Adversaries may use HTA files to establish persistence by placing them in startup folders, allowing malicious code to execute upon system boot. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate potential long-term persistence mechanisms that could evade traditional detection methods.
KQL Query

```kql
DeviceFileEvents
| where FolderPath contains @"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
| where FileName endswith ".hta"
```
```yaml
id: 10d275ce-bb52-41b7-b67e-05b974ed1179
name: HTA Startup Persistence
description: |
  Use this query to locate persistence in Startup with HTA files.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
tactics:
  - Ransomware
query: |
  DeviceFileEvents
  | where FolderPath contains @"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\"
  | where FileName endswith ".hta"
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using PowerShell to schedule a legitimate maintenance task via a .hta file for system cleanup.
  Filter/Exclusion: Exclude processes initiated by powershell.exe with command-line arguments containing "schtasks" or "schedule".
- Scenario: A user is running a Microsoft Word macro that is embedded in an HTA file to automate document processing.
  Filter/Exclusion: Exclude processes with parent process winword.exe or where the command line includes "word" or "doc".
- Scenario: A Windows Task Scheduler job is configured to run a .hta file as part of a legitimate system update or patching process.
  Filter/Exclusion: Exclude processes launched by schtasks.exe or where the command line contains "schtasks" or "task".
- Scenario: A remote desktop session is used to execute an HTA file for remote administration, such as deploying software updates.
  Filter/Exclusion: Exclude processes with parent process tsclient.exe or mstsc.exe and where the command line includes "remote" or "rdp".
- Scenario: A system diagnostic tool like Process Monitor or Procmon.exe is used to generate an HTA file for logging purposes.
  Filter/Exclusion: Exclude processes with parent process procmon.exe or where the command line includes "procmon" or "Process Monitor".
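The following is an added example, not the page's own hunting query: it takes the base detection above and expresses the tuning ideas from the scenarios as filters on the process that wrote the file, using the `InitiatingProcessFileName`, `InitiatingProcessCommandLine` and `InitiatingProcessParentFileName` columns that `DeviceFileEvents` already carries. It also goes slightly beyond the original by covering the all-users Startup folder under `\ProgramData`, which serves the same autostart purpose. The `AllowedWriters` list and the command-line terms are assumptions for illustration and should be tuned per environment.

```kql
// Added example: HTA files written to a per-user or the all-users Startup folder,
// with allow-list style exclusions on the writing process (assumed values, tune before use).
let UserStartup   = @"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\";
let CommonStartup = @"\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\";
// Assumed allow-list of writers taken from the scenarios above; not a vetted baseline.
let AllowedWriters = dynamic(["schtasks.exe", "winword.exe", "procmon.exe", "mstsc.exe"]);
DeviceFileEvents
// Only the actions that place or change a file; deletes are not persistence.
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath contains UserStartup or FolderPath contains CommonStartup
| where FileName endswith ".hta"
// Exclusions derived from the false-positive scenarios (process name and command-line terms).
| where not(InitiatingProcessFileName in~ (AllowedWriters))
| where not(InitiatingProcessCommandLine has_any ("schtasks", "procmon"))
// Keep the fields an analyst needs to triage the write without re-querying.
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName
| order by Timestamp desc
```

Excluding by process name alone lowers fidelity, since any of the listed binaries can be driven to write a file on an attacker's behalf; where the volume allows, pair the exclusion with the file's `SHA256` or with the initiating process's signer so that only the known-good artifact, not the whole writer, is suppressed.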