Clankerusecase
MITRE ATT&CK detection coverage

T1218.005 Mshta

T1218.005 — Mshta is a MITRE ATT&CK technique in the Defense Evasion tactic. Clankerusecase tracks 14 detection use cases covering it and 1 threat-intel article citing it.

Defense Evasion
14 Use cases
1 Articles
0 Sub-techniques
1 Tactic

Use cases covering this technique (14)

[WEEKLY] Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes · Internal delivery · alerting · DSPDD
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI · ESCU actions · hunting · P
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download · ESCU actions · hunting · P
Detect mshta inline hta execution · ESCU actions · alerting · P
Detect mshta renamed · ESCU actions · hunting · P
Detect MSHTA Url in Command Line · ESCU actions · alerting · P
Detect Rundll32 Inline HTA Execution · ESCU actions · alerting · P
Mshta spawning Rundll32 OR Regsvr32 Process · ESCU actions · alerting · P
Suspicious mshta child process · ESCU actions · alerting · P
Suspicious mshta spawn · ESCU actions · alerting · P
Windows Mshta Execution In Registry · ESCU actions · alerting · P
Windows MSHTA Writing to World Writable Path · ESCU actions · alerting · P
Windows Process Writing File to World Writable Path · ESCU actions · hunting · P
[LLM] Earth Dahu / Gamaredon HTA-to-VBScript chain (mshta.exe spawning wscript/cscript) · Bespoke delivery · alerting · DSΣPDDCS

Articles citing this technique (1)