diff --git a/rules/initial_access_suspicious_file_delivery_via_html_smuggling.yml b/rules/initial_access_suspicious_file_delivery_via_html_smuggling.yml
new file mode 100644
index 000000000..d8ab8a9f8
--- /dev/null
+++ b/rules/initial_access_suspicious_file_delivery_via_html_smuggling.yml
@@ -0,0 +1,47 @@
+name: Suspicious file delivery via HTML smuggling
+id: b93b5203-78da-4ffa-9b9d-4bd50b3eca1c
+version: 1.0.0
+description: |
+ Detects suspicious file delivery via HTML smuggling, a phishing technique
+ where malicious payloads are embedded inside HTML files and reconstructed
+ on the victim system using browser-side JavaScript.
+ Adversaries abuse spearphishing attachments for initial access while bypassing
+ traditional email and network-based security controls.
+labels:
+ tactic.id: TA0001
+ tactic.name: Initial Access
+ tactic.ref: https://attack.mitre.org/tactics/TA0001/
+ technique.id: T1566
+ technique.name: Phishing
+ technique.ref: https://attack.mitre.org/techniques/T1566/
+ subtechnique.id: T1566.001
+ subtechnique.name: Spearphishing Attachment
+ subtechnique.ref: https://attack.mitre.org/techniques/T1566/001/
+references:
+ - https://www.ired.team/offensive-security/defense-evasion/file-smuggling-with-html-and-javascript
+
+condition: >
+ sequence
+ maxspan 45s
+ by ps.name
+ |spawn_process and
+ ps.parent.name ~= 'explorer.exe' and ps.name iin web_browser_binaries and
+ (ps.args iin ('-url', '--single-element') or (ps.name ~= 'iexplore.exe' and length(ps.args) = 2)) and
+ ps.cmdline imatches
+ (
+ '*?:\\Users\\*\\Downloads\\*.htm*',
+ '*?:\\Users\\*\\AppData\\Local\\Temp\\*.htm*',
+ '*?:\\Users\\*\\Content.Outlook\\*.htm*'
+ )
+ |
+ |create_file and
+ file.extension iin ('.exe', '.iso', '.zip', '.rar', '.7z', '.img', '.vhd', '.js', '.bat',
+ '.com', '.vbs', '.vbe', '.ps1', '.wsh', '.hta', '.cpl', '.jse', '.scr') and
+ file.path imatches '?:\\Users\\*\\Downloads\\*'
+ |
+action:
+ - name: kill
+
+severity: high
+
+min-engine-version: 3.0.0
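Review bot: `'--single-element'` in the `ps.args iin (...)` test of the spawn_process stage looks like a typo for `--single-argument`, the switch the Chromium shell-open handler (chrome.exe, msedge.exe) passes when a file is opened from Explorer; as written, Chromium-based browsers never satisfy the first stage, so only Firefox (`-url`) and the two-argument iexplore.exe branch are covered, which undercuts the rule's stated intent. Suggested change to that line: `(ps.args iin ('-url', '--single-argument') or (ps.name ~= 'iexplore.exe' and length(ps.args) = 2)) and`. Separately, with `.zip`, `.7z` and `.iso` in the create_file extension list and `action: kill`, a user who opens a locally saved HTML page and then downloads an archive within 45s will have their browser terminated on a single heuristic match; consider alert-only until the false-positive rate is known, or document the trade-off in `description`. The join `by ps.name` also means the create_file event can come from any same-named browser process rather than the one that opened the HTML file; if that is deliberate (multi-process browsers), a short comment saying so would help the next maintainer.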