|Tactic||Defense Evasion, Execution|
|Data Sources||Process monitoring, Process command-line parameters|
|Defense Bypassed||Application whitelisting|
|Contributors||Ricardo Dias, Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank|
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension
.hta.1 HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser.2
Files may be executed by mshta.exe through an inline script:
They may also be executed directly from URLs:
Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.8
- FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.7
- MuddyWater has used Mshta.exe to execute its POWERSTATS payload.9
- POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.9
Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer which have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the binary being executed.
Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious.
- Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.
- Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.
- Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.
- Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- [ Smith, C. (2017, July 14). TheList.txt. Retrieved October 27, 2017.]
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.