AN1397: Analytic 1397
Detection of mshta.exe execution where command-line arguments reference remote or local HTA/script content (VBScript/JScript), followed by subsequent file creation, network retrieval, or process spawning that indicates payload execution outside the standard Internet Explorer security context. Correlation includes parent process lineage, command-line inspection, and network connection creation to untrusted or anomalous endpoints.
Analyst context for executives and security teams
This analytic matters because mshta.exe can execute HTA, VBScript, or JScript content in ways that may bypass the security expectations teams associate with normal browser-based script handling. For leaders, the practical issue is whether Windows monitoring can connect the initial mshta command line to what happens next: file creation, network retrieval, or child process execution. Without that correlation, suspicious script-driven activity may look like isolated low-signal events instead of an execution chain that requires investigation.
Executive priority
Prioritize this as a Windows execution-monitoring and incident-response readiness question: can the organization prove it collects enough endpoint, command-line, process-lineage, file, and network evidence to determine whether mshta.exe launched local or remote script content and then produced follow-on activity? This supports SOC triage quality, audit evidence for endpoint monitoring, and response decisions when suspicious script execution is observed.
Technical view
Validate detections for Windows mshta.exe executions where command-line arguments reference local or remote HTA/script content, including VBScript or JScript indicators. The analytic description emphasizes correlation rather than a single event: parent process lineage, command-line inspection, subsequent file creation, network connection creation to untrusted or anomalous endpoints, network retrieval, and process spawning. Because no official detection logic is supplied, teams should treat this as a detection engineering requirement to build and test locally against available telemetry.
Likely telemetry
- Windows process creation events with full command-line capture
- Parent/child process lineage for mshta.exe
- Endpoint file creation events following mshta.exe execution
- Network connection or retrieval events initiated by or near mshta.exe activity
- Endpoint telemetry showing spawned processes after mshta.exe execution
Detection direction
- Confirm that mshta.exe command-line arguments are captured and retained; detections without command-line visibility will be weak.
- Correlate mshta.exe execution with follow-on file creation, network connections, network retrieval, or child process spawning rather than alerting only on process name.
- Review parent process lineage to distinguish expected administrative or application behavior from unusual launch paths.
- Tune for local environmental baselines because legitimate HTA/script usage may exist in some Windows environments.
- Add endpoint and network context for remote destinations so analysts can assess whether connections are untrusted or anomalous.
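The telemetry and detection-direction items above describe a correlation, not a single-event match. The following is an added example (not MITRE's detection logic and not part of the analytic) showing one way to implement it in Python over constructed Sysmon-style events: a process-creation event for mshta.exe is flagged only when its command line references HTA, inline VBScript/JScript, or a remote location, it falls outside a local baseline of known HTA tooling, and it is followed within a window by file creation, a network connection, or a child process attributed to the same process. The regex, the `TRUSTED_HTA_DIRS` baseline, the event schema, and all sample events are assumptions made for this example.

```python
"""Correlate mshta.exe launches with follow-on activity (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Command-line indicators taken from the analytic description: a reference to an
# HTA file, inline VBScript/JScript, or a remote (HTTP/UNC) location. The regex
# itself is an assumption for this example, not MITRE's published logic.
SCRIPT_INDICATORS = re.compile(
    r"\.hta\b|vbscript:|javascript:|https?://|\\\\[^\\\s\"]+\\", re.IGNORECASE)

# Local baseline (assumption): HTA content under these directories is known
# business tooling and is suppressed. Populate from an inventory of real usage.
TRUSTED_HTA_DIRS = ("c:\\program files\\contoso-admin\\",)

# Follow-on event kinds the analytic asks us to correlate with the launch.
FOLLOW_ON_KINDS = {"FileCreate", "NetworkConnect", "ProcessCreate"}


@dataclass
class Event:
    ts: datetime
    kind: str            # ProcessCreate | FileCreate | NetworkConnect
    pid: int             # a Sysmon ProcessGuid is safer than a PID in production
    image: str = ""
    cmdline: str = ""
    parent_pid: int | None = None
    parent_image: str = ""
    detail: str = ""     # created file path or destination host:port


@dataclass
class Alert:
    launch: Event
    follow_on: list[Event] = field(default_factory=list)

    def lineage(self) -> str:
        children = [e.image for e in self.follow_on if e.kind == "ProcessCreate"]
        return f"{self.launch.parent_image} -> mshta.exe -> {children}"


def is_suspicious_launch(ev: Event) -> bool:
    """mshta.exe process creation whose command line references script content
    and is not covered by the local baseline."""
    if ev.kind != "ProcessCreate" or not ev.image.lower().endswith("\\mshta.exe"):
        return False
    if not SCRIPT_INDICATORS.search(ev.cmdline):
        return False
    return not any(d in ev.cmdline.lower() for d in TRUSTED_HTA_DIRS)


def correlate(events: list[Event], window: timedelta = timedelta(minutes=5)) -> list[Alert]:
    """Return one Alert per suspicious mshta.exe launch that is followed, within
    `window`, by file creation, a network connection, or a child process."""
    events = sorted(events, key=lambda e: e.ts)
    alerts: list[Alert] = []
    for ev in events:
        if not is_suspicious_launch(ev):
            continue
        follow = [
            e for e in events
            if e is not ev and e.kind in FOLLOW_ON_KINDS
            and ev.ts <= e.ts <= ev.ts + window
            and ((e.kind != "ProcessCreate" and e.pid == ev.pid)          # same process
                 or (e.kind == "ProcessCreate" and e.parent_pid == ev.pid))  # child process
        ]
        if follow:  # the analytic requires follow-on activity, not the launch alone
            alerts.append(Alert(ev, follow))
    return alerts


# Constructed sample telemetry (not real logs); 198.51.100.0/24 is a documentation range.
T0 = datetime(2025, 1, 15, 9, 30, 0)
SAMPLE_EVENTS = [
    # Case 1: Office spawns mshta with a temp-directory HTA, which then connects
    # out, drops a file and spawns a child. Expected: alert.
    Event(T0, "ProcessCreate", 4100, r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Users\alice\AppData\Local\Temp\invoice.hta"', 3000, "WINWORD.EXE"),
    Event(T0 + timedelta(seconds=2), "NetworkConnect", 4100, detail="198.51.100.7:443"),
    Event(T0 + timedelta(seconds=3), "FileCreate", 4100,
          detail=r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    Event(T0 + timedelta(seconds=4), "ProcessCreate", 4200,
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -NoProfile", 4100, "mshta.exe"),
    # Case 2: baselined admin-console HTA with a network connection. Expected: suppressed.
    Event(T0 + timedelta(minutes=10), "ProcessCreate", 5100, r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Program Files\Contoso-Admin\console.hta"', 5000, "explorer.exe"),
    Event(T0 + timedelta(minutes=10, seconds=1), "NetworkConnect", 5100, detail="10.0.0.5:8443"),
    # Case 3: HTA reference with no follow-on activity in the window. Expected: no alert.
    Event(T0 + timedelta(minutes=20), "ProcessCreate", 6100, r"C:\Windows\System32\mshta.exe",
          r'mshta.exe "C:\Users\bob\Downloads\readme.hta"', 6000, "explorer.exe"),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a.lineage())
        for e in a.follow_on:
            print(f"  {e.ts.time()} {e.kind} {e.detail or e.image}")
```

Running the block prints one alert (case 1) with its parent-to-child lineage and the three correlated follow-on events; case 2 is suppressed by the baseline and case 3 produces nothing because the launch alone is not enough. In production, key the correlation on a process GUID rather than a PID, and populate the baseline from the usage inventory the mitigation list calls for rather than from guesses.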
Mitigation priorities
- Inventory legitimate mshta.exe and HTA/script usage in the Windows estate before enforcing broad restrictions.
- Harden endpoint execution controls where business use does not require mshta.exe or script-based HTA execution.
- Ensure endpoint logging captures process command lines, parent-child relationships, file creation, and network activity needed for correlation.
- Use SOC runbooks that require analysts to examine follow-on payload indicators after suspicious mshta.exe activity.
- Feed validated findings into incident response procedures and compliance evidence for endpoint monitoring coverage.
Analyst notes and limits
The supplied object is a MITRE detection analytic for Windows focused on mshta.exe execution with local or remote HTA/script content and correlated follow-on activity. No ATT&CK tactics, relationships, or formal detection logic were supplied, so this summary focuses on defensive validation and telemetry requirements rather than technique mapping or attribution.
Official detection content is not provided, and no relationship context is supplied. Local baselines are required to separate legitimate mshta.exe use from suspicious activity. This summary does not assert active exploitation, adversary attribution, impact, or guaranteed coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a0ad0087e3cd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN1397
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.