Mshtml.DLL RunHTMLApplication Suspicious Usage
Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
Sigma rule
title: Mshtml.DLL RunHTMLApplication Suspicious Usage
id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
related:
    - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
      type: obsoletes
    - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
      type: obsoletes
status: test
description: |
    Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
references:
    - https://twitter.com/n1nj4sec/status/1421190238081277959
    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
date: 2022/08/14
modified: 2024/02/23
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\..\'
            - 'mshtml'
        CommandLine|contains:
            - '#135'
            - 'RunHTMLApplication'
    condition: selection
falsepositives:
    - Unlikely
level: high
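The selection above combines an AND list (both '\..\' and 'mshtml' must be present in CommandLine) with an OR list (either the ordinal '#135' or the export name 'RunHTMLApplication'). The following evaluator is an added example and is not code from the Sigma project or the rule authors; it reproduces that logic in plain Python and runs it over constructed process_creation events (the event dictionaries, their field names beyond CommandLine, and the sample command lines are assumptions for illustration, not real telemetry), so that a detection engineer can see which variants fire and which do not.

```python
"""Minimal evaluator for the selection logic of the Sigma rule above.

Added example, not part of the rule or the Sigma project. Event shape and
sample command lines are constructed for illustration only.
"""
from typing import Iterable

# Mirrors `CommandLine|contains|all`: every string must appear.
CONTAINS_ALL = ("\\..\\", "mshtml")
# Mirrors `CommandLine|contains`: at least one string must appear.
# (The ordinal #135 refers to the same export as RunHTMLApplication.)
CONTAINS_ANY = ("#135", "RunHTMLApplication")


def matches(command_line: str) -> bool:
    """Return True when the command line satisfies the rule's selection.

    Sigma string matching is case-insensitive by default, so both sides
    are lower-cased before the substring checks.
    """
    cl = command_line.lower()
    if not all(needle.lower() in cl for needle in CONTAINS_ALL):
        return False
    return any(needle.lower() in cl for needle in CONTAINS_ANY)


def evaluate(events: Iterable[dict]) -> list:
    """Return the subset of process_creation events that the rule would flag."""
    return [event for event in events if matches(event.get("CommandLine", ""))]


# Constructed sample events (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    # Path traversal to mshtml plus the export name: alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe javascript:"\..\mshtml,RunHTMLApplication "'},
    # Same export invoked by ordinal: alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe vbscript:"\..\mshtml,#135 "'},
    # mshtml loaded by its normal path, no '\..\' traversal: no alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\mshtml.dll,PrintHTML"},
    # Traversal and mshtml present but neither #135 nor RunHTMLApplication: no alert
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\tmp\..\mshtml.dll",PrintHTML'},
    # Traversal without mshtml: no alert
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c type ..\..\notes.txt"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT:", hit["CommandLine"])
```

Running the module prints the two flagged command lines. The two negative cases with 'mshtml' but no match show why the rule keys on the '\..\' traversal and the export reference together rather than on the library name alone, which keeps ordinary mshtml.dll invocations out of the alert stream.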
Related rules
- Weak or Abused Passwords In CLI
- Custom Cobalt Strike Command Execution
- Network Connection Initiated By Regsvr32.EXE
- Network Connection Initiated Via Notepad.EXE
- Potential Compromised 3CXDesktopApp Execution