EXPLORE

← Back to Explore

T1218.005

Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that execut...

Windows

46

Detections

4

Sources

17

Threat Actors

BY SOURCE

26elastic12splunk_escu7sigma1crowdstrike_cql

PROCEDURES (29)

Script Execution Monitoring4 detections

Auto-extracted: 4 detections for script execution monitoring

Download3 detections

Auto-extracted: 3 detections for download

Child Process3 detections

Auto-extracted: 3 detections for child process

Privilege2 detections

Auto-extracted: 2 detections for privilege

Parent Process2 detections

Auto-extracted: 2 detections for parent process

Remote2 detections

Auto-extracted: 2 detections for remote

Exfiltrat2 detections

Auto-extracted: 2 detections for exfiltrat

Bypass2 detections

Auto-extracted: 2 detections for bypass

Network Connection Monitoring2 detections

Auto-extracted: 2 detections for network connection monitoring

Phish2 detections

Auto-extracted: 2 detections for phish

Powershell2 detections

Auto-extracted: 2 detections for powershell

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Persist1 detections

Auto-extracted: 1 detections for persist

Http1 detections

Auto-extracted: 1 detections for http

Persist1 detections

Auto-extracted: 1 detections for persist

Bypass1 detections

Auto-extracted: 1 detections for bypass

Privilege1 detections

Auto-extracted: 1 detections for privilege

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Persist1 detections

Auto-extracted: 1 detections for persist

Lateral1 detections

Auto-extracted: 1 detections for lateral

Http1 detections

Auto-extracted: 1 detections for http

Parent Process1 detections

Auto-extracted: 1 detections for parent process

Inject1 detections

Auto-extracted: 1 detections for inject

Http1 detections

Auto-extracted: 1 detections for http

Inject1 detections

Auto-extracted: 1 detections for inject

Remote1 detections

Auto-extracted: 1 detections for remote

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

THREAT ACTORS (17)

APT29 APT32 APT38 Confucius Earth Lusca FIN7 Gamaredon Group Inception Kimsuky Lazarus Group LazyScripter MuddyWater Mustang Panda SideCopy Sidewinder TA2541 TA551

DETECTIONS (46)

Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI

Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download

Command and Scripting Interpreter via Windows Scripts

Csc.EXE Execution Form Potentially Suspicious Parent

Delayed Execution via Ping

Detect mshta inline hta execution

Detect mshta renamed

Detect MSHTA Url in Command Line

Detect Rundll32 Inline HTA Execution

Execution from Unusual Directory - Command Line

Execution of a Downloaded Windows Script

Execution of Persistent Suspicious Program

HackTool - CACTUSTORCH Remote Thread Creation

Incoming DCOM Lateral Movement via MSHTA

crowdstrike_cql

Microsoft Build Engine Started by a Script Process

MSHTA Execution with Suspicious File Extensions

Mshta Making Network Connections

Mshta spawning Rundll32 OR Regsvr32 Process

Potential Execution via FileFix Phishing Attack

Potential Fake CAPTCHA Phishing Attack

Potential LethalHTA Technique Execution

Process Activity via Compiled HTML File

Remotely Hosted HTA File Executed Via Mshta.EXE

Script Execution via Microsoft HTML Application

Service Control Spawned via Script Interpreter

Suspicious .NET Code Compilation

Suspicious Execution from a Mounted Device

Suspicious Execution from VS Code Extension

Suspicious Explorer Child Process

Suspicious JavaScript Execution Via Mshta.EXE

Suspicious JetBrains TeamCity Child Process

Suspicious Managed Code Hosting Process

Suspicious Microsoft HTML Application Child Process

Suspicious MS Office Child Process

Suspicious MS Outlook Child Process

Suspicious mshta child process

Suspicious MSHTA Child Process

Suspicious mshta spawn

Suspicious PDF Reader Child Process

Suspicious ScreenConnect Client Child Process

Suspicious Windows Command Shell Arguments

Unusual Network Activity from a Windows System Binary

Windows Mshta Execution In Registry

Windows MSHTA Writing to World Writable Path

Windows Process Writing File to World Writable Path