title: Mshta Network Connections
description: Identifies suspicious mshta.exe commands.
status: experimental
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame)
date: 2019/10/24
tags:
    - attack.execution
    - attack.defense_evasion
    - attack.t1170
detection:
    selection:
        Image:
            - '*mshta.exe'
        CommandLine:
            - '* javascript*'
    condition: selection
falsepositives:
    - unknown
level: high
logsource:
    category: process_creation
    product: windows