Merge PR SigmaHQ#4719 from @joshnck - Update Rules Related To RunHTML…

…Application Abuse

update: Mshtml.DLL RunHTMLApplication Suspicious Usage - Merge overlapping rules and enhance logic to account for new reported bypass
remove: Rundll32 JS RunHTMLApplication Pattern
remove: Suspicious Rundll32 Script in CommandLine 
---------

Co-authored-by: nasbench <[email protected]>

rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml → deprecated/windows/proc_creation_win_rundll32_js_runhtmlapplication.yml

@@ -1,11 +1,12 @@
 title: Rundll32 JS RunHTMLApplication Pattern
 id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
-status: test
+status: deprecated
 description: Detects suspicious command line patterns used when rundll32 is used to run JavaScript code
 references:
     - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
 author: Florian Roth (Nextron Systems)
-date: 2022/01/14
+date: 2024/02/23
 tags:
     - attack.defense_evasion
 logsource:
@@ -16,7 +17,8 @@ detection:
         CommandLine|contains|all:
             - 'rundll32'
             - 'javascript'
-            - '..\..\mshtml,RunHTMLApplication'
+            - '..\..\mshtml,'
+            - 'RunHTMLApplication'
     selection2:
         CommandLine|contains: ';document.write();GetObject("script'
     condition: 1 of selection*

rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml → deprecated/windows/proc_creation_win_rundll32_script_run.yml

@@ -1,13 +1,13 @@
 title: Suspicious Rundll32 Script in CommandLine
 id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
-status: test
+status: deprecated
 description: Detects suspicious process related to rundll32 based on arguments
 references:
     - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
     - https://github.com/redcanaryco/atomic-red-team/blob/cd3690b100a495885c407282d0c94c85f48a8a2e/atomics/T1218.011/T1218.011.md
 author: frack113, Zaw Min Htun (ZETA)
 date: 2021/12/04
-modified: 2023/02/03
+modified: 2024/02/23
 tags:
     - attack.defense_evasion
     - attack.t1218.011

rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml

@@ -1,16 +1,23 @@
-title: Mshtml DLL RunHTMLApplication Abuse
+title: Mshtml.DLL RunHTMLApplication Suspicious Usage
 id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
 related:
     - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
-      type: derived
+      type: obsoletes
+    - id: 73fcad2e-ff14-4c38-b11d-4172c8ac86c7
+      type: obsoletes
 status: test
-description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)
+description: |
+    Detects execution of commands that leverage the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, http...)
 references:
     - https://twitter.com/n1nj4sec/status/1421190238081277959
-author: Nasreddine Bencherchali (Nextron Systems)
+    - https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
+    - http://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
+author: Nasreddine Bencherchali (Nextron Systems),  Florian Roth (Nextron Systems), Josh Nickels, frack113, Zaw Min Htun (ZETA)
 date: 2022/08/14
+modified: 2024/02/23
 tags:
     - attack.defense_evasion
+    - attack.execution
 logsource:
     category: process_creation
     product: windows
@@ -19,6 +26,8 @@ detection:
         CommandLine|contains|all:
             - '\..\'
             - 'mshtml'
+        CommandLine|contains:
+            - '#135'
             - 'RunHTMLApplication'
     condition: selection
 falsepositives: