Attachment: HTML smuggling with hex strings

Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.


 1name: "Attachment: HTML smuggling with hex strings"
 2description: |
 3    Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.
 4references:
 5  - "https://delivr.to/payloads?id=e86dc61b-6d12-49f2-a298-31a3ce1f0158"
 6  - "https://app.docguard.io/ad10f40d3b3c6b4961a1c849948e76f513702405a8588d69b6661dbef6253b48/results/dashboard"
 7authors:
 8  - twitter: "ajpc500"
 9type: "rule"
10severity: "medium"
11source: |
12  type.inbound
13  and any(attachments,
14          (
15            .file_extension in~ ("html", "htm", "shtml", "dhtml")
16            or .file_extension in~ $file_extensions_common_archives
17            or .file_type == "html"
18          )
19          and any(file.explode(.),
20                  any(.scan.strings.strings,
21                      // ["\x00\x00\x00\xAA..."]
22                      regex.icontains(., '(\\x([a-zA-Z0-9]{2})){100}')
23                  )
24          )
25  )  
26attack_types:
27  - "Credential Phishing"
28  - "Malware/Ransomware"
29tactics_and_techniques:
30  - "Evasion"
31  - "HTML smuggling"
32detection_methods:
33  - "Archive analysis"
34  - "Content analysis"
35  - "File analysis"
36  - "HTML analysis"
37  - "Javascript analysis"
38id: "b4208ed6-fdde-5165-a5ca-1fe469c64046"