HTA Attacks

HTA (HTML Application) is a Microsoft document type that contains HTML. Files with the .hta extension are run like any other executable. Similar to document macros, HTA attacks can leverage ActiveX objects and WScript to let the user run OS commands. Take this simple HTA document for example:

[Figure: hta-html.png]

What you see is a basic HTML file. Between the script tags we have some JavaScript. We define a variable runMe and set it to our payload (calc.exe). Next, we create an ActiveXObject to run our payload. This will spawn the calculator application on our target machine.


Let's serve this file using a simple Python web server, a method for uploading files to remote machines covered in an earlier post.

[Figure: download-hta.png]

Now, from our victim machine, we navigate to the web server in the browser and download the file, index.hta. This malicious file download may trigger Windows Defender. If this happens, we can temporarily disable real-time monitoring and download the file.

[Figure: download-file.png]


Now, if we run the file, our payload will spawn the calculator application.

[Figure: spawn-calc.png]

Spawning the calculator binary may not be inherently malicious, but it does demonstrate the ability to run OS commands using HTA documents.
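From the defender's side, the pattern described above (an HTA whose script block creates a WScript.Shell ActiveX object and calls Run on a command held in a variable) is easy to triage statically. The following Python script is an added example, not code from the original post: it pulls the script blocks out of an .hta file, flags the ActiveXObject/Run indicators, and resolves the simple `var runMe = "..."` indirection so the command string can be reported. The SAMPLE_HTA and BENIGN_HTA documents are constructed here to mirror the post's description; the indicator names and the `triage_hta`/`is_suspicious` functions are this example's own.

```python
"""Static triage of .hta files for the WScript.Shell / Run pattern (added example)."""
import re
from html.parser import HTMLParser

# Constructed sample modelled on the post's description: a script block that
# stores the command in a variable, creates WScript.Shell and runs it.
SAMPLE_HTA = """<html>
<head><title>demo</title></head>
<body>
<script>
  var runMe = "calc.exe";
  var shell = new ActiveXObject("WScript.Shell");
  shell.Run(runMe);
</script>
</body>
</html>
"""

# Constructed benign HTA for comparison: script present, no shell object.
BENIGN_HTA = "<html><body><h1>Nothing here</h1><script>document.title = 'x';</script></body></html>"


class ScriptExtractor(HTMLParser):
    """Collects the raw text of every <script> element, ignoring other markup."""

    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; append rather than replace.
        if self._in_script:
            self.scripts[-1] += data


def extract_scripts(hta_text):
    """Return a list with the body of each <script> block in the document."""
    parser = ScriptExtractor()
    parser.feed(hta_text)
    parser.close()
    return parser.scripts


# Indicator names are this example's own labels, not a vendor taxonomy.
INDICATORS = [
    ("wscript_shell", re.compile(r"ActiveXObject\s*\(\s*[\"']WScript\.Shell[\"']", re.I)),
    ("shell_application", re.compile(r"ActiveXObject\s*\(\s*[\"']Shell\.Application[\"']", re.I)),
    ("run_call", re.compile(r"\.Run\s*\(", re.I)),
    ("exec_call", re.compile(r"\.Exec\s*\(", re.I)),
    ("shellexecute_call", re.compile(r"\.ShellExecute\s*\(", re.I)),
]
STRING_VAR = re.compile(r"\bvar\s+(\w+)\s*=\s*[\"']([^\"']*)[\"']")
RUN_ARG = re.compile(r"\.(?:Run|Exec)\s*\(\s*([^),]+)", re.I)


def triage_hta(hta_text):
    """Return (indicator names found, command strings passed to Run/Exec)."""
    body = "\n".join(extract_scripts(hta_text))
    found = [name for name, rx in INDICATORS if rx.search(body)]
    # Resolve `var x = "literal"` so Run(x) is reported as the literal command;
    # anything more indirect is reported as the raw expression instead.
    literals = {name: value for name, value in STRING_VAR.findall(body)}
    commands = []
    for arg in RUN_ARG.findall(body):
        arg = arg.strip()
        if arg[:1] in ("\"", "'") and arg[-1:] == arg[:1]:
            commands.append(arg[1:-1])
        else:
            commands.append(literals.get(arg, arg))
    return found, commands


def is_suspicious(hta_text):
    """True when a shell object is created and a command-running method is called."""
    found, _ = triage_hta(hta_text)
    has_shell = "wscript_shell" in found or "shell_application" in found
    has_call = any(n in found for n in ("run_call", "exec_call", "shellexecute_call"))
    return has_shell and has_call


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTA), ("benign", BENIGN_HTA)):
        indicators, commands = triage_hta(doc)
        print(f"{label}: suspicious={is_suspicious(doc)} indicators={indicators} commands={commands}")
```

Running the script reports the sample document as suspicious with the resolved command `calc.exe`, and the benign document as clean. The check is deliberately narrow: it looks for the one object-plus-method combination the post uses, so obfuscated scripts (string concatenation, encoded payloads) need a sandbox or script-host logging rather than a regex.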
