Suspicious HTML File Creation
Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2022/07/03"
3integration = ["endpoint"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle
11data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
12"""
13from = "now-9m"
14index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
15language = "eql"
16license = "Elastic License v2"
17name = "Suspicious HTML File Creation"
18risk_score = 47
19rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
20setup = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
25`event.ingested` to @timestamp.
26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
27"""
28severity = "medium"
29tags = [
30 "Domain: Endpoint",
31 "OS: Windows",
32 "Use Case: Threat Detection",
33 "Tactic: Initial Access",
34 "Data Source: Elastic Defend",
35]
36type = "eql"
37
38query = '''
39sequence by user.id with maxspan=5m
40 [file where host.os.type == "windows" and event.action in ("creation", "rename") and
41 file.extension : ("htm", "html") and
42 file.path : ("?:\\Users\\*\\Downloads\\*",
43 "?:\\Users\\*\\Content.Outlook\\*",
44 "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
45 "?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
46 "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and
47 ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]
48 [process where host.os.type == "windows" and event.action == "start" and
49 (
50 (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe")
51 and process.args == "--single-argument") or
52 (process.name == "iexplore.exe" and process.args_count == 2) or
53 (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url")
54 )
55 and process.args : ("?:\\Users\\*\\Downloads\\*.htm*",
56 "?:\\Users\\*\\Content.Outlook\\*.htm*",
57 "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*",
58 "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*",
59 "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")]
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1566"
67name = "Phishing"
68reference = "https://attack.mitre.org/techniques/T1566/"
69[[rule.threat.technique.subtechnique]]
70id = "T1566.001"
71name = "Spearphishing Attachment"
72reference = "https://attack.mitre.org/techniques/T1566/001/"
73
74[[rule.threat.technique.subtechnique]]
75id = "T1566.002"
76name = "Spearphishing Link"
77reference = "https://attack.mitre.org/techniques/T1566/002/"
78
79
80
81[rule.threat.tactic]
82id = "TA0001"
83name = "Initial Access"
84reference = "https://attack.mitre.org/tactics/TA0001/"
85[[rule.threat]]
86framework = "MITRE ATT&CK"
87[[rule.threat.technique]]
88id = "T1027"
89name = "Obfuscated Files or Information"
90reference = "https://attack.mitre.org/techniques/T1027/"
91[[rule.threat.technique.subtechnique]]
92id = "T1027.006"
93name = "HTML Smuggling"
94reference = "https://attack.mitre.org/techniques/T1027/006/"
95
96
97
98[rule.threat.tactic]
99id = "TA0005"
100name = "Defense Evasion"
101reference = "https://attack.mitre.org/tactics/TA0005/"
Related rules
- Command Execution via SolarWinds Process
- Execution from a Removable Media with Network Connection
- First Time Seen Removable Device
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files