MSHTA Executing Inline HTA Script
Detection of mshta.exe executing with inline script protocols like JavaScript or VBScript, often used for malicious script execution and defense evasion.
This brief focuses on the abuse of mshta.exe, a legitimate Microsoft program, to execute malicious HTML Application (HTA) files inline. Attackers leverage mshta.exe to bypass traditional application whitelisting and execute arbitrary code using scripting languages like JavaScript or VBScript. This technique is often employed for defense evasion and initial access. Observed activity involves command-line arguments containing inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior poses a significant threat because successful exploitation enables attackers to execute unauthorized code, escalate privileges, and establish persistence, potentially leading to full system compromise. The detection logic is sourced from Splunk ES_CU, detection ID a0873b32-5b68-11eb-ae93-0242ac130002.
Attack Chain
- Initial Access: An attacker gains initial access through various means (not specified in source), such as phishing or exploiting a vulnerability.
- Fileless Execution: The attacker leverages
mshta.exeto execute HTA code directly from the command line, avoiding writing malicious files to disk. - Inline Script Execution:
mshta.exeis invoked with arguments specifying inline scripting protocols likejavascript:orvbscript:, embedding the malicious code within the command. - Code Execution:
mshta.exeinterprets and executes the embedded malicious script, potentially downloading further payloads or executing arbitrary commands. - Privilege Escalation: The executed script may attempt to escalate privileges by exploiting vulnerabilities or using built-in Windows tools.
- Persistence: The attacker establishes persistence by creating scheduled tasks, modifying registry keys, or using other techniques to ensure continued access.
- Lateral Movement: The attacker moves laterally within the network by compromising other systems using stolen credentials or exploiting vulnerabilities.
- Objective: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or espionage.
Impact
Successful exploitation allows attackers to execute arbitrary code, escalate privileges, and establish persistence, which can lead to full system compromise, data theft, or ransomware deployment. The impact can range from individual system compromise to widespread network breaches, potentially affecting hundreds or thousands of machines, depending on the scope of the attack. Sectors commonly targeted by these techniques include finance, healthcare, and government.
Recommendation
- Enable Sysmon process creation logging (Event ID 1) and Windows Event Logging (Security 4688) to capture command-line arguments for
mshta.exeexecutions to enable the rules below. - Deploy the Sigma rule
MSHTA Inline HTA Executionto your SIEM to detect suspicious command-line arguments containing scripting protocols and tune for your environment. - Investigate any alerts generated by the Sigma rule, focusing on the parent process of
mshta.exeand the specific inline script being executed. - Implement application control policies to restrict the execution of
mshta.exeor limit its ability to execute arbitrary scripts. - Review and update endpoint detection and response (EDR) configurations to ensure they are capable of detecting and blocking fileless attacks using
mshta.exe.
Detection coverage 2
MSHTA Inline HTA Execution
highDetects mshta.exe executing with inline scripting protocols like JavaScript or VBScript
MSHTA Spawning Suspicious Child Process
mediumDetects mshta.exe spawning suspicious child processes like cmd.exe or powershell.exe
Detection queries are available on the platform. Get full rules →