Attachment: HTML smuggling with concatenation obfuscation
Recursively scans files and archives to detect HTML smuggling techniques.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with concatenation obfuscation"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques.
4references:
5type: "rule"
6severity: "high"
7authors:
8 - twitter: "vector_sec"
9source: |
10 type.inbound
11 and any(attachments,
12 (
13 .file_extension in~ ("html", "htm", "shtml", "dhtml")
14 or .file_extension in~ $file_extensions_common_archives
15 or .file_type == "html"
16 )
17 and any(file.explode(.),
18 any(.scan.strings.strings,
19 strings.ilike(., "*CJzYyIuY29uY2F0KCJyaXB0Iik*", '*"sc".concat("ript")*')
20 )
21 )
22 )
23attack_types:
24 - "Credential Phishing"
25 - "Malware/Ransomware"
26tactics_and_techniques:
27 - "Evasion"
28 - "HTML smuggling"
29 - "Scripting"
30detection_methods:
31 - "Archive analysis"
32 - "Content analysis"
33 - "File analysis"
34 - "HTML analysis"
35id: "108ab346-bc11-5f96-916c-678891332ae8"