Attachment: HTML smuggling with atob and high entropy
Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with atob and high entropy"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques using Javascript atob functions.
4references:
5 - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 (
12 .file_extension in~ ("html", "htm", "shtml", "dhtml", "eml")
13 or .file_extension in~ $file_extensions_common_archives
14 or .file_type == "html"
15 or .content_type == "message/rfc822"
16 )
17 and any(file.explode(.),
18 .scan.entropy.entropy >= 5
19 and (
20 length(filter(.scan.javascript.identifiers,
21 strings.like(., "document", "write", "atob")
22 )
23 ) == 3
24 // usage: document['write'](atob)
25 or any(.scan.strings.strings, regex.icontains(., "document.{0,10}write.{0,10}atob"))
26 // usage: some_var = atob();
27 or any(.scan.strings.strings, regex.icontains(., "=.?atob.*;"))
28 // usage: atob(atob
29 or any(.scan.strings.strings, strings.ilike(., "*atob?atob*"))
30 // usage: eval(atob)
31 or any(.scan.strings.strings, strings.ilike(., "*eval?atob*"))
32 // usage: atob(_0x)
33 or any(.scan.strings.strings, strings.ilike(., "*atob(?0x*"))
34 // usage: obfuscating "atob"
35 or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
36 // usage: document.head.insertAdjacentHTML("beforeend", atob(...
37 or any(.scan.strings.strings,
38 strings.ilike(.,
39 "*document*insertAdjacentHTML*atob*"
40 )
41 )
42 )
43 )
44 )
45 // negate highly trusted sender domains unless they fail DMARC authentication
46 and (
47 (
48 sender.email.domain.root_domain in $high_trust_sender_root_domains
49 and (
50 any(distinct(headers.hops, .authentication_results.dmarc is not null),
51 strings.ilike(.authentication_results.dmarc, "*fail")
52 )
53 )
54 )
55 or sender.email.domain.root_domain not in $high_trust_sender_root_domains
56 )
57
58attack_types:
59 - "Credential Phishing"
60 - "Malware/Ransomware"
61tactics_and_techniques:
62 - "HTML smuggling"
63 - "Scripting"
64detection_methods:
65 - "Archive analysis"
66 - "Content analysis"
67 - "File analysis"
68 - "HTML analysis"
69 - "Javascript analysis"
70 - "Sender analysis"
71 - "URL analysis"
72id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"