false positives should be minimal as the presence of a network connection during such executions increases the likelihood of malicious behavior.

Techniques

Sample rules

Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI

source: splunk
technicques:
- T1218.005
- T1059.005

Description

This analytic detects suspicious use of ‘mshta.exe’ or ‘rundll32.exe’ invoking ‘mshtml.dll’ or the ‘RunHTMLApplication’ export without including a direct HTTP/HTTPS URL in the command line. This pattern could be associated with obfuscated script execution used by threat actors during initial access or payload staging. The absence of a visible URL may indicate attempts to evade static detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders like ‘GetObject()’.

Detection logic

`cisco_network_visibility_module_flowdata`
(
  (
    process_name = "mshta.exe"
    process_arguments IN ("*javascript*", "*vbscript*")
  )
  OR
  ( process_name = "rundll32.exe" AND 
    process_arguments = "*mshtml*" AND 
    process_arguments = "*RunHTMLApplication*"
  )
)
NOT process_arguments IN ("*http://*", "*https://*")

| stats count min(_time) as firstTime max(_time) as lastTime
        values(parent_process_arguments) as parent_process_arguments
        values(process_arguments) as process_arguments
        values(parent_process_hash) as parent_process_hash
        values(process_hash) as process_hash
        values(module_name_list) as module_name_list
        values(module_hash_list) as module_hash_list
        values(dest_port) as dest_port
        values(aliul) as additional_logged_in_users_list
        values(dest_hostname) as dest_hostname
        by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| table
  parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
  process_integrity_level process_path process_name process_arguments process_hash process_id
  additional_logged_in_users_list module_name_list module_hash_list
  src dest_hostname dest dest_port transport firstTime lastTime

| `cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter`