Phoenix
Sigma IntelligenceBeta
Phoenix Studio

Convert indexed Sigma rules into analyst-ready detections.

This studio is built around Phoenix's own rule corpus, not a blank editor. Search by title or rule id, choose a live sigma-cli backend, then reveal pipelines only when you actually need them.

Browse RulesExplore Ecosystem

Indexed Rules

3,707

Ready to search

Backends

17

Live from sigconverter.io

CLI Versions

10

Newest: 2.0.2

Translation Workspace

Shape the rule before it leaves Phoenix

Tune Translation

Active Rule

MSHTA Execution with Suspicious File Extensions

Target Profile

Splunk

Splunk SPL & tstats data model queries

Format Mode

Default

Plain SPL queries

Conversion Output

MSHTA Execution with Suspicious File Extensions

Using Splunk · Default · sigma-cli 2.0.2

Translation controls

Adjust the rule on the left, then regenerate when you want a fresh backend-native query.

BackendSplunkFormatDefaultVersion2.0.2
title: MSHTA Execution with Suspicious File Extensions
id: cc7abbd0-762b-41e3-8a26-57ad50d2eea3
status: test
description: |
    Detects execution of mshta.exe with file types that looks like they do not typically represent HTA (HTML Application) content,
    such as .png, .jpg, .zip, .pdf, and others, which are often polyglots. MSHTA is a legitimate Windows utility for executing HTML Applications
    containing VBScript or JScript. Threat actors often abuse this lolbin utility to download and
    execute malicious scripts disguised as benign files or hosted under misleading extensions to evade detection.
references:
    - http://blog.sevagas.com/?Hacking-around-HTA-files
    - https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
    - https://learn.microsoft.com/en-us/previous-versions/dotnet/framework/data/xml/xslt/xslt-stylesheet-scripting-using-msxsl-script
    - https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
    - https://twitter.com/mattifestation/status/1326228491302563846
    - https://www.virustotal.com/gui/file/c1f27d9795a2eba630db8a043580a0761798f06370fb1317067805f8a845b00c
author: Diego Perez (@darkquassar), Markus Neis, Swisscom (Improve Rule), Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2019-02-22
modified: 2025-05-12
tags:
    - attack.defense-evasion
    - attack.t1140
    - attack.t1218.005
    - attack.execution
    - attack.t1059.007
    - cve.2020-1599
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\mshta.exe'
        - OriginalFileName: 'mshta.exe'
    selection_cli:
        CommandLine|contains:
            - '.7z'
            - '.avi'
            - '.bat'
            - '.bmp'
            - '.conf'
            - '.csv'
            - '.dll'
            - '.doc'
            - '.gif'
            - '.gz'
            - '.ini'
            - '.jpe'
            - '.jpg'
            - '.json'
            - '.lnk'
            - '.log'
            - '.mkv'
            - '.mp3'
            - '.mp4'
            - '.pdf'
            - '.png'
            - '.ppt'
            - '.rar'
            - '.rtf'
            - '.svg'
            - '.tar'
            - '.tmp'
            - '.txt'
            - '.xls'
            - '.xml'
            - '.yaml'
            - '.yml'
            - '.zip'
            - 'vbscript'
            # - '.chm'  # could be prone to false positives
            # - '.exe'
    condition: all of selection_*
falsepositives:
    - False positives depend on scripts and administrative tools used in the monitored environment
level: high

CLI command

Copy the exact command to reproduce this translation locally.

sigma convert --without-pipeline -t splunk -f default rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml