A SOC team should proactively hunt for this behavior as it represents a multi-stage attack vector where a protected zip file is used to deliver a Word document that generates and executes an .hta file to establish command and control. This technique is commonly used by Bazarloader to evade basic detection and establish persistence, making it a critical indicator of advanced persistent threats.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ 'WINWORD.EXE' and FileName =~ 'cmd.exe' and ProcessCommandLine has_all('hta')
```
```yaml
id: e9924adb-3f5b-4ef2-8672-89ae381226f9
name: Zip-Doc - Word Launching MSHTA
description: |
  The pw protected zip attachment -> Word doc delivery method of Bazarloader utilizes Word to create an .hta file and launch it via MSHTA to connect to a malicious domain and pull down the Bazarloader payload.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ 'WINWORD.EXE' and FileName =~ 'cmd.exe' and ProcessCommandLine has_all('hta')
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
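The following is an added Python re-creation of the rule's logic over constructed DeviceProcessEvents rows (not the rule's own KQL, and not real telemetry). It mirrors the term semantics of KQL `has_all`, so a command line that merely contains "hta" as a substring of another word does not match, and it corroborates each hit by following the cmd.exe process ID to the mshta.exe child the description mentions.

```python
import re

# Constructed DeviceProcessEvents-style rows (not real telemetry); the field
# names follow the Defender/Sentinel schema used by the rule above.
EVENTS = [
    {"DeviceId": "d1", "ProcessId": 4100, "InitiatingProcessId": 3900,
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c mshta.exe C:\Users\u\AppData\Local\Temp\inv.hta"},
    {"DeviceId": "d1", "ProcessId": 4120, "InitiatingProcessId": 4100,
     "InitiatingProcessFileName": "cmd.exe", "FileName": "mshta.exe",
     "ProcessCommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\inv.hta"},
    # Word spawning cmd.exe without any .hta: outside the rule.
    {"DeviceId": "d2", "ProcessId": 5000, "InitiatingProcessId": 4800,
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c copy report.docx \\share\out"},
    # 'hta' only as a substring of 'Lightarea': KQL has/has_all is a term match, so no hit.
    {"DeviceId": "d2", "ProcessId": 5010, "InitiatingProcessId": 4800,
     "InitiatingProcessFileName": "WINWORD.EXE", "FileName": "cmd.exe",
     "ProcessCommandLine": r"cmd.exe /c dir C:\Projects\Lightarea"},
]

TOKEN = re.compile(r"[A-Za-z0-9]+")


def has_term(text, term):
    """Approximates KQL `has`/`has_all`: case-insensitive whole-term match, not substring."""
    return term.lower() in {t.lower() for t in TOKEN.findall(text)}


def word_to_cmd_hta(events):
    """The rule on this page: cmd.exe started by WINWORD.EXE with 'hta' as a term in its command line."""
    return [e for e in events
            if e["InitiatingProcessFileName"].lower() == "winword.exe"
            and e["FileName"].lower() == "cmd.exe"
            and has_term(e["ProcessCommandLine"], "hta")]


def mshta_children(events, hits):
    """Corroborate each hit: the mshta.exe processes it spawned on the same device (parent PID link)."""
    by_parent = {}
    for e in events:
        if e["FileName"].lower() == "mshta.exe":
            by_parent.setdefault((e["DeviceId"], e["InitiatingProcessId"]), []).append(e)
    return {h["ProcessId"]: [c["ProcessCommandLine"] for c in by_parent.get((h["DeviceId"], h["ProcessId"]), [])]
            for h in hits}


if __name__ == "__main__":
    for pid, children in mshta_children(EVENTS, word_to_cmd_hta(EVENTS)).items():
        print(f"cmd.exe pid {pid} -> mshta.exe: {children}")
```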
Scenario: Scheduled System Maintenance Task Using MSHTA
Description: A legitimate scheduled task runs a script that uses MSHTA to execute an .hta file as part of routine system maintenance (e.g., patching or configuration updates).
Filter/Exclusion: process.parent_process_name != "schtasks.exe" or process.command_line contains "schtasks.exe"
Scenario: Admin Using MSHTA for Internal Script Execution
Description: An administrator uses MSHTA to run a trusted .hta file as part of internal administrative tasks (e.g., deploying updates or configuration scripts).
Filter/Exclusion: process.user != "admin_account" or process.command_line contains "internal_script_path"
Scenario: Legacy Application Using MSHTA for Compatibility
Description: A legacy enterprise application (e.g., Microsoft SharePoint or legacy reporting tools) uses MSHTA to execute .hta files for compatibility with older systems.
Filter/Exclusion: process.name contains "sharepoint.exe" or process.name contains "reportingtools.exe"
Scenario: Automated Deployment Tool Generating HTA for UI
Description: A deployment tool (e.g., SCCM, Puppet, or Ansible) generates an .hta file as part of a user interface for configuration deployment, which is then executed via MSHTA.
Filter/Exclusion: process.name contains "sccm.exe" or process.name contains "ansible.exe"
Scenario: Security Tool Using MSHTA for Policy Enforcement
Description: A security tool (e.g., Microsoft Intune or enterprise endpoint protection) uses MSHTA to execute an .hta file for enforcing security policies or user education.
Filter/Exclusion: process.name contains "intune.exe" or process.name contains "