Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0506: Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation

DET0506 is a detection strategy for suspicious mshta-based proxy execution. Its business value is in validating whether the SOC can see and investigate abu...

EnterpriseDET0506Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0506 is a detection strategy for suspicious mshta-based proxy execution. Its business value is in validating whether the SOC can see and investigate abuse of a trusted Windows utility that may run HTA, JavaScript, or VBScript content in a way that can blend into normal endpoint activity. For leaders, this is a coverage question: can teams prove that living-off-the-land execution through mshta.exe would generate usable evidence before an incident escalates?

Executive priority

Prioritize this as an endpoint visibility and response-readiness control check for Windows environments, based on its relationship to ATT&CK technique T1218.005 Mshta. The decision point is not just whether an alert exists, but whether process execution evidence, command-line detail, and investigation workflows are sufficient to distinguish legitimate HTA/script use from suspicious proxy execution. This supports SOC maturity, incident response preparedness, application-control decisions, and audit evidence for monitoring of trusted utility abuse.

Technical view

MITRE provides no official detection logic or description for DET0506, so defenders should anchor validation to the related technique: mshta.exe abuse to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. SOC teams should test whether telemetry captures mshta.exe execution, command-line arguments, parent and child process context, script or HTA invocation indicators, and follow-on activity. Because the related technique is associated with stealth, detection engineering should account for low-noise behaviors that may appear as legitimate Windows utility use.

Likely telemetry

  • Windows process creation events including executable name, full command line, parent process, child process, user, host, and timestamp
  • Endpoint detection and response telemetry for mshta.exe execution and related process lineage
  • File activity involving HTA or script content where collected
  • Script execution or interpreter telemetry for JavaScript or VBScript where available
  • Network connection telemetry associated with mshta.exe or its child processes where collected

Detection direction

  • Confirm that command-line and process lineage fields are actually collected on Windows endpoints; detection quality will be weak if mshta.exe events lack arguments or parent/child context.
  • Build or validate analytics for suspicious HTA or script invocation through mshta.exe, rather than relying only on the presence of mshta.exe, which may create false positives in environments with legitimate HTA use.
  • Baseline approved mshta.exe and HTA usage before enforcing high-severity alerting, especially in legacy application environments.
  • Correlate mshta.exe execution with surrounding activity such as file creation, script execution, child processes, and network connections to improve triage confidence.
  • Review alert suppression and allowlisting carefully; trusted utility abuse can be hidden by broad exclusions for signed Windows binaries.

Mitigation priorities

  • Inventory legitimate business use of mshta.exe and HTA-based workflows before changing controls.
  • Where business use is not required, consider restricting or controlling mshta.exe execution through approved application-control mechanisms.
  • Strengthen endpoint logging so process creation, command-line, and lineage data are available for investigation.
  • Tune detections around suspicious mshta-based HTA or script invocation and validate them through controlled testing in the local environment.
  • Ensure incident response playbooks include triage steps for trusted utility proxy execution, including process lineage review and related file/script activity.
Analyst notes and limits

This take is based on the DET0506 metadata, its MITRE external reference, and the relationship indicating that it detects T1218.005 Mshta. The detection strategy object itself has no official description, no official detection text, no listed platforms, and no listed tactics. Windows relevance comes from the related Mshta technique, not from the DET0506 platform field.

The supplied ATT&CK fields do not include detection pseudocode, data sources, mitigations, software, groups, campaigns, prevalence, or active exploitation claims. Local environment data is required to determine legitimate mshta.exe use, acceptable false-positive levels, and whether telemetry is sufficient for reliable detection.

Official MITRE ATT&CK definition

Detecting Mshta-based Proxy Execution via Suspicious HTA or Script Invocation

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1218.005 Mshta Sub-technique This object detects Mshta.
Relationship explorer

All related ATT&CK context

detects · Technique T1218.005: Mshta Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
2edaeea6a54afc6f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 2edaeea6a54a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0506
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use