[Write-up] LetsDefend — Suspicious Mshta Behavior

  • inline via an argument passed in the command line to Mshta
  • file-based execution via an HTML Application (HTA) file
  • COM-based execution for lateral movement
  • by calling the RunHTMLApplication export function of mshtml.dll with rundll32.exe as an alternative to mshta.exe
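To make these four execution paths concrete from a detection standpoint, here is an added example (not part of the original write-up or of LetsDefend's material) that classifies process-creation events by which Mshta technique they resemble. The event layout, the sample events and the parent-process heuristic used for the COM-based case are assumptions made for this example: command-line patterns identify the inline, HTA-file and rundll32 variants, while a COM-initiated launch leaves no telltale argument, so it is approximated here by an unusual parent process.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ProcEvent:
    """Minimal process-creation record (assumed layout for this example)."""
    image: str          # full path of the created process
    command_line: str   # full command line as logged
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_mshta_event(ev: ProcEvent) -> List[str]:
    """Return the technique labels matching one process-creation event."""
    findings: List[str] = []
    image = _basename(ev.image)
    cmd = ev.command_line.lower()
    parent = _basename(ev.parent_image)

    if image == "mshta.exe":
        # 1. Inline execution: script handed to mshta directly via a
        #    javascript:/vbscript: argument instead of a file.
        if re.search(r"\b(javascript|vbscript):", cmd):
            findings.append("mshta-inline-script")
        # 2. File-based execution: a local .hta file or a remote URL
        #    that mshta fetches and runs as an HTML Application.
        if re.search(r"\.hta\b", cmd) or re.search(r"https?://", cmd):
            findings.append("mshta-hta-file")
        # 3. COM-based launch (lateral movement): nothing distinctive on
        #    the command line, so this example flags mshta spawned by a
        #    COM/service host rather than a user shell. Heuristic assumed
        #    for this example; tune to your environment.
        if parent in ("svchost.exe", "dllhost.exe", "wmiprvse.exe"):
            findings.append("mshta-com-launch")
    elif image == "rundll32.exe":
        # 4. mshta alternative: rundll32 calling the RunHTMLApplication
        #    export of mshtml.dll (the ".dll" suffix is optional).
        if re.search(r"mshtml(\.dll)?\s*,\s*runhtmlapplication", cmd):
            findings.append("rundll32-runhtmlapplication")
    return findings


# Constructed sample events; none of these come from a real incident.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              'mshta.exe vbscript:Execute("CreateObject(""Wscript.Shell"")")',
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta.exe C:\Users\alice\Downloads\invoice.hta",
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/page.hta",
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              'rundll32.exe mshtml.dll,RunHTMLApplication "javascript:..."',
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt",
              r"C:\Windows\explorer.exe"),
]


def triage(events: List[ProcEvent]) -> Dict[str, List[str]]:
    """Map each command line to its matching technique labels (empty = no match)."""
    return {ev.command_line: classify_mshta_event(ev) for ev in events}


if __name__ == "__main__":
    for cmd, labels in triage(SAMPLE_EVENTS).items():
        print(f"{labels or ['-']}  <-  {cmd}")
```

Run as a script to see each sample event with its labels; in practice the same function would be applied to Sysmon event ID 1 or Windows 4688 records, with the parent-process list adjusted to whatever legitimately launches mshta in your estate.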
