Attachment: HTML smuggling with atob and high entropy

Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.

Sublime rule (View on GitHub)

 1name: "Attachment: HTML smuggling with atob and high entropy"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
 4references:
 5  - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml", "eml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15            or .content_type == "message/rfc822"
16          )
17          and any(file.explode(.),
18                  .scan.entropy.entropy >= 5
19                  and (
20                    length(filter(.scan.javascript.identifiers,
21                                  strings.like(., "document", "write", "atob")
22                           )
23                    ) == 3
24                    // usage: document['write'](atob)
25                    or any(.scan.strings.strings, regex.icontains(., "document.{0,10}write.{0,10}atob"))
26                    // usage: some_var = atob();
27                    or any(.scan.strings.strings, regex.icontains(., "=.?atob.*;"))
28                    // usage: atob(atob
29                    or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
30                    // usage: eval(atob)
31                    or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
32                      // usage: atob(_0x)
33                    or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
34                    // usage: obfuscating "atob"
35                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
36                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
37                    or any(.scan.strings.strings,
38                           strings.ilike(.,
39                                         "*document*insertAdjacentHTML*atob*"
40                           )
41                    )
42                  )
43          )
44  )
45  // negate highly trusted sender domains unless they fail DMARC authentication
46  and (
47    (
48      sender.email.domain.root_domain in $high_trust_sender_root_domains
49      and not headers.auth_summary.dmarc.pass
50    )
51    or sender.email.domain.root_domain not in $high_trust_sender_root_domains
52  )  
53
54attack_types:
55  - "Credential Phishing"
56  - "Malware/Ransomware"
57tactics_and_techniques:
58  - "HTML smuggling"
59  - "Scripting"
60detection_methods:
61  - "Archive analysis"
62  - "Content analysis"
63  - "File analysis"
64  - "HTML analysis"
65  - "Javascript analysis"
66  - "Sender analysis"
67  - "URL analysis"
68id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"
to-top