Attachment: HTML smuggling with high entropy and other signals
Recursively scans files and archives to detect HTML smuggling techniques.
Sublime rule (View on GitHub)
1name: "Attachment: HTML smuggling with high entropy and other signals"
2description: |
3 Recursively scans files and archives to detect HTML smuggling techniques.
4references:
5 - "https://www.microsoft.com/security/blog/2021/11/11/html-smuggling-surges-highly-evasive-loader-technique-increasingly-used-in-banking-malware-targeted-attacks/"
6type: "rule"
7severity: "high"
8source: |
9 type.inbound
10 and any(attachments,
11 (
12 .file_extension in~ ("html", "htm", "shtml", "dhtml")
13 or .file_extension in~ $file_extensions_common_archives
14 or .file_type == "html"
15 )
16 and any(file.explode(.),
17 .scan.entropy.entropy >= 5
18 and any(.scan.strings.strings,
19 regex.icontains(., "fromCharCode")
20 and regex.icontains(., "parseInt")
21 and regex.icontains(., "charCodeAt")
22 and regex.icontains(., '(\\x0.*?){50}')
23 )
24 )
25 )
26attack_types:
27 - "Malware/Ransomware"
28tactics_and_techniques:
29 - "Evasion"
30 - "HTML smuggling"
31 - "Scripting"
32detection_methods:
33 - "Archive analysis"
34 - "Content analysis"
35 - "File analysis"
36 - "HTML analysis"
37id: "be157288-1955-5ad1-bd6e-4e862248274b"