| ID | Technique | Tactic |
|---|---|---|
| T1218.005 | Mshta | Defense Evasion |
| T1059.005 | Visual Basic | Execution |
Detection: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
Description
This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll' or the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line. This pattern could be associated with obfuscated script execution used by threat actors during initial access or payload staging. The absence of a visible URL may indicate attempts to evade static detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders like 'GetObject()'.
Search
1`cisco_network_visibility_module_flowdata`
2(
3 (
4 process_name = "mshta.exe"
5 process_arguments IN ("*javascript*", "*vbscript*")
6 )
7 OR
8 ( process_name = "rundll32.exe" AND
9 process_arguments = "*mshtml*" AND
10 process_arguments = "*RunHTMLApplication*"
11 )
12)
13NOT process_arguments IN ("*http://*", "*https://*")
14
15| stats count min(_time) as firstTime max(_time) as lastTime
16 values(parent_process_arguments) as parent_process_arguments
17 values(process_arguments) as process_arguments
18 values(parent_process_hash) as parent_process_hash
19 values(process_hash) as process_hash
20 values(module_name_list) as module_name_list
21 values(module_hash_list) as module_hash_list
22 values(dest_port) as dest_port
23 values(aliul) as additional_logged_in_users_list
24 values(dest_hostname) as dest_hostname
25 by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
26
27| `security_content_ctime(firstTime)`
28
29| `security_content_ctime(lastTime)`
30
31| table
32 parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
33 process_integrity_level process_path process_name process_arguments process_hash process_id
34 additional_logged_in_users_list module_name_list module_hash_list
35 src dest_hostname dest dest_port transport firstTime lastTime
36
37| `cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data |  Network |
'cisco:nvm:flowdata' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_network_visibility_module_flowdata | sourcetype="cisco:nvm:flowdata" |
| cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter | search * |
cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
Installation
DE.AE
CIS 10
APT29
APT32
APT33
APT37
APT38
APT39
APT42
BRONZE BUTLER
Cobalt Group
Confucius
Earth Lusca
FIN13
FIN4
FIN7
Gamaredon Group
Gorgon Group
HEXANE
Higaisa
Inception
Kimsuky
Lazarus Group
LazyScripter
Leviathan
Machete
Magic Hound
Malteiro
Molerats
MuddyWater
Mustang Panda
OilRig
Patchwork
Rancor
RedCurl
Sandworm Team
SideCopy
Sidewinder
Silence
TA2541
TA459
TA505
TA551
Transparent Tribe
Turla
WIRTE
Windshift
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | True |
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.
Implementation
This search requires Network Visibility Module logs, which includes the flow data sourcetype.
This search uses an input macro named cisco_network_visibility_module_flowdata.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Network Visibility Module logs.
Replace the macro definition with configurations for your Splunk environment.
The search also uses a post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Endpoint Security Analytics (CESA) (https://splunkbase.splunk.com/app/4221).
Known False Positives
False positives should be minimal as the presence of a network connection during such executions increases the likelihood of malicious behavior.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
The host $src$ executed $process_name$ with potential obfuscated logic and initiated a network connection to $dest_hostname$ / $dest$ over $dest_port$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| src | system | 40 | process_name |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:nvm:flowdata |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1