feat(rules): Add Suspicious MSHTA execution via HTML smuggling rule

rabbitstack · rabbitstack · commit 6b827f196f77 · 2026-03-03T19:48:11.000+01:00
Identifies suspicious execution of mshta process initiated by a web browser as part of an HTML smuggling attack chain.
This behavior is strongly associated with multi-stage malware delivery and execution via phishing-driven HTML smuggling.
diff --git a/rules/execution_suspicious_mshta_execution_via_html_smuggling.yml b/rules/execution_suspicious_mshta_execution_via_html_smuggling.yml
@@ -0,0 +1,46 @@
+name: Suspicious MSHTA execution via HTML smuggling
+id: 2d7c76e9-1e59-4413-9ff3-624b9d71e6d0
+version: 1.0.0
+description: |
+  Identifies suspicious execution of mshta process initiated by a web browser as
+  part of an HTML smuggling attack chain.
+  This behavior is strongly associated with multi-stage malware delivery and execution
+  via phishing-driven HTML smuggling.
+labels:
+  tactic.id: TA0002
+  tactic.name: Execution
+  tactic.ref: https://attack.mitre.org/tactics/TA0002/
+  technique.id: T1204
+  technique.name: User Execution
+  technique.ref: https://attack.mitre.org/techniques/T1204/
+  subtechnique.id: T1204.001
+  subtechnique.name: Malicious Link
+  subtechnique.ref: https://attack.mitre.org/techniques/T1204/001/
+references:
+  - https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
+
+condition: >
+  sequence
+  maxspan 2m
+  by ps.uuid
+    |spawn_process and
+     ps.name ~= 'mshta.exe' and ps.parent.name iin web_browser_binaries and
+     ps.cmdline imatches ('*http://*', '*https://*', '*\\webdav\\*', '*\\DavWWWRoot\\*', '\\\\*@*\\*')
+    |
+    |create_file and
+     file.path imatches
+               (
+                  '?:\\Users\\*\\AppData\\Local\\*',
+                  '?:\\Users\\*\\AppData\\Roaming\\*',
+                  '?:\\Users\\*\\AppData\\Local\\Temp\\*',
+                  '?:\\Windows\\Temp\\*',
+                  '?:\\Users\\Public\\*'
+               )
+    |
+    |spawn_process and ps.name iin ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe', 'mshta.exe', 'regsvr32.exe')|
+action:
+  - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
@@ -212,7 +212,7 @@
 - macro: web_browser_binaries
   list: [
     chrome.exe, firefox.exe, msedge.exe, iexplore.exe, opera.exe,
-    brave.exe, microsoftedge.exe, chromium.exe, safari.exe
+    brave.exe, microsoftedge.exe, chromium.exe, safari.exe, vivaldi.exe
     ]
 
 - macro: web_browser_cred_stores

Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,7 @@`
`212`	`212`	`- macro: web_browser_binaries`
`213`	`213`	`list: [`
`214`	`214`	`chrome.exe, firefox.exe, msedge.exe, iexplore.exe, opera.exe,`
`215`		`- brave.exe, microsoftedge.exe, chromium.exe, safari.exe`
	`215`	`+ brave.exe, microsoftedge.exe, chromium.exe, safari.exe, vivaldi.exe`
`216`	`216`	`]`
`217`	`217`
`218`	`218`	`- macro: web_browser_cred_stores`