27 lines
902 B
YAML
27 lines
902 B
YAML
Name: Mshta.exe
|
|
Description: Used to execute .HTA files
|
|
Author: Test Author
|
|
Created: 2025-01-15
|
|
Commands:
|
|
- Command: mshta.exe evilfile.hta
|
|
Description: Open an HTA file from disk
|
|
Usecase: Execute arbitrary HTA scripts
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.005
|
|
OperatingSystem: Windows 10, Windows 11
|
|
- Command: mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run(""calc.exe"")")
|
|
Description: Execute VBScript via mshta
|
|
Usecase: Execute inline VBScript
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1059.005
|
|
OperatingSystem: Windows 10, Windows 11
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\mshta.exe
|
|
- Path: C:\Windows\SysWOW64\mshta.exe
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_mshta.yml
|
|
Resources:
|
|
- Link: https://lolbas-project.github.io/#/mshta
|