seb1k/block-mshta-with-intune
Block outbound connections for mshta.exe using Intune Firewall Rules

Topics: Windows, Intune, Security, MITRE, LOLBAS


This configuration implements the Microsoft Secure Score recommendation:

Block outbound network connections from Microsoft HTML Application Host (mshta.exe)

Why block mshta.exe?

mshta.exe (Microsoft HTML Application Host) is a signed Windows binary listed in the LOLBAS project and tracked by MITRE ATT&CK as T1218.005 (System Binary Proxy Execution: Mshta). Attackers abuse it to run HTA payloads (VBScript/JScript wrapped in HTML) and, in particular, to pull a second stage straight from a URL passed on the command line, so that the download is performed by a trusted, signed process.

Blocking outbound connections from mshta.exe cuts off that remote-staging path and raises the Microsoft Secure Score for the tenant. Note what the rule does not do: it does not stop a local HTA file from executing, and because the rule is path-based it does not apply to a copy of mshta.exe placed elsewhere. Treat it as one layer alongside Attack Surface Reduction rules and application control (AppLocker or WDAC), not as a complete mitigation.

Go to Intune > Endpoint security | Firewall

https://intune.microsoft.com/?ref=AdminCenter#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/firewall

  • Create Policy
  • Platform : Windows
  • Profile : Windows Firewall Rules

Basics

  • Name : Block mshta.exe
  • Description : Block outbound network connections from Microsoft HTML Application Host (mshta.exe)

Configuration Settings

  • Add 2 firewall rules:
    • Block C:\Windows\SysWOW64\mshta.exe
    • Block C:\Windows\System32\mshta.exe
  • Set the direction to Outbound and the action to Block for both rules.
  • Both paths are required: the 64-bit binary lives in System32 and the 32-bit one in SysWOW64. A rule covering only one of them leaves the other free to connect.

Rule 1 (click Edit instance):

  • Enabled : Enabled
  • Interface types : All
  • Direction : Outbound
  • Action : Block
  • File Path : click Configure and enter C:\Windows\SysWOW64\mshta.exe

Rule 2 (click Edit instance):

  • Enabled : Enabled
  • Interface types : All
  • Direction : Outbound
  • Action : Block
  • File Path : click Configure and enter C:\Windows\System32\mshta.exe

Scope Tags

None (leave the default).

Assignments

  • All devices

Review + create


Validation

After the device has synced the policy, confirm that the rules are present in the active (effective) policy store:

Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object {$_.DisplayName -like "*mshta*"}
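The one-liner only proves that rules with "mshta" in the name exist. The following script is an added example, not part of this repository, that also checks that each rule is enabled, outbound and set to Block, and that the two rules between them are bound to both mshta.exe paths. It reuses the `*mshta*` display-name match from this guide; the use of `$env:SystemRoot` in place of the literal C:\Windows, and the expansion of environment variables in the stored program path, are assumptions about how the rule is persisted on the device.

```powershell
# Added example (not from the repository): verifies that both Intune-delivered
# mshta.exe outbound block rules are live in the ActiveStore and bound to the
# expected binaries. Run in an elevated PowerShell session after a policy sync.

# Assumption: the binaries live under $env:SystemRoot (normally C:\Windows).
$expectedPaths = @(
    "$env:SystemRoot\System32\mshta.exe",
    "$env:SystemRoot\SysWOW64\mshta.exe"
)

# Only enabled rules that block outbound traffic count as protection.
$mshtaRules = Get-NetFirewallRule -PolicyStore ActiveStore |
    Where-Object {
        $_.DisplayName -like '*mshta*' -and
        $_.Direction -eq 'Outbound' -and
        $_.Action -eq 'Block' -and
        $_.Enabled -eq 'True'
    }

# Resolve the program path each rule filters on. The path may be stored with
# environment variables (%SystemRoot%), so expand it before comparing.
$coveredPaths = foreach ($rule in $mshtaRules) {
    $filter = $rule | Get-NetFirewallApplicationFilter
    [Environment]::ExpandEnvironmentVariables($filter.Program)
}

$results = foreach ($path in $expectedPaths) {
    [pscustomobject]@{
        Path    = $path
        Blocked = ($coveredPaths -icontains $path)
    }
}
$results | Format-Table -AutoSize

# Show where each rule came from; a rule pushed by Intune reports an MDM source.
$mshtaRules |
    Select-Object DisplayName, Enabled, Direction, Action, PolicyStoreSourceType |
    Format-Table -AutoSize

if ($results.Blocked -contains $false) {
    Write-Warning 'At least one mshta.exe path is not covered by an active outbound block rule. Check the policy assignment and the device sync state.'
} else {
    Write-Host 'Both mshta.exe binaries are covered by an active outbound block rule.'
}
```

For an end-to-end check of the block itself, enable the "Audit Filtering Platform Connection" subcategory; a blocked connection attempt then appears in the Security log as Event ID 5157, whose Application Name field identifies the process that was denied. That record, rather than the presence of the rule, is what shows the policy is taking effect.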
