{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/html-application/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["HTML Application"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","script-execution","mshta"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eAttackers leverage Microsoft HTML Applications (HTA) to execute scripts in a trusted environment, often using \u003ccode\u003erundll32.exe\u003c/code\u003e or \u003ccode\u003emshta.exe\u003c/code\u003e, to evade defenses. This technique, observed in various campaigns since at least 2020, involves proxying malicious script execution through signed binaries, making detection challenging. The scope of this threat extends to any Windows environment where users can execute HTML applications. Defenders must monitor for suspicious command-line arguments and parent-child process relationships involving \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe user downloads a malicious HTA file, often disguised as a legitimate document, from a phishing email or compromised website.\u003c/li\u003e\n\u003cli\u003eThe user executes the downloaded HTA file, which triggers the execution of \u003ccode\u003emshta.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emshta.exe\u003c/code\u003e interprets and executes the embedded script within the HTA file.\u003c/li\u003e\n\u003cli\u003eThe script may contain obfuscated or encoded commands to evade detection.\u003c/li\u003e\n\u003cli\u003eThe script utilizes techniques such as \u003ccode\u003eGetObject\u003c/code\u003e, \u003ccode\u003eWScript.Shell\u003c/code\u003e, or \u003ccode\u003eRegWrite\u003c/code\u003e to perform malicious actions.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003emshta.exe\u003c/code\u003e executes commands to download and execute additional payloads.\u003c/li\u003e\n\u003cli\u003eThe downloaded payloads establish persistence, escalate privileges, and perform lateral movement.\u003c/li\u003e\n\u003cli\u003eThe final objective includes data exfiltration, deploying ransomware, or establishing a persistent backdoor.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to complete system compromise, data theft, and ransomware deployment. Affected systems can be leveraged for further attacks within the network, impacting all connected devices. Victims may experience significant financial losses, reputational damage, and operational disruption. The broad scope of Windows environments makes this a widespread threat, particularly affecting organizations that rely on user-executed scripts and applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process execution for \u003ccode\u003erundll32.exe\u003c/code\u003e and \u003ccode\u003emshta.exe\u003c/code\u003e with command-line arguments containing suspicious script-related keywords using the Sigma rules provided.\u003c/li\u003e\n\u003cli\u003eInvestigate instances of \u003ccode\u003emshta.exe\u003c/code\u003e executing from common download locations such as the \u003ccode\u003eDownloads\u003c/code\u003e folder, as highlighted in the rule logic.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted HTA files.\u003c/li\u003e\n\u003cli\u003eAudit and review parent-child process relationships involving \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e to identify anomalous behavior.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T15:00:00Z","date_published":"2024-01-03T15:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-script-execution-via-mshta/","summary":"Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries by using rundll32.exe or mshta.exe to execute scripts via HTML applications.","title":"Script Execution via Microsoft HTML Application","url":"https://feed.craftedsignal.io/briefs/2024-01-03-script-execution-via-mshta/"}],"language":"en","title":"CraftedSignal Threat Feed - HTML Application","version":"https://jsonfeed.org/version/1.1"}