{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mshtml/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Windows"],"_cs_severities":["high"],"_cs_tags":["mshta","mshtml","rundll32","lolbas","defense-evasion","initial-access","network-execution"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting suspicious usage of MSHTA (Microsoft HTML Application Host) and MSHTML (Microsoft HTML engine) for executing code over a network without explicitly providing a URL in the command line arguments. Attackers may leverage these Windows utilities to bypass application control policies and execute malicious scripts. The technique involves using \u003ccode\u003emshta.exe\u003c/code\u003e or \u003ccode\u003erundll32.exe\u003c/code\u003e to load \u003ccode\u003emshtml.dll\u003c/code\u003e and execute HTML applications, often containing JavaScript or VBScript. The absence of a clear URL in the command-line suggests that the attacker is trying to hide the source of the payload by using string concatenation, encoding, or indirect script loaders. The detection method relies on identifying process executions that use these utilities with network activity and script execution patterns, but without specifying a direct URL in the arguments. This approach is relevant to defenders because it highlights potential initial access or payload staging attempts, which are critical phases of an attack. The observed behavior has been documented since at least 2017 and continues to be a relevant technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access, potentially through phishing or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003emshta.exe\u003c/code\u003e with arguments containing JavaScript or VBScript, but without a visible HTTP/HTTPS URL.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker executes \u003ccode\u003erundll32.exe\u003c/code\u003e to invoke \u003ccode\u003emshtml.dll\u003c/code\u003e and the \u003ccode\u003eRunHTMLApplication\u003c/code\u003e export function, also without a direct URL.\u003c/li\u003e\n\u003cli\u003eThe executed script uses \u003ccode\u003eGetObject()\u003c/code\u003e or similar techniques to fetch and execute code from a remote server, hiding the URL.\u003c/li\u003e\n\u003cli\u003eThe script establishes a network connection to a remote server to download additional payloads or execute commands.\u003c/li\u003e\n\u003cli\u003eThe downloaded payload may be a backdoor, downloader, or other malicious tool.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the downloaded payload to establish persistence or escalate privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, lateral movement, and data exfiltration or deploys ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack using this technique can lead to initial access, payload staging, and subsequent compromise of the target system. This can result in data theft, system disruption, or ransomware deployment. While the specific number of victims and sectors targeted are unknown, this technique is widely applicable and poses a significant risk to organizations across all sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor Cisco Network Visibility Module logs to capture process execution details and network connections (\u003ccode\u003ecisco_network_visibility_module_flowdata\u003c/code\u003e macro).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect MSHTML/MSHTA Network Execution Without Direct URL\u0026quot; to identify suspicious process executions.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the parent processes and network destinations.\u003c/li\u003e\n\u003cli\u003eMonitor endpoint process creation events for suspicious executions of \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e with related script arguments (Sysmon or similar EDR).\u003c/li\u003e\n\u003cli\u003eReview and update application control policies to restrict the execution of \u003ccode\u003emshta.exe\u003c/code\u003e and \u003ccode\u003erundll32.exe\u003c/code\u003e where appropriate.\u003c/li\u003e\n\u003cli\u003eConsider implementing network segmentation to limit the impact of a successful compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-30T12:00:00Z","date_published":"2024-01-30T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-30-mshta-mshtml-network-execution/","summary":"This analytic detects the anomalous execution of mshta.exe or rundll32.exe invoking mshtml.dll without a direct HTTP/HTTPS URL in the command line, potentially indicating obfuscated script execution by threat actors for initial access or payload staging while evading static detections.","title":"Suspicious MSHTML/MSHTA Network Execution Without Direct URL","url":"https://feed.craftedsignal.io/briefs/2024-01-30-mshta-mshtml-network-execution/"}],"language":"en","title":"CraftedSignal Threat Feed - Mshtml","version":"https://jsonfeed.org/version/1.1"}