Script Execution via Microsoft HTML Application
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries by using rundll32.exe or mshta.exe to execute scripts via HTML applications.
Attackers leverage Microsoft HTML Applications (HTA) to execute scripts in a trusted environment, often using rundll32.exe or mshta.exe, to evade defenses. This technique, observed in various campaigns since at least 2020, involves proxying malicious script execution through signed binaries, making detection challenging. The scope of this threat extends to any Windows environment where users can execute HTML applications. Defenders must monitor for suspicious command-line arguments and parent-child process relationships involving mshta.exe and rundll32.exe.
Attack Chain
- The user downloads a malicious HTA file, often disguised as a legitimate document, from a phishing email or compromised website.
- The user executes the downloaded HTA file, which triggers the execution of
mshta.exe. mshta.exeinterprets and executes the embedded script within the HTA file.- The script may contain obfuscated or encoded commands to evade detection.
- The script utilizes techniques such as
GetObject,WScript.Shell, orRegWriteto perform malicious actions. mshta.exeexecutes commands to download and execute additional payloads.- The downloaded payloads establish persistence, escalate privileges, and perform lateral movement.
- The final objective includes data exfiltration, deploying ransomware, or establishing a persistent backdoor.
Impact
Successful exploitation can lead to complete system compromise, data theft, and ransomware deployment. Affected systems can be leveraged for further attacks within the network, impacting all connected devices. Victims may experience significant financial losses, reputational damage, and operational disruption. The broad scope of Windows environments makes this a widespread threat, particularly affecting organizations that rely on user-executed scripts and applications.
Recommendation
- Monitor process execution for
rundll32.exeandmshta.exewith command-line arguments containing suspicious script-related keywords using the Sigma rules provided. - Investigate instances of
mshta.exeexecuting from common download locations such as theDownloadsfolder, as highlighted in the rule logic. - Implement application control policies to restrict the execution of unsigned or untrusted HTA files.
- Audit and review parent-child process relationships involving
mshta.exeandrundll32.exeto identify anomalous behavior. - Deploy the Sigma rules in this brief to your SIEM and tune for your environment.
Detection coverage 3
Suspicious Mshta Execution with Script Keywords
highDetects mshta.exe executing with command lines containing suspicious script keywords indicative of malicious activity.
Mshta Execution from Downloads Directory
mediumDetects mshta.exe being executed with a command line pointing to a file within the user's Downloads directory, a common location for downloaded malicious files.
Rundll32 Script Execution
highDetects rundll32.exe executing with command lines that contain script-like arguments.
Detection queries are available on the platform. Get full rules →