Suspicious HTML File Creation

 1[metadata]
 2creation_date = "2022/07/03"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle
13data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious HTML File Creation"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24risk_score = 47
25rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
26severity = "medium"
27tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
28type = "eql"
29
30query = '''
31sequence by user.id with maxspan=5m
32 [file where host.os.type == "windows" and event.action in ("creation", "rename") and
33  file.extension : ("htm", "html") and
34   file.path : ("?:\\Users\\*\\Downloads\\*",
35                "?:\\Users\\*\\Content.Outlook\\*",
36                "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
37                "?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
38                "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and
39   ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]
40 [process where host.os.type == "windows" and event.action == "start" and
41  (
42   (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe")
43    and process.args == "--single-argument") or
44   (process.name == "iexplore.exe" and process.args_count == 2) or
45   (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url")
46  )
47  and process.args : ("?:\\Users\\*\\Downloads\\*.htm*",
48                      "?:\\Users\\*\\Content.Outlook\\*.htm*",
49                      "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*",
50                      "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*",
51                      "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")]
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57[[rule.threat.technique]]
58id = "T1566"
59name = "Phishing"
60reference = "https://attack.mitre.org/techniques/T1566/"
61[[rule.threat.technique.subtechnique]]
62id = "T1566.001"
63name = "Spearphishing Attachment"
64reference = "https://attack.mitre.org/techniques/T1566/001/"
65
66[[rule.threat.technique.subtechnique]]
67id = "T1566.002"
68name = "Spearphishing Link"
69reference = "https://attack.mitre.org/techniques/T1566/002/"
70
71
72
73[rule.threat.tactic]
74id = "TA0001"
75name = "Initial Access"
76reference = "https://attack.mitre.org/tactics/TA0001/"
77[[rule.threat]]
78framework = "MITRE ATT&CK"
79[[rule.threat.technique]]
80id = "T1027"
81name = "Obfuscated Files or Information"
82reference = "https://attack.mitre.org/techniques/T1027/"
83[[rule.threat.technique.subtechnique]]
84id = "T1027.006"
85name = "HTML Smuggling"
86reference = "https://attack.mitre.org/techniques/T1027/006/"
87
88
89
90[rule.threat.tactic]
91id = "TA0005"
92name = "Defense Evasion"
93reference = "https://attack.mitre.org/tactics/TA0005/"