PAY-HTA-VBS · Execution
HTA / VBS / WSF Execution
mshta.exe runs HTA payloads outside browser sandboxing — historical staple still effective on unhardened endpoints.
§ Where this technique fits
PAY-HTA-VBS is catalogued under the Execution tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, at step 3.5 on average.
§ Dossiers chaining this technique
- Step 3 / 6: ISO container → LNK → stage from CDN → C2
  Email attaches an ISO. Windows mounts it as a drive, bypassing Mark-of-the-Web. LNK inside runs a hidden binary that pulls the real stager from a CDN — Defender often misses the chain.
- Step 4 / 6: OneNote .one attachment → embedded payload → C2
  OneNote .one file with a friendly 'Double-click to view' overlay hides an embedded HTA / VBS / EXE. Effective initial access vector after Microsoft blocked internet macros in 2022.
§ What commonly comes next
- 01 Application Layer Protocol (T1071 · Command and Control), seen 2×