From c6ebc2ac0ead4594e228ecabd242f6637a4b43de Mon Sep 17 00:00:00 2001
From: rabbitstack
Date: Tue, 3 Feb 2026 18:29:24 +0100
Subject: [PATCH] feat(rules): Add Suspicious MSHTA execution via HTML smuggling rule

Identifies suspicious execution of mshta process initiated by a web browser as part of an HTML smuggling attack chain. This behavior is strongly associated with multi-stage malware delivery and execution via phishing-driven HTML smuggling.
---
 ...ous_mshta_execution_via_html_smuggling.yml | 46 +++++++++++++++++++
 rules/macros/macros.yml | 2 +-
 2 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 rules/execution_suspicious_mshta_execution_via_html_smuggling.yml

diff --git a/rules/execution_suspicious_mshta_execution_via_html_smuggling.yml b/rules/execution_suspicious_mshta_execution_via_html_smuggling.yml
new file mode 100644
index 000000000..b15ccb6b5
--- /dev/null
+++ b/rules/execution_suspicious_mshta_execution_via_html_smuggling.yml
@@ -0,0 +1,46 @@
+name: Suspicious MSHTA execution via HTML smuggling
+id: 2d7c76e9-1e59-4413-9ff3-624b9d71e6d0
+version: 1.0.0
+description: |
+ Identifies suspicious execution of mshta process initiated by a web browser as
+ part of an HTML smuggling attack chain.
+ This behavior is strongly associated with multi-stage malware delivery and execution
+ via phishing-driven HTML smuggling.
+labels:
+ tactic.id: TA0002
+ tactic.name: Execution
+ tactic.ref: https://attack.mitre.org/tactics/TA0002/
+ technique.id: T1204
+ technique.name: User Execution
+ technique.ref: https://attack.mitre.org/techniques/T1204/
+ subtechnique.id: T1204.001
+ subtechnique.name: Malicious Link
+ subtechnique.ref: https://attack.mitre.org/techniques/T1204/001/
+references:
+ - https://www.securonix.com/blog/jssmuggler-multi-stage-hidden-iframes-obfuscated-javascript-silent-redirectors-netsupport-rat-delivery/
+
+condition: >
+ sequence
+ maxspan 2m
+ by ps.uuid
+ |spawn_process and
+ ps.name ~= 'mshta.exe' and ps.parent.name iin web_browser_binaries and
+ ps.cmdline imatches ('*http://*', '*https://*', '*\\webdav\\*', '*\\DavWWWRoot\\*', '\\\\*@*\\*')
+ |
+ |create_file and
+ file.path imatches
+ (
+ '?:\\Users\\*\\AppData\\Local\\*',
+ '?:\\Users\\*\\AppData\\Roaming\\*',
+ '?:\\Users\\*\\AppData\\Local\\Temp\\*',
+ '?:\\Windows\\Temp\\*',
+ '?:\\Users\\Public\\*'
+ )
+ |
+ |spawn_process and ps.name iin ('powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe', 'mshta.exe', 'regsvr32.exe')|
+action:
+ - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
diff --git a/rules/macros/macros.yml b/rules/macros/macros.yml
index f8169a236..f49d920a5 100644
--- a/rules/macros/macros.yml
+++ b/rules/macros/macros.yml
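Review bot: The `by ps.uuid` join key looks inconsistent across the three stages: in the first `spawn_process` stage `ps.name` is mshta.exe and `ps.parent.name` is the browser, so `ps.uuid` there is presumably mshta's own id, whereas in the final `spawn_process` stage `ps.name` is the newly spawned child, and whether its `ps.uuid` resolves to the creating mshta or to the child depends on the engine's field semantics for process-creation events; a replayed three-event chain confirming the sequence actually completes would settle it. The second-stage path list is partly redundant, since `'?:\\Users\\*\\AppData\\Local\\Temp\\*'` is already covered by `'?:\\Users\\*\\AppData\\Local\\*'`, and with no `file.name` or extension constraint any write by mshta under AppData satisfies the stage, so documenting the intended payload types would help later tuning. Because the rule completes on the third stage, the description should also state which process the `kill` action terminates (mshta or the spawned child).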
@@ -202,7 +202,7 @@
 - macro: web_browser_binaries
 list: [
 chrome.exe, firefox.exe, msedge.exe, iexplore.exe, opera.exe,
- brave.exe, microsoftedge.exe, chromium.exe, safari.exe
+ brave.exe, microsoftedge.exe, chromium.exe, safari.exe, vivaldi.exe
 ]
 - macro: web_browser_cred_stores