Suspicious HTML File Creation

 1[metadata]
 2creation_date = "2022/07/03"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/04/08"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the execution of a browser process to open an HTML file with high entropy and size. Adversaries may smuggle
13data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "logs-endpoint.events.file-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious HTML File Creation"
20risk_score = 47
21rule_id = "f0493cb4-9b15-43a9-9359-68c23a7f2cf3"
22setup = """## Setup
23
24If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
25events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
26Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
27`event.ingested` to @timestamp.
28For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
29"""
30severity = "medium"
31tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
32type = "eql"
33
34query = '''
35sequence by user.id with maxspan=5m
36 [file where host.os.type == "windows" and event.action in ("creation", "rename") and
37  file.extension : ("htm", "html") and
38   file.path : ("?:\\Users\\*\\Downloads\\*",
39                "?:\\Users\\*\\Content.Outlook\\*",
40                "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*",
41                "?:\\Users\\*\\AppData\\Local\\Temp\\7z*",
42                "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*") and
43   ((file.Ext.entropy >= 5 and file.size >= 150000) or file.size >= 1000000)]
44 [process where host.os.type == "windows" and event.action == "start" and
45  (
46   (process.name in ("chrome.exe", "msedge.exe", "brave.exe", "whale.exe", "browser.exe", "dragon.exe", "vivaldi.exe", "opera.exe")
47    and process.args == "--single-argument") or
48   (process.name == "iexplore.exe" and process.args_count == 2) or
49   (process.name in ("firefox.exe", "waterfox.exe") and process.args == "-url")
50  )
51  and process.args : ("?:\\Users\\*\\Downloads\\*.htm*",
52                      "?:\\Users\\*\\Content.Outlook\\*.htm*",
53                      "?:\\Users\\*\\AppData\\Local\\Temp\\Temp?_*.htm*",
54                      "?:\\Users\\*\\AppData\\Local\\Temp\\7z*.htm*",
55                      "?:\\Users\\*\\AppData\\Local\\Temp\\Rar$*.htm*")]
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1566"
63name = "Phishing"
64reference = "https://attack.mitre.org/techniques/T1566/"
65[[rule.threat.technique.subtechnique]]
66id = "T1566.001"
67name = "Spearphishing Attachment"
68reference = "https://attack.mitre.org/techniques/T1566/001/"
69
70[[rule.threat.technique.subtechnique]]
71id = "T1566.002"
72name = "Spearphishing Link"
73reference = "https://attack.mitre.org/techniques/T1566/002/"
74
75
76
77[rule.threat.tactic]
78id = "TA0001"
79name = "Initial Access"
80reference = "https://attack.mitre.org/tactics/TA0001/"
81[[rule.threat]]
82framework = "MITRE ATT&CK"
83[[rule.threat.technique]]
84id = "T1027"
85name = "Obfuscated Files or Information"
86reference = "https://attack.mitre.org/techniques/T1027/"
87[[rule.threat.technique.subtechnique]]
88id = "T1027.006"
89name = "HTML Smuggling"
90reference = "https://attack.mitre.org/techniques/T1027/006/"
91
92
93
94[rule.threat.tactic]
95id = "TA0005"
96name = "Defense Evasion"
97reference = "https://attack.mitre.org/tactics/TA0005/"