LetsDefend - Suspicious MSHTA Behavior
LetsDefend Investigation: Suspicious MSHTA Behavior

Overview

Today we're going to deep dive into the LetsDefend Blue Team Training investigation of suspicious MSHTA behavior. But first, what exactly is MSHTA? MSHTA stands for Microsoft HTML Application; it is a signed application native to the Windows operating system, and it is responsible for handling HTML Application (HTA) files. These are applications whose source code consists of HTML, Dynamic HTML and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript. If you'd like to read up more on HTA files, you can do so here on CodeDocs.

When you have a file that runs as a trusted document, and a signed binary that is able to execute the code inside it, you have a prime target for adversaries. Having a better understanding of what we're up against here will definitely play in our favor when determining whether its usage is malicious or not.

Investigation:

To begin, w
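As an added example that is not part of the LetsDefend write-up, the Python script below applies the point made in the overview: mshta.exe itself is trusted, so what matters for triage is what it is asked to run. It walks a list of process-creation records and flags mshta.exe launches whose argument is an inline script protocol or a remote location rather than a local .hta file, and notes when the parent is an Office process. The record layout (parent|image|command line), the sample events and the Office-parent heuristic are my own assumptions, not data from the investigation.

```python
"""Triage of mshta.exe process-creation records (added example, not from the page)."""
import re
from dataclasses import dataclass

# Constructed sample records: "parent_image|image|command_line".
# These are invented for the example, not events from the LetsDefend case.
SAMPLE_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe C:\\Tools\\inventory.hta",
    "WINWORD.EXE|C:\\Windows\\System32\\mshta.exe|mshta.exe http://203.0.113.10/page.hta",
    "cmd.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe vbscript:MsgBox(\"hello\")",
    "svchost.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
]

# HTA content may be VBScript/JScript, so mshta also accepts script: protocols inline.
INLINE_SCRIPT_RE = re.compile(r"^(javascript|vbscript|about):", re.IGNORECASE)
# HTTP(S)/FTP URLs or UNC paths mean the HTA did not come from the local disk.
REMOTE_RE = re.compile(r"^(https?|ftp)://|^\\\\", re.IGNORECASE)
# Assumed heuristic: Office applications rarely have a legitimate reason to spawn mshta.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass
class Finding:
    command_line: str
    reasons: list


def parse_event(line):
    """Split one constructed record into (parent, image, command_line)."""
    parent, image, cmd = line.split("|", 2)
    return parent.strip(), image.strip(), cmd.strip()


def mshta_argument(cmd):
    """Return what mshta was asked to run: everything after the first token."""
    tokens = cmd.split(None, 1)
    if len(tokens) < 2:
        return ""
    return tokens[1].strip().strip('"')


def triage(events):
    """Return a Finding for every mshta.exe launch that deserves analyst attention."""
    findings = []
    for line in events:
        parent, image, cmd = parse_event(line)
        if not image.lower().endswith("mshta.exe"):
            continue  # only mshta launches are in scope here
        arg = mshta_argument(cmd)
        reasons = []
        if INLINE_SCRIPT_RE.match(arg):
            reasons.append("inline script protocol instead of an .hta file")
        elif REMOTE_RE.match(arg):
            reasons.append("HTA loaded from a remote location")
        elif arg and not arg.lower().endswith(".hta"):
            reasons.append("argument is not an .hta file")
        if parent.lower() in OFFICE_PARENTS:
            reasons.append(f"spawned by Office process {parent}")
        if reasons:
            findings.append(Finding(cmd, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.command_line)
        for r in f.reasons:
            print("  -", r)
```

Run against the constructed records, the local inventory.hta launch from explorer.exe produces no finding, while the URL launched from WINWORD.EXE and the inline vbscript: launch are both reported with the reason that triggered them. In a real investigation the same checks would be run over the host's actual process-creation telemetry, and the argument string is exactly the field worth reading first.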