| ID | Technique | Tactic |
|---|---|---|
| T1218.005 | Mshta | Defense Evasion |
Detection: Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
Description
This analytic detects suspicious use of rundll32.exe in combination with mshtml.dll and the export RunHTMLApplication.
This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging or
bypassing script execution policies and bypassing the usage of the "mshta.exe" binary.
The detection leverages Cisco Network Visibility Module telemetry which offers network flow activity
along with process information such as command-line arguments
If confirmed malicious, this activity may indicate initial access or payload download.
Search
1`cisco_network_visibility_module_flowdata`
2process_name = "rundll32.exe"
3process_arguments = "*mshtml*"
4process_arguments IN ("*135*", "*RunHTMLApplication*")
5
6| stats count min(_time) as firstTime max(_time) as lastTime
7 values(parent_process_arguments) as parent_process_arguments
8 values(process_arguments) as process_arguments
9 values(parent_process_hash) as parent_process_hash
10 values(process_hash) as process_hash
11 values(module_name_list) as module_name_list
12 values(module_hash_list) as module_hash_list
13 values(dest_port) as dest_port
14 values(aliul) as additional_logged_in_users_list
15 values(dest_hostname) as dest_hostname
16 by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
17
18| `security_content_ctime(firstTime)`
19
20| `security_content_ctime(lastTime)`
21
22| table
23 parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
24 process_integrity_level process_path process_name process_arguments process_hash process_id
25 additional_logged_in_users_list module_name_list module_hash_list
26 src dest_hostname dest dest_port transport firstTime lastTime
27
28| `cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download_filter | search * |
cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.AE
CIS 10
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
rundll32.exe using mshtml.dll is rare in legitimate environments. However, edge cases might exist. Tuning may be needed in environments with custom automation scripts.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
$process_path$ was executed on $src$ leveraging the mshtml.dll and the RunHTMLApplication export to download a potentially suspicious file from $dest_hostname$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 40 | process_name |
References
-
https://redcanary.com/blog/threat-detection/threat-research-questions/
-
http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1