
Summary
This detection rule targets the suspicious execution of 'mshta.exe' or of 'rundll32.exe' with the 'mshtml.dll' / 'RunHTMLApplication' export, specifically when no direct HTTP/HTTPS URL is present in the command-line arguments. This behavior signals obfuscated scripting techniques frequently employed by adversaries for initial access or for staging payloads: by hiding or disguising the URL through concatenation or encoding, attackers evade static detections that look for a literal URL in the command line. The analytic uses flow data from Cisco's Network Visibility Module to identify these behaviors, which are suggestive of malicious intent, and provides statistical insights and logging of the associated processes and their parameters.
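The matching logic described above, applied to constructed sample records, as an added illustration that is not the analytic's own search and not Cisco NVM output. It assumes each record is one network flow attributed to a process (assumed field names `process_name`, `process`, `dest`) and reads the 'mshtml.dll' / 'RunHTMLApplication' condition as applying to the rundll32.exe case.

```python
import re

# Constructed flow-plus-process records in the shape this analytic consumes
# (assumed field names; not real Cisco NVM telemetry). Each record is one
# network flow attributed to a process, with that process's command line.
SAMPLE_FLOWS = [
    {"process_name": "mshta.exe", "process": r"mshta.exe C:\Users\u\AppData\Local\Temp\a.hta", "dest": "203.0.113.10"},
    {"process_name": "mshta.exe", "process": "mshta.exe https://example.com/page.hta", "dest": "203.0.113.11"},
    {"process_name": "rundll32.exe", "process": "rundll32.exe mshtml.dll,RunHTMLApplication", "dest": "203.0.113.12"},
    {"process_name": "rundll32.exe", "process": "rundll32.exe shell32.dll,Control_RunDLL", "dest": "203.0.113.13"},
    {"process_name": "rundll32.exe", "process": "rundll32.exe url.dll,FileProtocolHandler HTTP://example.com", "dest": "203.0.113.14"},
    {"process_name": "notepad.exe", "process": "notepad.exe RunHTMLApplication.txt", "dest": "203.0.113.15"},
]

# A literal URL anywhere in the arguments (any case) excludes the record.
URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Markers showing rundll32 is being used as an HTA host.
HTA_ENGINE_MARKERS = ("mshtml.dll", "runhtmlapplication")


def matches_rule(record):
    """True when the flow's process meets the summary's conditions:
    mshta.exe, or rundll32.exe loading the HTA engine (mshtml.dll /
    RunHTMLApplication), with no direct http/https URL on the command line."""
    name = record.get("process_name", "").lower()
    cmd = record.get("process", "")
    lowered = cmd.lower()
    if name == "mshta.exe":
        hta_host = True
    elif name == "rundll32.exe":
        # rundll32 only counts when it is acting as an HTA host via mshtml.dll
        hta_host = any(marker in lowered for marker in HTA_ENGINE_MARKERS)
    else:
        hta_host = False
    if not hta_host:
        return False
    # The flow record proves network activity happened; the suspicious case
    # is when that activity has no visible URL in the process arguments.
    return URL_RE.search(cmd) is None


def find_suspicious(flows):
    """Return (command line, destination) pairs that match the rule."""
    return [(f["process"], f["dest"]) for f in flows if matches_rule(f)]


if __name__ == "__main__":
    for cmd, dest in find_suspicious(SAMPLE_FLOWS):
        print(f"ALERT dest={dest} process={cmd}")
```

Of the six constructed records only the local-.hta mshta launch and the rundll32 mshtml.dll,RunHTMLApplication launch are flagged; the records carrying a literal http(s) URL or a non-HTA host fall through, which is exactly the gap this analytic is meant to cover.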
Categories
- Endpoint
- Network
Data Sources
- Network Traffic
- Process
ATT&CK Techniques
- T1218
- T1218.005
- T1059.005
Created: 2025-07-03