Attachment: Archive containing HTML file with file scheme link

Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. When a Windows user opens the HTML file, the file:// reference can trigger an outbound SMB connection that leaks the user's NTLM authentication hash to the remote host. This is a known technique of TA577.

Sublime rule

```yaml
name: "Attachment: Archive containing HTML file with file scheme link"
description: "Attached archive contains an HTML file with a file:// link, likely pointing to an SMB server. This technique can be used to steal NTLM hashes of users who open the HTML file. Known technique of TA577."
references:
  - "https://www.bleepingcomputer.com/news/security/hackers-steal-windows-ntlm-authentication-hashes-in-phishing-attacks/"
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(attachments,
          .file_extension in $file_extensions_common_archives
          and any(file.explode(.),
                  (
                    .file_extension in~ ("html", "htm", "shtml", "dhtml")
                    or .flavors.mime == "text/html"
                    or any(.flavors.yara, . == "html_file")
                  )
                  and any(.scan.url.urls, .scheme == "file")
          )
  )
  and (
    not profile.by_sender().solicited
    or (
      profile.by_sender().any_messages_malicious_or_spam
      and not profile.by_sender().any_false_positives
    )
  )

attack_types:
  - "Credential Phishing"
tactics_and_techniques:
  - "Evasion"
  - "Exploit"
  - "HTML smuggling"
  - "Social engineering"
detection_methods:
  - "Archive analysis"
  - "File analysis"
  - "HTML analysis"
id: "edf6d0d9-7d8e-5787-8467-7ca8b61a1b4c"
```
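The rule above expresses the detection in Sublime's MQL: explode each archive attachment, identify HTML members by extension, MIME type or YARA flavor, and flag any of them whose extracted URLs use the `file` scheme. The following is an added stand-alone Python example, not Sublime's code, that applies the same three-part check (archive walk, HTML identification, file-scheme URL extraction) to a zip archive using only the standard library. It assumes zip archives only, treats `href`, `src`, `action`, `data` and meta-refresh `content` attributes as URL carriers, and the sample archive it builds is constructed inline with a placeholder host name.

```python
import io
import zipfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Same extension list the rule uses for identifying HTML members.
HTML_EXTENSIONS = ("html", "htm", "shtml", "dhtml")
# Attributes that commonly carry a URL a renderer will fetch or follow.
# "content" covers <meta http-equiv="refresh" content="0;url=...">.
URL_ATTRIBUTES = {"href", "src", "action", "data", "content"}


class FileSchemeLinkParser(HTMLParser):
    """Collect every URL-bearing attribute value whose scheme is file."""

    def __init__(self):
        super().__init__()
        self.file_urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name.lower() not in URL_ATTRIBUTES:
                continue
            candidate = value.strip()
            if name.lower() == "content":
                # meta refresh payloads look like "0;url=file://host/path"
                candidate = candidate.split("url=", 1)[-1].strip()
            if urlsplit(candidate).scheme.lower() == "file":
                self.file_urls.append(candidate)


def find_file_scheme_urls(html_text):
    """Return the list of file:// URLs referenced by an HTML document."""
    parser = FileSchemeLinkParser()
    parser.feed(html_text)
    parser.close()
    return parser.file_urls


def looks_like_html(name, data):
    """Extension check plus a cheap content sniff, mirroring the rule's
    extension / MIME / YARA flavor alternatives."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    head = data[:512].lstrip().lower()
    return ext in HTML_EXTENSIONS or head.startswith(b"<!doctype html") or b"<html" in head


def scan_archive(archive_bytes):
    """Return {member_name: [file:// URLs]} for HTML members of a zip archive.
    A non-empty result is the condition the Sublime rule alerts on."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            if not looks_like_html(info.filename, data):
                continue
            urls = find_file_scheme_urls(data.decode("utf-8", errors="replace"))
            if urls:
                hits[info.filename] = urls
    return hits


def build_sample_archive():
    """Constructed sample (not a real lure): one page with a file:// link to a
    placeholder host, one benign page with only an https link."""
    lure = ('<html><body><a href="file://placeholder-smb-host.invalid/share/doc.html">'
            'Open document</a></body></html>')
    benign = '<html><body><a href="https://example.com/invoice">Invoice</a></body></html>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.html", lure)
        zf.writestr("readme.htm", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for member, urls in scan_archive(build_sample_archive()).items():
        print(f"{member}: file-scheme links {urls}")
```

Two details matter when reproducing the rule outside Sublime: scheme comparison must be case-insensitive (`FILE://` is still a file link), and the URL set should include meta-refresh and `src` attributes, not only anchors, because the rule keys on any URL the scanner extracts from the document.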