<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mshtml - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/mshtml/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 30 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/mshtml/feed.xml" rel="self" type="application/rss+xml"/><item><title>Suspicious MSHTML/MSHTA Network Execution Without Direct URL</title><link>https://feed.craftedsignal.io/briefs/2024-01-30-mshta-mshtml-network-execution/</link><pubDate>Tue, 30 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-30-mshta-mshtml-network-execution/</guid><description>This analytic detects the anomalous execution of mshta.exe or rundll32.exe invoking mshtml.dll without a direct HTTP/HTTPS URL in the command line, potentially indicating obfuscated script execution by threat actors for initial access or payload staging while evading static detections.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting suspicious usage of MSHTA (Microsoft HTML Application Host) and MSHTML (Microsoft HTML engine) for executing code over a network without explicitly providing a URL in the command line arguments. Attackers may leverage these Windows utilities to bypass application control policies and execute malicious scripts. The technique involves using <code>mshta.exe</code> or <code>rundll32.exe</code> to load <code>mshtml.dll</code> and execute HTML applications, often containing JavaScript or VBScript. The absence of a clear URL in the command-line suggests that the attacker is trying to hide the source of the payload by using string concatenation, encoding, or indirect script loaders. The detection method relies on identifying process executions that use these utilities with network activity and script execution patterns, but without specifying a direct URL in the arguments. This approach is relevant to defenders because it highlights potential initial access or payload staging attempts, which are critical phases of an attack. The observed behavior has been documented since at least 2017 and continues to be a relevant technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access, potentially through phishing or other means.</li>
<li>The attacker executes <code>mshta.exe</code> with arguments containing JavaScript or VBScript, but without a visible HTTP/HTTPS URL.</li>
<li>Alternatively, the attacker executes <code>rundll32.exe</code> to invoke <code>mshtml.dll</code> and the <code>RunHTMLApplication</code> export function, also without a direct URL.</li>
<li>The executed script uses <code>GetObject()</code> or similar techniques to fetch and execute code from a remote server, hiding the URL.</li>
<li>The script establishes a network connection to a remote server to download additional payloads or execute commands.</li>
<li>The downloaded payload may be a backdoor, downloader, or other malicious tool.</li>
<li>The attacker uses the downloaded payload to establish persistence or escalate privileges.</li>
<li>The attacker performs reconnaissance, lateral movement, and data exfiltration or deploys ransomware.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack using this technique can lead to initial access, payload staging, and subsequent compromise of the target system. This can result in data theft, system disruption, or ransomware deployment. While the specific number of victims and sectors targeted are unknown, this technique is widely applicable and poses a significant risk to organizations across all sectors.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable and monitor Cisco Network Visibility Module logs to capture process execution details and network connections (<code>cisco_network_visibility_module_flowdata</code> macro).</li>
<li>Deploy the Sigma rule &quot;Detect MSHTML/MSHTA Network Execution Without Direct URL&quot; to identify suspicious process executions.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the parent processes and network destinations.</li>
<li>Monitor endpoint process creation events for suspicious executions of <code>mshta.exe</code> and <code>rundll32.exe</code> with related script arguments (Sysmon or similar EDR).</li>
<li>Review and update application control policies to restrict the execution of <code>mshta.exe</code> and <code>rundll32.exe</code> where appropriate.</li>
<li>Consider implementing network segmentation to limit the impact of a successful compromise.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>mshta</category><category>mshtml</category><category>rundll32</category><category>lolbas</category><category>defense-evasion</category><category>initial-access</category><category>network-execution</category></item></channel></rss>