Attachment: HTML smuggling with atob and high entropy

Recursively scans files and archives to detect HTML smuggling techniques.

Sublime rule

 1name: "Attachment: HTML smuggling with atob and high entropy"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling techniques.
 4references:
 5  - "https://delivr.to/payloads?id=7dbf0d83-1557-4345-bf67-d18c4256b0c1"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15          )
16          and any(file.explode(.),
17                  .scan.entropy.entropy >= 5
18                  and (
19                    length(filter(.scan.javascript.identifiers,
20                                  strings.like(., "document", "write", "atob")
21                           )
22                    ) == 3
23                    // usage: document['write'](atob)
24                    or any(.scan.strings.strings, strings.ilike(., "*document*write*atob*"))
25                    // usage: some_var = atob();
26                    or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
27                    // usage: obfuscating "atob"
28                    or any(.scan.javascript.identifiers, strings.ilike(., '*ato\u0062*'))
29                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
30                    or any(.scan.strings.strings,
31                           strings.ilike(.,
32                                         "*document*write*atob*",
33                                         "*document*insertAdjacentHTML*atob*"
34                           )
35                    )
36                  )
37          )
38  )  
39attack_types:
40  - "Credential Phishing"
41  - "Malware/Ransomware"
42tactics_and_techniques:
43  - "HTML smuggling"
44  - "Scripting"
45detection_methods:
46  - "Archive analysis"
47  - "Content analysis"
48  - "File analysis"
49  - "HTML analysis"
50  - "Javascript analysis"
51  - "Sender analysis"
52  - "URL analysis"
53id: "03fcac11-ffc9-5a9c-9e1e-c866e683b48e"