Web Browser Creates Zip Archive File (Sysmon)

Detects browser applications creating archive/container files such as zip, rar, or 7z, as occurs during an HTML smuggling attack where a browser decodes and executes malicious code within an HTML file. Commonly associated with QakBot and IcedID.

Sigma rule

```yaml
title: Web Browser Creates Zip Archive File (Sysmon)
id: 2e88fc48-1d6c-425d-beb8-fa58047d41dd
status: experimental
description: Detects browser applications creating archive/container files such as zip, rar, or 7z, as occurs during an HTML smuggling attack where a browser decodes and executes malicious code within an HTML file. Commonly associated with QakBot and IcedID.
references:
    - https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/#:~:text=HTML%20smuggling%20is%20a%20technique,directly%20on%20the%20victim's%20device.
    - https://www.malwarebytes.com/blog/news/2021/11/evasive-maneuvers-html-smuggling-explained
author: Micah Babinski
date: 2022/12/15
tags:
    - attack.s0650
    - attack.s0483
    - attack.defense_evasion
    - attack.t1027
    - attack.t1027.006
logsource:
    category: create_stream_hash
    product: windows
detection:
    selection:
        Image|endswith:
            - '\chrome.exe'
            - '\brave.exe'
            - '\firefox.exe'
            - '\iexplore.exe'
            - '\msedge.exe'
            - '\MicrosoftEdgeCP.exe'
        Contents|contains: '[ZoneTransfer]  ZoneId=3'
        TargetFilename|contains:
            - '.zip'
            - '.rar'
            - '.7z'
    condition: selection
falsepositives:
    - Unknown
level: medium
```
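The selection above, applied to a handful of Sysmon Event ID 15 (FileCreateStreamHash) records, as an added example that is not part of the rule or its repository. The records are constructed, in the shape Sysmon uses for stream events (path followed by `:StreamName`, which is why the rule matches the filename with `contains` rather than `endswith`); `matches_rule_strict` is an added tightening that checks the real extension so a name like `report.zipped.docx` does not fire.

```python
# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 15, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice_2041.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]  ZoneId=3"},
    {"EventID": 15, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\quarterly_report.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]  ZoneId=3"},
    {"EventID": 15, "Image": r"C:\Windows\explorer.exe",  # not a browser image
     "TargetFilename": r"C:\Users\alice\Documents\backup.7z:Zone.Identifier",
     "Contents": "[ZoneTransfer]  ZoneId=3"},
    {"EventID": 15, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.rar:Zone.Identifier",
     "Contents": "[ZoneTransfer]  ZoneId=2"},  # Trusted sites zone, not Internet
    {"EventID": 15, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.zipped.docx:Zone.Identifier",
     "Contents": "[ZoneTransfer]  ZoneId=3"},  # contains '.zip' but is not an archive
]

BROWSERS = ("\\chrome.exe", "\\brave.exe", "\\firefox.exe", "\\iexplore.exe",
            "\\msedge.exe", "\\microsoftedgecp.exe")
ARCHIVE_MARKERS = (".zip", ".rar", ".7z")
MOTW_INTERNET = "[zonetransfer]  zoneid=3"  # ZoneId 3 = Internet zone (Mark-of-the-Web)


def matches_rule(event: dict) -> bool:
    """The rule's selection as written; Sigma string modifiers are case-insensitive."""
    if event.get("EventID") != 15:
        return False
    image = event.get("Image", "").lower()
    contents = event.get("Contents", "").lower()
    name = event.get("TargetFilename", "").lower()
    return (image.endswith(BROWSERS)
            and MOTW_INTERNET in contents
            and any(m in name for m in ARCHIVE_MARKERS))


def matches_rule_strict(event: dict) -> bool:
    """Added tightening: drop a trailing ':<stream>' and require the archive extension."""
    if not matches_rule(event):
        return False
    path = event["TargetFilename"].lower()
    head, sep, tail = path.rpartition(":")
    if sep and "\\" not in tail:  # a stream suffix, not the drive-letter colon
        path = head
    return path.endswith(ARCHIVE_MARKERS)


def find_alerts(events, strict=False):
    check = matches_rule_strict if strict else matches_rule
    return [e["TargetFilename"] for e in events if check(e)]
```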
