Mshta.exe Wasn't The Real Problem
The alert said mshta.exe.
That made the case look simple. A suspicious Microsoft-signed binary had launched, and everyone wanted to know why mshta.exe was running.
But Agent Foskett did not stop at the process name.
He opened the process tree and found the real story: Outlook, Word, cmd.exe, mshta.exe, PowerShell and a chain of behaviour that began long before the alert appeared.

Briefing summary
Mshta.exe can be suspicious, but the process itself is rarely the whole investigation. The stronger evidence is found by asking what launched it, what it launched next and how it fits into the timeline.
The alert was not the whole case
Why attackers abuse mshta.exe
Find mshta.exe executions
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "mshta.exe"
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
ProcessCommandLine
| order by Timestamp desc
The parent process changed the story
Look for suspicious parent processes
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
DeviceProcessEvents
| where Timestamp > ago(30d)
| where FileName =~ "mshta.exe"
| where InitiatingProcessFileName in~ (
"outlook.exe",
"winword.exe",
"excel.exe",
"powerpnt.exe",
"chrome.exe",
"msedge.exe",
"explorer.exe",
"cmd.exe",
"powershell.exe",
"wscript.exe",
"cscript.exe"
)
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
ProcessCommandLine
| order by Timestamp desc
Mshta.exe was only one link
Find child processes launched by mshta.exe
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
DeviceProcessEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "mshta.exe"
| where FileName in~ (
"powershell.exe",
"pwsh.exe",
"cmd.exe",
"wscript.exe",
"cscript.exe",
"rundll32.exe",
"regsvr32.exe"
)
| project Timestamp, DeviceName, AccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName,
ProcessCommandLine
| order by Timestamp desc
Check for outbound connections
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where InitiatingProcessFileName =~ "mshta.exe"
or InitiatingProcessCommandLine has "mshta"
| project Timestamp, DeviceName,
InitiatingProcessAccountName,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
RemoteUrl,
RemoteIP,
RemotePort,
Protocol
| order by Timestamp desc
Why mshta.exe was not the real problem
Build the mshta.exe investigation timeline
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
let InvestigationDevice = "DEVICE-NAME-HERE";
let StartTime = ago(1d);
union isfuzzy=true
(
DeviceProcessEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="Process", ActionType, Detail=ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
DeviceNetworkEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="Network", ActionType, Detail=strcat(RemoteUrl, " ", RemoteIP, ":", RemotePort), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
DeviceFileEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="File", ActionType, Detail=strcat(FolderPath, "\\", FileName), InitiatingProcessFileName, InitiatingProcessCommandLine
),
(
DeviceRegistryEvents
| where Timestamp > StartTime
| where DeviceName =~ InvestigationDevice
| project Timestamp, DeviceName, EvidenceType="Registry", ActionType, Detail=strcat(RegistryKey, " ", RegistryValueName, " ", RegistryValueData), InitiatingProcessFileName, InitiatingProcessCommandLine
)
| order by Timestamp asc
What investigators should ask
Related investigations
Final thought
Mshta.exe Wasn't The Real Problem
This Agent Foskett investigation explains how suspicious mshta.exe execution can be investigated in Microsoft Defender XDR by following parent processes, child processes and execution chains.
Microsoft Defender XDR Mshta.exe Investigation
DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents and DeviceRegistryEvents can help defenders investigate mshta.exe, suspicious LOLBins, PowerShell child processes and endpoint behaviour.
KQL Hunting For Mshta.exe And LOLBins
Defenders can use KQL to hunt for mshta.exe execution, suspicious parent processes, child PowerShell activity, network connections, file writes, registry changes and timeline evidence.
