Attachment: HTML smuggling with hex strings
Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.
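name: "Attachment: HTML smuggling with hex strings"
description: |
  Recursively scans files and archives to detect HTML smuggling using hex-encoded string content.
references:
  - "https://delivr.to/payloads?id=e86dc61b-6d12-49f2-a298-31a3ce1f0158"
  - "https://app.docguard.io/ad10f40d3b3c6b4961a1c849948e76f513702405a8588d69b6661dbef6253b48/results/dashboard"
authors:
  - twitter: "ajpc500"
type: "rule"
severity: "medium"
# Scope note: this rule keys on one specific obfuscation, a long run of
# JavaScript-style "\xNN" escapes inside a string extracted from an HTML
# attachment (or from a file inside a common archive). It is not a general
# HTML-smuggling detector: payloads carried as base64, "%XX", "\uXXXX" or
# built via String.fromCharCode() are out of scope, and because the regex
# requires 100 consecutive escapes in a single extracted string, a payload
# split across concatenated literals or interleaved with whitespace will
# not produce a match.
source: |
  type.inbound
  // Only explode attachments that are HTML by extension or detected type,
  // or a common archive that may wrap an HTML file.
  and any(attachments,
          (
            .file_extension in~ ("html", "htm", "shtml", "dhtml")
            or .file_extension in~ $file_extensions_common_archives
            or .file_type == "html"
          )
          and any(file.explode(.),
                  any(.scan.strings.strings,
                      // ["\x00\x00\x00\xAA..."] -- 100+ consecutive \xNN escapes.
                      // The class is hex digits only; icontains makes it
                      // case-insensitive, so \xAA and \xaa both match, while
                      // non-hex sequences such as \xzz (which cannot decode to
                      // a byte and were matched by the previous [a-zA-Z0-9]
                      // class) no longer count toward the run.
                      regex.icontains(., '(\\x([0-9a-f]{2})){100}')
                  )
          )
      )
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "HTML smuggling"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
  - "HTML analysis"
  - "Javascript analysis"
id: "b4208ed6-fdde-5165-a5ca-1fe469c64046"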