Suspicious HTML File Creation
Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
Elastic rule
[metadata]
creation_date = "2022/07/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle
data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
"""
from = "now-9m"
index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious HTML File Creation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Suspicious HTML File Creation

HTML files, typically used for web content, can be exploited by adversaries to smuggle malicious payloads past security filters. By embedding harmful data within seemingly benign HTML files, attackers can bypass traditional defenses. The detection rule identifies such threats by monitoring the creation of HTML files with unusual characteristics, such as high entropy or large size, in common download and temporary directories. It also tracks browser processes that open these files, ensuring that any suspicious activity is flagged for further investigation. This approach helps in identifying potential phishing attempts and other initial access tactics used by attackers.

### Possible investigation steps

- Review the file creation or rename event details to confirm the file extension is .htm or .html and check if the file's entropy is 5 or higher or if the file size is 150,000 bytes or more.
- Verify the file path to ensure it is located in one of the common download or temporary directories specified in the rule, such as "?:\\Users\\*\\Downloads\\*" or "?:\\Users\\*\\AppData\\Local\\Temp\\*".
- Examine the process start event to identify the browser process involved, ensuring it matches one of the specified browsers like chrome.exe or firefox.exe, and check if the process arguments align with the rule's conditions.
- Investigate the user.id associated with the sequence to determine if the activity aligns with the user's typical behavior or if it appears suspicious.
- Check for any recent phishing attempts or suspicious emails received by the user that could have led to the download and execution of the HTML file.
- Analyze the content of the HTML file for any embedded scripts or links that could indicate malicious intent or payload delivery.

### False positive analysis

- Legitimate large HTML files downloaded from trusted sources may trigger the rule. Users can create exceptions for specific trusted domains or file hashes to prevent these from being flagged.
- HTML files generated by certain applications or services, such as email clients or document converters, might have high entropy due to embedded data. Identify these applications and exclude their file creation paths from monitoring.
- Temporary HTML files created during software updates or installations in the AppData or Temp directories can be mistaken for suspicious activity. Monitor and whitelist known update processes to reduce false positives.
- Browser extensions or plugins that save web content locally might create HTML files with characteristics similar to those flagged by the rule. Review and whitelist extensions that are known to be safe and necessary for business operations.
- Automated scripts or tools that process web content and save it as HTML files could be misidentified. Ensure these scripts are documented and their file paths are excluded from the rule's scope.

### Response and remediation

- Isolate the affected system from the network to prevent further spread of the potential threat and to contain any malicious activity.
- Terminate any suspicious browser processes identified in the alert to stop the execution of potentially harmful HTML files.
- Quarantine the suspicious HTML files detected in the specified directories to prevent accidental execution or further access by users.
- Conduct a thorough scan of the affected system using updated antivirus and anti-malware tools to identify and remove any additional threats or malicious payloads.
- Review and analyze the system and network logs to identify any lateral movement or additional compromised systems, escalating findings to the security team for further investigation.
- Restore any affected files or systems from known good backups to ensure the integrity and availability of data and services.
- Implement additional monitoring and alerting for similar activities, focusing on high entropy and large HTML files in common download and temporary directories to enhance detection capabilities.

This rule may have a low to medium performance impact due to the variety of file paths potentially matching each EQL sequence."""
risk_score = 47
rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
type = "eql"

query = '''
sequence by user.id with maxspan=2m

  [file where host.os.type == "windows" and event.action in ("creation", "rename") and

    /* Check for HTML files with high entropy and size */
    file.extension : ("htm", "html") and ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000) and

    /* Check for file paths in common download and temporary directories */
    file.path : (
      "?:\\Users\\*\\Downloads\\*",
      "?:\\Users\\*\\Content.Outlook\\*",
      "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
      "?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
      "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*")]
  [process where host.os.type == "windows" and event.action == "start" and
    (
      /* Check for browser processes opening HTML files with single argument */
      (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe")
        and process.args == "--single-argument") or

      /* Optionally, check for browser processes opening HTML files with two arguments */
      (process.name == "iexplore.exe" and process.args_count == 2) or

      /* Optionally, check for browser processes opening HTML files with URL argument */
      (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url")
    )
    /* Check for file paths in common download and temporary directories targeted in the process arguments */
    and process.args : ("?:\\Users\\*\\Downloads\\*.htm*",
                        "?:\\Users\\*\\Content.Outlook\\*.htm*",
                        "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*",
                        "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*",
                        "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")]
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1566"
name = "Phishing"
reference = "https://attack.mitre.org/techniques/T1566/"
[[rule.threat.technique.subtechnique]]
id = "T1566.001"
name = "Spearphishing Attachment"
reference = "https://attack.mitre.org/techniques/T1566/001/"

[[rule.threat.technique.subtechnique]]
id = "T1566.002"
name = "Spearphishing Link"
reference = "https://attack.mitre.org/techniques/T1566/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1027"
name = "Obfuscated Files or Information"
reference = "https://attack.mitre.org/techniques/T1027/"
[[rule.threat.technique.subtechnique]]
id = "T1027.006"
name = "HTML Smuggling"
reference = "https://attack.mitre.org/techniques/T1027/006/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
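The EQL sequence in the rule pairs a qualifying file event with a browser start by the same user.id inside a two-minute window. The following is an added example, not part of the Elastic rule or the detection-rules repository: it re-implements both stages and the join in Python over constructed endpoint events so an analyst can see which events would and would not pair up, including the translation of the case-insensitive EQL `:` wildcard operator to a regex, the `--single-argument` / `-url` / `args_count == 2` browser conditions, and the `maxspan=2m` cutoff. It assumes events as dicts keyed by flattened ECS field names with `@timestamp` as a datetime, and simplifies sequence semantics to "the first qualifying process start after each qualifying file event".

```python
"""Offline evaluation of the rule's EQL sequence over constructed endpoint events.
Added example, not Elastic's code. Events are dicts keyed by flattened ECS field
names; the join is simplified to "first qualifying process start by the same
user.id within maxspan after each qualifying file event"."""
import re
from datetime import datetime, timedelta

# Wildcard path lists copied from the rule. EQL `:` is a case-insensitive match
# where `*` spans any run of characters and `?` exactly one character.
FILE_PATHS = [
    r"?:\Users\*\Downloads\*",
    r"?:\Users\*\Content.Outlook\*",
    r"?:\Users\*\AppData\Local\Temp\Temp?_*",
    r"?:\Users\*\AppData\Local\Temp\7z*",
    r"?:\Users\*\AppData\Local\Temp\Rar$*",
]
ARG_PATHS = [p + ".htm*" for p in FILE_PATHS]  # process stage narrows the same dirs to .htm*
CHROMIUM = {"chrome.exe", "msedge.exe", "brave.exe", "whale.exe",
            "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe"}
MAXSPAN = timedelta(minutes=2)


def eql_wildcard(pattern: str) -> re.Pattern:
    """Translate an EQL wildcard string into an anchored, case-insensitive regex."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(rf"^{regex}$", re.IGNORECASE)


def any_match(value: str, patterns) -> bool:
    return any(eql_wildcard(p).match(value) for p in patterns)


def file_stage(e: dict) -> bool:
    """Stage 1: a large or high-entropy .htm(l) file is created/renamed in a watched directory."""
    return (e["event.category"] == "file" and e["host.os.type"] == "windows"
            and e["event.action"] in ("creation", "rename")
            and e["file.extension"].lower() in ("htm", "html")
            and ((e["file.Ext.entropy"] >= 5 and e["file.size"] >= 150_000)
                 or e["file.size"] >= 1_000_000)
            and any_match(e["file.path"], FILE_PATHS))


def process_stage(e: dict) -> bool:
    """Stage 2: a browser starts with one of those files on its command line."""
    if (e["event.category"] != "process" or e["host.os.type"] != "windows"
            or e["event.action"] != "start"):
        return False
    name, args = e["process.name"], e["process.args"]
    browser_ok = ((name in CHROMIUM and "--single-argument" in args)
                  or (name == "iexplore.exe" and e["process.args_count"] == 2)
                  or (name in ("firefox.exe", "waterfox.exe") and "-url" in args))
    # `process.args : (...)` holds when any element of the args array matches a pattern
    return browser_ok and any(any_match(a, ARG_PATHS) for a in args)


def run_sequence(events):
    """Return (user.id, file.path, process.name) for every completed sequence."""
    events = sorted(events, key=lambda e: e["@timestamp"])
    hits = []
    for i, f in enumerate(events):
        if not file_stage(f):
            continue
        for p in events[i + 1:]:
            if p["@timestamp"] - f["@timestamp"] > MAXSPAN:
                break  # maxspan=2m exceeded; nothing later can complete this sequence
            if p["user.id"] == f["user.id"] and process_stage(p):
                hits.append((f["user.id"], f["file.path"], p["process.name"]))
                break
    return hits


def _file(ts, user, path, size, entropy):
    return {"@timestamp": ts, "event.category": "file", "event.action": "creation",
            "host.os.type": "windows", "user.id": user, "file.path": path,
            "file.extension": path.rsplit(".", 1)[-1], "file.size": size, "file.Ext.entropy": entropy}


def _proc(ts, user, name, args):
    return {"@timestamp": ts, "event.category": "process", "event.action": "start",
            "host.os.type": "windows", "user.id": user, "process.name": name,
            "process.args": args, "process.args_count": len(args)}


T0 = datetime(2025, 1, 15, 9, 0, 0)
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed sample telemetry (not captured data). Only the first pair should alert.
EVENTS = [
    _file(T0, "S-1-5-21-1", r"C:\Users\alice\Downloads\invoice.html", 420_000, 5.9),
    _proc(T0 + timedelta(seconds=25), "S-1-5-21-1", "chrome.exe",
          [CHROME, "--single-argument", r"C:\Users\alice\Downloads\invoice.html"]),
    # same pattern, but the browser starts five minutes later: outside maxspan
    _file(T0 + timedelta(minutes=10), "S-1-5-21-2", r"C:\Users\bob\Downloads\statement.htm", 300_000, 5.7),
    _proc(T0 + timedelta(minutes=15), "S-1-5-21-2", "firefox.exe",
          [FIREFOX, "-url", r"C:\Users\bob\Downloads\statement.htm"]),
    # ordinary low-entropy page under 1 MB: fails stage 1 even though Edge opens it
    _file(T0 + timedelta(minutes=20), "S-1-5-21-3", r"C:\Users\carol\Downloads\manual.html", 200_000, 4.1),
    _proc(T0 + timedelta(minutes=20, seconds=5), "S-1-5-21-3", "msedge.exe",
          [EDGE, "--single-argument", r"C:\Users\carol\Downloads\manual.html"]),
    # suspicious characteristics, but in a directory the rule does not watch
    _file(T0 + timedelta(minutes=30), "S-1-5-21-1", r"C:\Users\alice\Documents\report.html", 2_000_000, 6.0),
    _proc(T0 + timedelta(minutes=30, seconds=5), "S-1-5-21-1", "chrome.exe",
          [CHROME, "--single-argument", r"C:\Users\alice\Documents\report.html"]),
]

if __name__ == "__main__":
    for user, path, proc in run_sequence(EVENTS):
        print(f"ALERT user={user} file={path} opened_by={proc}")
```

Running it prints one alert, for alice's Downloads file opened by chrome.exe 25 seconds after creation; the three other pairs each fail exactly one condition of the rule (maxspan, entropy/size, watched path), which is a useful way to reason about the false-positive exclusions the guide lists before adding them in Kibana.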
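The first investigation step asks the analyst to confirm that the file's entropy is 5 or higher and its size 150,000 bytes or more. As an added example that is not Elastic's code, the script below computes byte-level Shannon entropy (assumption: Elastic Defend's own file.Ext.entropy implementation may sample or round differently), applies the rule's thresholds, and runs them over three constructed HTML samples: ordinary repetitive markup (large but low entropy, not flagged), the same markup carrying a large base64 string (entropy close to 6, flagged), and a very large plain page (flagged on size alone, the "legitimate large HTML file" false positive the guide mentions).

```python
"""Triage helper for the rule's file stage: byte-level Shannon entropy plus the
size/entropy thresholds from the query. Added example, not Elastic's code; the
entropy formula is the textbook one (assumption: Elastic Defend's file.Ext.entropy
may sample or round differently). All HTML samples below are constructed."""
import base64
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_stage_matches(extension: str, size: int, entropy: float) -> bool:
    """The rule's predicate: .htm/.html and ((entropy >= 5 and size >= 150 KB) or size >= 1 MB)."""
    if extension.lower() not in ("htm", "html"):
        return False
    return (entropy >= 5 and size >= 150_000) or size >= 1_000_000


def assess(name: str, data: bytes) -> dict:
    """Summarise one file the way an analyst would check it against the rule."""
    entropy = round(shannon_entropy(data), 3)
    return {"name": name, "size": len(data), "entropy": entropy,
            "flagged": file_stage_matches(name.rsplit(".", 1)[-1], len(data), entropy)}


# Constructed samples (not real files).
# 1) ~171 KB of repetitive markup: big enough for the size test, entropy well under 5.
PLAIN_PAGE = b"<html><body>" + b"<p>hello world</p>\n" * 9_000 + b"</body></html>"
# 2) the same wrapper around a 200 KB base64 string of seeded pseudo-random bytes;
#    base64 of random data sits just under 6 bits/byte, so the entropy test trips.
_rng = random.Random(1234)
_blob = base64.b64encode(_rng.getrandbits(8 * 150_000).to_bytes(150_000, "big"))
BLOB_PAGE = b"<html><body><script>var blob = '" + _blob + b"';</script></body></html>"
# 3) 1.1 MB of the repetitive markup: flagged on size alone regardless of entropy.
BIG_PLAIN_PAGE = b"<html><body>" + b"<p>hello world</p>\n" * 60_000 + b"</body></html>"

if __name__ == "__main__":
    for name, data in (("manual.html", PLAIN_PAGE), ("invoice.html", BLOB_PAGE), ("docs.html", BIG_PLAIN_PAGE)):
        print(assess(name, data))
```

Pointing `assess` at a quarantined file's bytes gives the same three numbers the alert carries, which is enough to decide between "tune the threshold or exclude this source" and "open the file in an isolated analysis environment".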
Related rules
- Command Execution via SolarWinds Process
- Execution from a Removable Media with Network Connection
- First Time Seen Removable Device
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Microsoft Exchange Server UM Writing Suspicious Files