
    "regsvr32.exe"
)
| project Timestamp, DeviceName, AccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    FileName,
    ProcessCommandLine
| order by Timestamp desc

Check for outbound connections

Remote HTA content, command retrieval and payload staging can leave network evidence.
check-mshta-network-connections.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "mshta.exe"
    or InitiatingProcessCommandLine has "mshta"
| project Timestamp, DeviceName,
    InitiatingProcessAccountName,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    RemoteUrl,
    RemoteIP,
    RemotePort,
    Protocol
| order by Timestamp desc

Why mshta.exe was not the real problem

The binary was suspicious, but the behaviour chain was the evidence.
Process ancestry The investigation needed to explain what launched mshta.exe before treating it as the root cause.
Execution chain Mshta.exe was part of a sequence: document, shell, script interpreter, download and follow-on execution.
Behaviour over labels The label LOLBin is useful, but the command line and timeline explain the attack.

Build the mshta.exe investigation timeline

Correlate process, network, file and registry evidence around the endpoint and time window.
build-the-mshta-investigation-timeline.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
  9. 9
  10. 10
  11. 11
  12. 12
  13. 13
  14. 14
  15. 15
  16. 16
  17. 17
  18. 18
  19. 19
  20. 20
  21. 21
  22. 22
  23. 23
  24. 24
  25. 25
  26. 26
  27. 27
  28. 28
  29. 29
  30. 30
  31. 31
let InvestigationDevice = "DEVICE-NAME-HERE";
let StartTime = ago(1d);
union isfuzzy=true
(
    DeviceProcessEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="Process", ActionType, Detail=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    DeviceNetworkEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="Network", ActionType, Detail=strcat(RemoteUrl, " ", RemoteIP, ":", RemotePort), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    DeviceFileEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="File", ActionType, Detail=strcat(FolderPath, "\\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
    DeviceRegistryEvents
    | where Timestamp > StartTime
    | where DeviceName =~ InvestigationDevice
    | project Timestamp, DeviceName, EvidenceType="Registry", ActionType, Detail=strcat(RegistryKey, " ", RegistryValueName, " ", RegistryValueData), InitiatingProcessFileName, InitiatingProcessCommandLine
)
| order by Timestamp asc

What investigators should ask

A good mshta.exe investigation is really a process tree investigation.
Who launched mshta.exe? Identify the parent process, command line, account and whether the parent belongs in that workflow.
What did mshta.exe launch? Look for PowerShell, cmd.exe, rundll32.exe, regsvr32.exe, script hosts and any follow-on payload activity.
Did the chain persist? Pivot into scheduled tasks, registry run keys, file writes and repeated execution after reboot or logon.

Related investigations

Continue the investigation through process trees, PowerShell downloads, persistence and timeline reconstruction.
The Child Process Shouldn't Have Existed Follow suspicious parent-child process relationships after initial execution.
Nothing Flagged The PowerShell Download Investigate quiet PowerShell download behaviour even when no alert fires.
The Scheduled Task Was The Persistence Find persistence after the initial process chain has finished.
The Script Ran From AppData Review suspicious script execution from user-writable folders.
The Browser Spawned PowerShell Investigate unexpected browser-to-PowerShell execution chains.
The Timeline Told The Story Build a defensible investigation timeline across Defender XDR evidence.
Need help investigating endpoint behaviour?
GEMXIT helps organisations understand Microsoft Defender XDR evidence, endpoint telemetry, KQL hunting, LOLBins and practical incident response.
Contact GEMXIT

Final thought

The alert named the process. The timeline explained the attack.
At GEMXIT We help organisations investigate Microsoft Defender XDR, endpoint security, LOLBins, process execution, PowerShell activity and practical threat hunting. If you want to understand how this applies to your environment, see our Microsoft Security services.
Agent Foskett mindset Do not investigate the alert in isolation. Ask what came before it, what came after it and why the chain exists.
Develop IT. Protect IT. Mshta.exe was not the beginning. It was not the end. It was simply one link in the chain. GEMXIT PTY LTD | GEMXIT UK LTD

Mshta.exe Wasn't The Real Problem

This Agent Foskett investigation explains how suspicious mshta.exe execution can be investigated in Microsoft Defender XDR by following parent processes, child processes and execution chains.

Microsoft Defender XDR Mshta.exe Investigation

DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents and DeviceRegistryEvents can help defenders investigate mshta.exe, suspicious LOLBins, PowerShell child processes and endpoint behaviour.

KQL Hunting For Mshta.exe And LOLBins

Defenders can use KQL to hunt for mshta.exe execution, suspicious parent processes, child PowerShell activity, network connections, file writes, registry changes and timeline evidence.