Script Execution via Microsoft HTML Application
Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.
# Rule bookkeeping: dates, data-source integrations, and the minimum stack version.
[metadata]
creation_date = "2020/09/09"
# Integrations whose indices this rule reads (see `index` under [rule]).
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
# Explains the stack floor below.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/15"

# Detection logic and scheduling; `query` is the EQL that fires the rule.
[rule]
author = ["Elastic"]
description = """
Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe.
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed
binaries.
"""
# Lookback window evaluated on each run.
from = "now-9m"
# Process-event sources: Winlogbeat / Windows integration, Security and Sysmon
# event logs, SentinelOne Cloud Funnel, and Microsoft Defender for Endpoint.
index = [
 "winlogbeat-*",
 "logs-windows.*",
 "logs-system.security*",
 "logs-windows.sysmon_operational-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Script Execution via Microsoft HTML Application"
# 73 is the risk_score this rule set pairs with severity = "high".
risk_score = 73
rule_id = "181f6b23-3799-445e-9589-0018328a9e46"
severity = "high"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Defense Evasion",
 "Data Source: System",
 "Data Source: Sysmon",
 "Data Source: SentinelOne",
 "Data Source: Microsoft Defender for Endpoint"
]
# Window the lookback on ingest time rather than the event's own timestamp,
# so events that arrive late are still evaluated.
timestamp_override = "event.ingested"
type = "eql"

# Process-start events from rundll32.exe or mshta.exe matching any of four branches:
#  1. A command line carrying inline-script markers (eval, GetObject, WScript.Shell,
#     RegWrite, mshtml RunHTMLApplication / ordinal #135, ...), unless the parent is one
#     of three listed executables (Citrix wfshell, MSACCESS, GTInstaller). Those
#     exclusions match on parent path alone — treat them as false-positive tuning,
#     not as a trust boundary.
#  2. mshta.exe with two or more arguments whose command line names no .hta/.htm file
#     and is not a "-Embedding" launch.
#  3. mshta.exe opening an .hta from a user's Downloads folder.
#  4. mshta.exe given a path under user Temp directories named like archive-extractor
#     staging folders (7z*, Rar$*, Temp?_*, BNZ.*).
# The `/* */` comments inside the string are EQL comments and part of the literal.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.name : ("rundll32.exe", "mshta.exe") and
 (
 (process.command_line :
 (
 "*script*eval(*",
 "*script*GetObject*",
 "*.regread(*",
 "*WScript.Shell*",
 "*.run(*",
 "*).Exec()*",
 "*mshta*http*",
 "*mshtml*RunHTMLApplication*",
 "*mshtml*,#135*",
 "*StrReverse*",
 "*.RegWrite*",
 /* Issue #379 */
 "*window.close(*",
 "* Chr(*"
 )
 and not process.parent.executable :
 ("?:\\Program Files (x86)\\Citrix\\System32\\wfshell.exe",
 "?:\\Program Files (x86)\\Microsoft Office\\Office*\\MSACCESS.EXE",
 "?:\\Program Files\\Quokka.Works GTInstaller\\GTInstaller.exe")
 ) or

 (process.name : "mshta.exe" and
 not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and process.args_count >=2) or

 /* Execution of HTA file downloaded from the internet */
 (process.name : "mshta.exe" and process.command_line : "*\\Users\\*\\Downloads\\*.hta*") or

 /* Execution of HTA file from archive */
 (process.name : "mshta.exe" and
 process.args : ("?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*", "?:\\Users\\*\\Temp\\BNZ.*"))
 )
'''


# ATT&CK mapping: proxy execution through signed system binaries (mshta, rundll32)
# under the Defense Evasion tactic.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"



# Sub-table of the current [[rule.threat]] element; it must stay after that header.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"