Skip to content
Threat Feed
high advisory

MSHTA Executing Inline HTA Script

Detection of mshta.exe executing with inline script protocols like JavaScript or VBScript, often used for malicious script execution and defense evasion.

This brief focuses on the abuse of mshta.exe, a legitimate Microsoft program, to execute malicious HTML Application (HTA) files inline. Attackers leverage mshta.exe to bypass traditional application whitelisting and execute arbitrary code using scripting languages like JavaScript or VBScript. This technique is often employed for defense evasion and initial access. Observed activity involves command-line arguments containing inline protocol handlers such as "JavaScript", "VBScript", and "About". This behavior poses a significant threat because successful exploitation enables attackers to execute unauthorized code, escalate privileges, and establish persistence, potentially leading to full system compromise. The detection logic is sourced from Splunk ES_CU, detection ID a0873b32-5b68-11eb-ae93-0242ac130002.

Attack Chain

  1. Initial Access: An attacker gains initial access through various means (not specified in source), such as phishing or exploiting a vulnerability.
  2. Fileless Execution: The attacker leverages mshta.exe to execute HTA code directly from the command line, avoiding writing malicious files to disk.
  3. Inline Script Execution: mshta.exe is invoked with arguments specifying inline scripting protocols like javascript: or vbscript:, embedding the malicious code within the command.
  4. Code Execution: mshta.exe interprets and executes the embedded malicious script, potentially downloading further payloads or executing arbitrary commands.
  5. Privilege Escalation: The executed script may attempt to escalate privileges by exploiting vulnerabilities or using built-in Windows tools.
  6. Persistence: The attacker establishes persistence by creating scheduled tasks, modifying registry keys, or using other techniques to ensure continued access.
  7. Lateral Movement: The attacker moves laterally within the network by compromising other systems using stolen credentials or exploiting vulnerabilities.
  8. Objective: The attacker achieves their objective, such as data exfiltration, ransomware deployment, or espionage.

Impact

Successful exploitation allows attackers to execute arbitrary code, escalate privileges, and establish persistence, which can lead to full system compromise, data theft, or ransomware deployment. The impact can range from individual system compromise to widespread network breaches, potentially affecting hundreds or thousands of machines, depending on the scope of the attack. Sectors commonly targeted by these techniques include finance, healthcare, and government.

Recommendation

  • Enable Sysmon process creation logging (Event ID 1) and Windows Event Logging (Security 4688) to capture command-line arguments for mshta.exe executions to enable the rules below.
  • Deploy the Sigma rule MSHTA Inline HTA Execution to your SIEM to detect suspicious command-line arguments containing scripting protocols and tune for your environment.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent process of mshta.exe and the specific inline script being executed.
  • Implement application control policies to restrict the execution of mshta.exe or limit its ability to execute arbitrary scripts.
  • Review and update endpoint detection and response (EDR) configurations to ensure they are capable of detecting and blocking fileless attacks using mshta.exe.

Detection coverage 2

MSHTA Inline HTA Execution

high

Detects mshta.exe executing with inline scripting protocols like JavaScript or VBScript

sigma tactics: defense_evasion techniques: T1218.005 sources: process_creation, windows

MSHTA Spawning Suspicious Child Process

medium

Detects mshta.exe spawning suspicious child processes like cmd.exe or powershell.exe

sigma tactics: execution techniques: T1218.005 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →