MITRE ATT&CK™ Analysis - T1218.005 Mshta

less than 1 minute read

Mshta

Citing MITRE:

“Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). TAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.”

“Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.”

Mshta Analysis

Lab Example

RED TEAM: ATTACK

In this example we’ve utilised Mshta.exe to pull a remote file and execute it on the host operating system.

T1170 - Mshta

Looking closer into this from our attacking machine we can see just how easy it is to create a basic HTA payload and serve it up.

T1170 - Mshta

BLUE TEAM: DEFEND

By monitoring network connection events we can see this anomalous behavior. In addition by using process execution logs around this timeframe we may be able to see exactly what caused this malicious HTA file to be executed.

T1170 - Mshta

Further we can seek to disable or delete Mshta.exe alltogether considering this was originally meant to be used with older versions of IE which should no longer be in use.

Share on

Twitter Facebook LinkedIn

MITRE ATT&CK

MITRE ATT&CK™ Analysis - T1218.005 Mshta

Mshta

Mshta Analysis

Lab Example

RED TEAM: ATTACK

BLUE TEAM: DEFEND

Share on

You may also enjoy

AsyncRAT Injector - Malware Analysis Lab

IDAT Loader - Malware Analysis Lab

Fakebat Malware - Malware Analysis Lab

Duvet Stealer - Malware Analysis Lab