Mshtml.DLL RunHTMLApplication Suspicious Usage

Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)

Sigma rule

title: Mshtml.DLL RunHTMLApplication Suspicious Usage
id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
related:
    - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
      type: obsoletes
    - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
      type: obsoletes
status: test
description: |
        Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
references:
    - https://twitter.com/n1nj4sec/status/1421190238081277959
    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
date: 2022/08/14
modified: 2024/02/23
tags:
    - attack.defense_evasion
    - attack.execution
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:
            - '\..\'
            - 'mshtml'
        CommandLine|contains:
            - '#135'
            - 'RunHTMLApplication'
    condition: selection
falsepositives:
    - Unlikely
level: high
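To make the selection logic concrete, here is an added Python example (not part of the Sigma project or this rule's own tooling) that evaluates the rule's two CommandLine conditions over a handful of constructed process_creation events. It reproduces Sigma's semantics for the list modifiers used above: `contains|all` requires every listed substring, plain `contains` on a list requires any one of them, and matching is case-insensitive. The sample events, their command lines and the `<constructed placeholder>` argument are all made up for the demonstration.

```python
# Sigma selection from the rule above, expressed as plain Python data.
# contains|all: every substring must be present in CommandLine.
# contains (list): at least one substring must be present.
# Sigma string matching is case-insensitive by default, so both sides are lower-cased.
SELECTION_CONTAINS_ALL = ['\\..\\', 'mshtml']
SELECTION_CONTAINS_ANY = ['#135', 'RunHTMLApplication']


def matches_rule(command_line: str) -> bool:
    """Return True when the command line satisfies the rule's 'selection' block."""
    cl = command_line.lower()
    all_ok = all(s.lower() in cl for s in SELECTION_CONTAINS_ALL)
    any_ok = any(s.lower() in cl for s in SELECTION_CONTAINS_ANY)
    # condition: selection  -> both sub-conditions of the selection must hold
    return all_ok and any_ok


# Constructed sample process_creation events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # Traversal component plus the export name: matches (contains|all and contains).
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \..\..\mshtml,RunHTMLApplication <constructed placeholder>"},
    # Same export referenced by ordinal, mixed case: still matches.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe \..\..\MSHTML.dll,#135 <constructed placeholder>"},
    # Export named but no '\..\' component: the contains|all clause fails, no match.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe mshtml.dll,RunHTMLApplication <constructed placeholder>"},
    # Ordinary rundll32 usage, unrelated to mshtml: no match.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def evaluate(events):
    """Return the CommandLine values of the events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_rule(e["CommandLine"])]


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print("ALERT (level: high):", hit)
```

The third sample event is the one worth noting when tuning: the rule deliberately requires the `\..\` traversal fragment alongside `mshtml`, so a plain reference to the export without that fragment is not flagged by this rule. A real Sigma backend (sigma-cli / pySigma) compiles the same selection into the target SIEM's query language rather than evaluating it in Python as done here.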
