Skip to content
Threat Feed
high advisory

Suspicious MSHTML/MSHTA Network Execution Without Direct URL

This analytic detects the anomalous execution of mshta.exe or rundll32.exe invoking mshtml.dll without a direct HTTP/HTTPS URL in the command line, potentially indicating obfuscated script execution by threat actors for initial access or payload staging while evading static detections.

This threat brief focuses on detecting suspicious usage of MSHTA (Microsoft HTML Application Host) and MSHTML (Microsoft HTML engine) for executing code over a network without explicitly providing a URL in the command line arguments. Attackers may leverage these Windows utilities to bypass application control policies and execute malicious scripts. The technique involves using mshta.exe or rundll32.exe to load mshtml.dll and execute HTML applications, often containing JavaScript or VBScript. The absence of a clear URL in the command-line suggests that the attacker is trying to hide the source of the payload by using string concatenation, encoding, or indirect script loaders. The detection method relies on identifying process executions that use these utilities with network activity and script execution patterns, but without specifying a direct URL in the arguments. This approach is relevant to defenders because it highlights potential initial access or payload staging attempts, which are critical phases of an attack. The observed behavior has been documented since at least 2017 and continues to be a relevant technique.

Attack Chain

  1. The attacker gains initial access, potentially through phishing or other means.
  2. The attacker executes mshta.exe with arguments containing JavaScript or VBScript, but without a visible HTTP/HTTPS URL.
  3. Alternatively, the attacker executes rundll32.exe to invoke mshtml.dll and the RunHTMLApplication export function, also without a direct URL.
  4. The executed script uses GetObject() or similar techniques to fetch and execute code from a remote server, hiding the URL.
  5. The script establishes a network connection to a remote server to download additional payloads or execute commands.
  6. The downloaded payload may be a backdoor, downloader, or other malicious tool.
  7. The attacker uses the downloaded payload to establish persistence or escalate privileges.
  8. The attacker performs reconnaissance, lateral movement, and data exfiltration or deploys ransomware.

Impact

A successful attack using this technique can lead to initial access, payload staging, and subsequent compromise of the target system. This can result in data theft, system disruption, or ransomware deployment. While the specific number of victims and sectors targeted are unknown, this technique is widely applicable and poses a significant risk to organizations across all sectors.

Recommendation

  • Enable and monitor Cisco Network Visibility Module logs to capture process execution details and network connections (cisco_network_visibility_module_flowdata macro).
  • Deploy the Sigma rule "Detect MSHTML/MSHTA Network Execution Without Direct URL" to identify suspicious process executions.
  • Investigate any alerts generated by the Sigma rule, focusing on the parent processes and network destinations.
  • Monitor endpoint process creation events for suspicious executions of mshta.exe and rundll32.exe with related script arguments (Sysmon or similar EDR).
  • Review and update application control policies to restrict the execution of mshta.exe and rundll32.exe where appropriate.
  • Consider implementing network segmentation to limit the impact of a successful compromise.

Detection coverage 2

Detect MSHTML/MSHTA Network Execution Without Direct URL

high

Detects suspicious execution of mshta.exe or rundll32.exe invoking mshtml.dll without a direct HTTP/HTTPS URL in the command line, indicating potential obfuscated script execution.

sigma tactics: defense_evasion, initial_access techniques: T1059.005, T1218.005 sources: process_creation, windows

Detect MSHTA with Obfuscated Command Line

medium

Detects mshta.exe execution with command-line arguments indicative of obfuscation, such as long strings or unusual characters.

sigma tactics: defense_evasion techniques: T1218.005 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →