MSHTA (Detection)

Microsoft HTML Application


Last updated 4 years ago

MSHTA is a powerful tool to get our code executed, and it is compatible with both JScript and VBScript. Something to take into consideration is that the HTA engine depends on Internet Explorer: since Windows Vista, IE can be removed from Windows, which causes the HTA engine to stop working.

HTA has been supported from IE version 5 to 9. Later versions still support HTA, but some minor features have been turned off.

So let's see what happens when we execute an HTA file, using a simple payload that calls a reverse shell via PowerShell:

Process Hacker:

We see our parent process mshta calling a child process powershell, together with the command line that PowerShell was executed with.

Sysmon shows that MSHTA was executed even though we only double-clicked the application; the following is the PowerShell command that was executed:

Process Hacker also shows that a network connection was established:

And to finish, let's see what is visible on the network with Wireshark:

All the commands being used are in clear text.
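The chain shown in the screenshots above (mshta spawning powershell, then that child opening a network connection) written as a small detection check. This is an added example, not code from the original notes; the event records are constructed samples whose field names follow the Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) schema, and the command-line and IP values are placeholders.

```python
# Added example (not from the original page): flag mshta.exe launching a
# script host and any network connection made by mshta or its direct child.
# SAMPLE_EVENTS is constructed test data shaped like Sysmon Event ID 1/3 fields.
from typing import Dict, List

SAMPLE_EVENTS: List[Dict[str, str]] = [  # constructed sample data, not real logs
    {"EventID": "1", "ProcessGuid": "{A-1}", "ParentProcessGuid": "{E-0}",
     "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\u\Downloads\file.hta'},
    {"EventID": "1", "ProcessGuid": "{A-2}", "ParentProcessGuid": "{A-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -w hidden -c <placeholder command>"},
    {"EventID": "3", "ProcessGuid": "{A-2}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": "4444"},
    {"EventID": "1", "ProcessGuid": "{B-1}", "ParentProcessGuid": "{E-0}",
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore directory."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_mshta(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per suspicious event, in event order."""
    alerts: List[str] = []
    # GUIDs of mshta processes and of script hosts that mshta spawned.
    lineage = {e["ProcessGuid"] for e in events
               if e["EventID"] == "1" and _basename(e["Image"]) == "mshta.exe"}
    for ev in events:
        if ev["EventID"] == "1" and _basename(ev["ParentImage"]) == "mshta.exe":
            child = _basename(ev["Image"])
            if child in SCRIPT_HOSTS:
                lineage.add(ev["ProcessGuid"])
                alerts.append(f"mshta.exe spawned {child}: {ev['CommandLine']}")
        elif ev["EventID"] == "3" and ev["ProcessGuid"] in lineage:
            alerts.append(f"network connection from {_basename(ev['Image'])} "
                          f"(mshta lineage) to {ev['DestinationIp']}:{ev['DestinationPort']}")
    return alerts
```

The second loop relies on Sysmon emitting the process-creation event before the child's network-connection event, which is the order Sysmon writes them.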