{
	"id": "3c686940-d931-4bb6-b075-55f46049939f",
	"created_at": "2026-04-06T02:11:08.295429Z",
	"updated_at": "2026-04-10T03:21:49.968386Z",
	"deleted_at": null,
	"sha1_hash": "6b7c5b3932a73dd5219a5cd4eb3b31da746f2b5a",
	"title": "Microsoft HTML Application (HTA) Abuse, Part Deux",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 312155,
	"plain_text": "Microsoft HTML Application (HTA) Abuse, Part Deux\r\nBy Keith McCammon, Chief Security Officer\r\nPublished: 2015-08-14 · Archived: 2026-04-06 01:51:00 UTC\r\nIn our most recent Detection Profile, we looked at a red team’s post-exploitation activity as detected by Red Canary. The tool was identified through open sources as PoshRat, a PowerShell-based remote access tool that takes advantage of a security policy bypass in Microsoft HTML Applications (HTA) to establish a reverse shell.\r\nUnfortunately, HTA abuse is widespread and not limited to red teams. The Red Canary SOC continues to observe HTA abuse in the wild as well. Here we’ll look at one such detection, in which mshta.exe is leveraged to complete an exploitation chain without dropping any binary files to disk.\r\nFirst, we see mshta.exe called with a tell-tale command line containing both overt calls and some encoded values:\r\n\"c:\\windows\\system32\\mshta.exe\" javascript:bz0pbzykh=\"qoethfr1\";jo9=new%20activexobject(\"wscript.shel\r\nNote the call to regread(), wherein the routine picks up a binary object from the registry key hklm\\software\\wow6432node\\88b21b0b\\7f490d53. This entry would have been dropped by a preceding process, likely rundll32.exe.\r\nThe product of this encoded routine is a PowerShell child process that executes a script using iex, an alias for the Invoke-Expression cmdlet. Invoke-Expression takes the next bit of input, a command stored in an obscurely named environment variable, and executes it. What we see coming from the Carbon Black sensor is:\r\n\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" iex $env:veckxeg\r\nThe entire sequence of events is repeated a second time almost immediately, though the second iteration uses runonce.exe as the triggering process.\r\nThe specific malware family observed is subject to some interpretation. The techniques described above are indicative of known variants of Poweliks as well as Win32/Xswkit (a.k.a. Gootkit). Both of these malware families are notable because they reside in the registry or in memory, and do not rely on typical exploitation chains that utilize overt dropper binaries before migrating into system processes. They also tend to evolve rapidly, and thus antivirus or even anti-exploitation tools cannot be relied upon for prevention.\r\nAnother win for a solid visibility tool coupled with broad detection, particularly observation of trusted system processes.\r\nSource: https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/"
	],
	"report_names": [
		"microsoft-html-application-hta-abuse-part-deux"
	],
	"threat_actors": [],
	"ts_created_at": 1775441468,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b7c5b3932a73dd5219a5cd4eb3b31da746f2b5a.pdf",
		"text": "https://archive.orkl.eu/6b7c5b3932a73dd5219a5cd4eb3b31da746f2b5a.txt",
		"img": "https://archive.orkl.eu/6b7c5b3932a73dd5219a5cd4eb3b31da746f2b5a.jpg"
	}
}
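The detection the post walks through (mshta.exe launched with an inline javascript: script that instantiates WScript.Shell and reads its payload out of the registry, followed by a powershell.exe child running iex on an environment variable) can be expressed as a few rules over process-start telemetry. The following is an added example, not Red Canary's detection logic and not code from the post. The events are constructed sample records with the fields a process sensor exposes (pid, parent pid, image path, lower-cased command line); the mshta command line is assembled from the indicators the post names and is not the full command line observed, which the post truncates. Two benign look-alikes (an .hta opened from disk, a script run from a file) are included to show what must not fire.

```python
"""Flag the HTA-to-PowerShell chain described in the post in process telemetry.

Added example; this is not Red Canary's detection logic or the malware's code.
Each event is a constructed dict with the fields a process sensor exposes:
pid, parent pid, image path and command line (lower-cased, as in the post).
"""
import re

# Constructed sample telemetry. The mshta and powershell command lines are
# assembled from the indicators the post names (javascript: handler,
# ActiveXObject("WScript.Shell"), RegRead of the dropped registry key,
# iex $env:...); they are not the full command lines observed, which the
# post truncates. Events 200 and 201 are benign look-alikes.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"c:\windows\system32\rundll32.exe",
     "cmdline": r'"c:\windows\system32\rundll32.exe"'},
    {"pid": 101, "ppid": 100, "image": r"c:\windows\system32\mshta.exe",
     "cmdline": r'"c:\windows\system32\mshta.exe" javascript:bz0pbzykh="qoethfr1";'
                r'jo9=new%20activexobject("wscript.shell");'
                r'eval(jo9.regread("hklm\software\wow6432node\88b21b0b\7f490d53"));'},
    {"pid": 102, "ppid": 101,
     "image": r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
     "cmdline": r'"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" iex $env:veckxeg'},
    {"pid": 200, "ppid": 4, "image": r"c:\windows\system32\mshta.exe",
     "cmdline": r'"c:\windows\system32\mshta.exe" "c:\program files\vendor\setup.hta"'},
    {"pid": 201, "ppid": 4,
     "image": r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -file c:\scripts\inventory.ps1"},
]

# (rule name, image file name, pattern over the lower-cased command line).
RULES = [
    # mshta.exe handed an inline script via a protocol handler instead of an .hta path
    ("mshta_inline_script", "mshta.exe",
     re.compile(r"\b(javascript|vbscript):")),
    # the script instantiates WScript.Shell and pulls its payload from the registry
    ("mshta_wscript_shell_regread", "mshta.exe",
     re.compile(r"activexobject\(.*wscript\.shell.*regread\(")),
    # powershell.exe evaluating code held in an environment variable
    ("powershell_iex_env", "powershell.exe",
     re.compile(r"\b(iex|invoke-expression)\b.*\$env:")),
]


def image_name(event):
    """File name component of the image path, lower-cased."""
    return event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_rules(event):
    """Names of the rules this single event satisfies."""
    name = image_name(event)
    cmd = event["cmdline"].lower()
    return [rule for rule, image, pattern in RULES if name == image and pattern.search(cmd)]


def analyze(events):
    """Map pid -> matched rule names for every event that tripped at least one rule."""
    return {ev["pid"]: rules for ev in events if (rules := match_rules(ev))}


def find_chains(events):
    """(mshta pid, powershell pid) pairs where a flagged mshta spawned a flagged powershell.

    This is the parent/child relationship the post describes: the decoded HTA routine
    launches powershell.exe, which runs iex on the environment variable. Pairing the
    two halves separates the chain from a lone 'iex $env:' typed in an admin's shell.
    """
    hits = analyze(events)
    by_pid = {ev["pid"]: ev for ev in events}
    chains = []
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        if (parent is not None and ev["pid"] in hits and parent["pid"] in hits
                and image_name(parent) == "mshta.exe"
                and image_name(ev) == "powershell.exe"):
            chains.append((parent["pid"], ev["pid"]))
    return chains


if __name__ == "__main__":
    for pid, rules in analyze(SAMPLE_EVENTS).items():
        print(pid, rules)
    print("chains:", find_chains(SAMPLE_EVENTS))
```

Run against the sample, only the mshta event (101) and its powershell child (102) match, and `find_chains` returns the single (101, 102) pair; the .hta-from-disk and `-file` invocations stay quiet. Because the post notes the sequence repeated under runonce.exe, a production version of this would also record the parent of the flagged mshta.exe (rundll32.exe, runonce.exe) rather than only the mshta-to-powershell edge.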