Suspicious HTML File Creation

  1[metadata]
  2creation_date = "2022/07/03"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle
 11data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suspicious HTML File Creation"
 18risk_score = 47
 19rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
 20setup = """## Setup
 21
 22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 23events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 24Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 25`event.ingested` to @timestamp.
 26For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 27"""
 28severity = "medium"
 29tags = [
 30    "Domain: Endpoint",
 31    "OS: Windows",
 32    "Use Case: Threat Detection",
 33    "Tactic: Initial Access",
 34    "Data Source: Elastic Defend",
 35]
 36type = "eql"
 37
 38query = '''
 39sequence by user.id with maxspan=5m
 40 [file where host.os.type == "windows" and event.action in ("creation", "rename") and
 41  file.extension : ("htm", "html") and
 42   file.path : ("?:\\Users\\*\\Downloads\\*",
 43                "?:\\Users\\*\\Content.Outlook\\*",
 44                "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
 45                "?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
 46                "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and
 47   ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]
 48 [process where host.os.type == "windows" and event.action == "start" and
 49  (
 50   (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe")
 51    and process.args == "--single-argument") or
 52   (process.name == "iexplore.exe" and process.args_count == 2) or
 53   (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url")
 54  )
 55  and process.args : ("?:\\Users\\*\\Downloads\\*.htm*",
 56                      "?:\\Users\\*\\Content.Outlook\\*.htm*",
 57                      "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*",
 58                      "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*",
 59                      "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")]
 60'''
 61
 62
 63[[rule.threat]]
 64framework = "MITRE ATT&CK"
 65[[rule.threat.technique]]
 66id = "T1566"
 67name = "Phishing"
 68reference = "https://attack.mitre.org/techniques/T1566/"
 69[[rule.threat.technique.subtechnique]]
 70id = "T1566.001"
 71name = "Spearphishing Attachment"
 72reference = "https://attack.mitre.org/techniques/T1566/001/"
 73
 74[[rule.threat.technique.subtechnique]]
 75id = "T1566.002"
 76name = "Spearphishing Link"
 77reference = "https://attack.mitre.org/techniques/T1566/002/"
 78
 79
 80
 81[rule.threat.tactic]
 82id = "TA0001"
 83name = "Initial Access"
 84reference = "https://attack.mitre.org/tactics/TA0001/"
 85[[rule.threat]]
 86framework = "MITRE ATT&CK"
 87[[rule.threat.technique]]
 88id = "T1027"
 89name = "Obfuscated Files or Information"
 90reference = "https://attack.mitre.org/techniques/T1027/"
 91[[rule.threat.technique.subtechnique]]
 92id = "T1027.006"
 93name = "HTML Smuggling"
 94reference = "https://attack.mitre.org/techniques/T1027/006/"
 95
 96
 97
 98[rule.threat.tactic]
 99id = "TA0005"
100name = "Defense Evasion"
101reference = "https://attack.mitre.org/tactics/TA0005/"