Attachment: HTML smuggling with auto-downloaded file

HTML attachments containing files that are automatically downloaded with JavaScript.


 1name: "Attachment: HTML smuggling with auto-downloaded file"
 2description: |
 3    HTML attachments containing files that are automatically downloaded with Javascript.
 4references:
 5  - "https://delivr.to/payloads?id=40f2f908-b7ea-4dc8-9b72-4280c9005fdd"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension in~ ("html", "htm", "shtml", "dhtml")
13            or .file_extension in~ $file_extensions_common_archives
14            or .file_type == "html"
15          )
16          and any(file.explode(.),
17                  any(.scan.javascript.identifiers, strings.ilike(., 'click'))
18                  and any(.scan.javascript.identifiers,
19                          strings.ilike(., 'addEventListener')
20                  )
21                  and (
22                    length(filter(.scan.javascript.identifiers,
23                                  strings.like(., "document", "write", "atob")
24                           )
25                    ) == 3
26                    // usage: document['write'](atob)
27                    or any(.scan.strings.strings,
28                           strings.ilike(., "*document*write*atob*")
29                    )
30                    // usage: some_var = atob();
31                    or any(.scan.strings.strings, strings.ilike(., "*=*atob*;"))
32                    // usage: obfuscating "atob"
33                    or any(.scan.javascript.identifiers,
34                           strings.ilike(., '*ato\u0062*')
35                    )
36                    // usage: document.head.insertAdjacentHTML("beforeend", atob(...
37                    or any(.scan.strings.strings,
38                           strings.ilike(.,
39                                         "*document*write*atob*",
40                                         "*document*insertAdjacentHTML*atob*"
41                           )
42                    )
43                  )
44          )
45  )  
46attack_types:
47  - "Credential Phishing"
48  - "Malware/Ransomware"
49tactics_and_techniques:
50  - "HTML smuggling"
51  - "Scripting"
52detection_methods:
53  - "Archive analysis"
54  - "Content analysis"
55  - "File analysis"
56  - "HTML analysis"
57  - "Javascript analysis"
58  - "Sender analysis"
59  - "URL analysis"
60id: "abf724f5-d59e-546c-aec2-3f1bc0e2f14b"