Mshta (T1170)

Technique & Subtechniques

  • Mshta

Associated Tactics

  • Defense Evasion
  • Execution

Defense Evasion (TA0005)

The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics’ techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
