Mshta - T1218.005
(ATT&CK® Technique)
Definition
Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for the execution of code.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
%% D3FEND inferred relationships for ATT&CK technique T1218.005 (Mshta).
%% Solid edges state what a technique does to a digital artifact.
%% Dotted edges carry the inferred "may-..." relationship between a defensive
%% technique and Mshta; they mark candidate countermeasures to evaluate,
%% not confirmed coverage.

%% Offensive technique and the two artifacts it touches.
T1218005["Mshta"] --> |invokes| CreateProcess["Create Process"];
class T1218005 OffensiveTechniqueNode;
class CreateProcess ArtifactNode;
click CreateProcess href "/dao/artifact/d3f:CreateProcess";
click T1218005 href "/offensive-technique/attack/T1218.005/";
T1218005 --> |interprets| MicrosoftHTMLApplication["Microsoft HTML Application"];
class MicrosoftHTMLApplication ArtifactNode;
click MicrosoftHTMLApplication href "/dao/artifact/d3f:MicrosoftHTMLApplication";

%% Deceive: decoy standing in for the HTA file.
DecoyFile["Decoy File"] --> | spoofs | MicrosoftHTMLApplication;
DecoyFile -.-> | may-deceive | T1218005;
class DecoyFile DefensiveTechniqueNode;
click DecoyFile href "/technique/d3f:DecoyFile";

%% Detect: run-time analysis of the HTA file.
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | MicrosoftHTMLApplication;
DynamicAnalysis -.-> | may-detect | T1218005;
class DynamicAnalysis DefensiveTechniqueNode;
click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";

%% Harden: encryption applied to the HTA file.
FileEncryption["File Encryption"] --> | encrypts | MicrosoftHTMLApplication;
FileEncryption -.-> | may-harden | T1218005;
class FileEncryption DefensiveTechniqueNode;
click FileEncryption href "/technique/d3f:FileEncryption";

%% Detect: emulated analysis of the HTA file.
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | MicrosoftHTMLApplication;
EmulatedFileAnalysis -.-> | may-detect | T1218005;
class EmulatedFileAnalysis DefensiveTechniqueNode;
click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";

%% Detect: integrity monitoring of the HTA file.
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | MicrosoftHTMLApplication;
FileIntegrityMonitoring -.-> | may-detect | T1218005;
class FileIntegrityMonitoring DefensiveTechniqueNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring";

%% Isolate: restrictions and filters on process creation.
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess;
Hardware-basedProcessIsolation -.-> | may-isolate | T1218005;
class Hardware-basedProcessIsolation DefensiveTechniqueNode;
click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";

ExecutableAllowlisting["Executable Allowlisting"] --> | filters | CreateProcess;
ExecutableAllowlisting -.-> | may-isolate | T1218005;
class ExecutableAllowlisting DefensiveTechniqueNode;
click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";

ExecutableDenylisting["Executable Denylisting"] --> | filters | CreateProcess;
ExecutableDenylisting -.-> | may-isolate | T1218005;
class ExecutableDenylisting DefensiveTechniqueNode;
click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";

%% Detect: analysis of process creation.
SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess;
SystemCallAnalysis -.-> | may-detect | T1218005;
class SystemCallAnalysis DefensiveTechniqueNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";

ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess;
ProcessSpawnAnalysis -.-> | may-detect | T1218005;
class ProcessSpawnAnalysis DefensiveTechniqueNode;
click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";

%% Evict: deletion of the HTA file.
FileEviction["File Eviction"] --> | deletes | MicrosoftHTMLApplication;
FileEviction -.-> | may-evict | T1218005;
class FileEviction DefensiveTechniqueNode;
click FileEviction href "/technique/d3f:FileEviction";

%% Isolate: file permissions on the HTA file.
LocalFilePermissions["Local File Permissions"] --> | restricts | MicrosoftHTMLApplication;
LocalFilePermissions -.-> | may-isolate | T1218005;
class LocalFilePermissions DefensiveTechniqueNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";

%% Isolate: system call filtering on process creation.
SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess;
SystemCallFiltering -.-> | may-isolate | T1218005;
class SystemCallFiltering DefensiveTechniqueNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";

%% Restore: restoration of the HTA file.
RestoreFile["Restore File"] --> | restores | MicrosoftHTMLApplication;
RestoreFile -.-> | may-restore | T1218005;
class RestoreFile DefensiveTechniqueNode;
click RestoreFile href "/technique/d3f:RestoreFile";

%% Detect: analysis of the HTA file.
FileAnalysis["File Analysis"] --> | analyzes | MicrosoftHTMLApplication;
FileAnalysis -.-> | may-detect | T1218005;
class FileAnalysis DefensiveTechniqueNode;
click FileAnalysis href "/technique/d3f:FileAnalysis";

%% Isolate: mediation of remote access to the HTA file.
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | MicrosoftHTMLApplication;
RemoteFileAccessMediation -.-> | may-isolate | T1218005;
class RemoteFileAccessMediation DefensiveTechniqueNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";