Attachment: HTML With Suspicious Comments

Detects HTML files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within HTML comments.

Sublime rule (View on GitHub)

# Sublime Security detection rule. Flags small inbound HTML attachments whose
# text is padded with repeated "literary quote" or proverb-style comments; the
# tags below classify this under HTML smuggling / evasion.
name: "Attachment: HTML With Suspicious Comments"
description: "Detects HTML files under 100KB that contain duplicate or padding text in the form of literary quotes or common sayings within HTML comments."
type: "rule"
severity: "high"
# The query (MQL). It is a single boolean expression: inbound AND any attachment
# passes (is-small-HTML) AND (duplicate-quote-comments OR sayings-comments).
source: |
  // only inbound messages are in scope
  type.inbound
  // fire if ANY attachment satisfies both the "small HTML file" test and one of
  // the two padding-comment tests below
  and any(attachments,
          (
            (
              // HTML identified by any one of three independent signals
              .file_type == "html"
              or .file_extension in ("html", "xhtml", "mhtml")
              or .content_type == "text/html"
            )
            // size bound in bytes; this is the "100KB" from the description
            and .size < 100000
          )
          and (
            (
              // targeting comments that pad the file with quotes from literature
              // examples: "// Echoes of the past linger in silence.", "// The wind whispered secrets unknown.", "// Shadows tell stories in the dark."
              // NOTE(review): this pattern matches "// ..." line comments (script-style),
              // not "<!-- ... -->" HTML comments, although the description says "HTML comments";
              // both branches run over the parsed text of the attachment (file.parse_text)

              // count all HTML code comments that match our pattern
              regex.count(file.parse_text(.).text, '// [A-Z][ a-z ]+\.') / 
              // divide by the count of all UNIQUE HTML code comments that match our pattern
              length(distinct(regex.extract(file.parse_text(.).text,
                                            '// [A-Z][ a-z ]+\.'
                              ),
                              .full_match
                     )
              ) 
              // at least 50% of the comments are duplicates
              // (total / unique >= 2 is the same as unique <= total / 2)
              // NOTE(review): when nothing matches, both operands are 0 (0 / 0); confirm how
              // MQL evaluates that here rather than assuming the branch is simply false
              >= 2
            )
            or (
              // targeting comments that pad the file with sayings
              // examples: "<!-- <span> No gain without pain. </span> -->", "<!-- <p> Beauty is only skin deep. </p> -->", "<!-- <span> Actions speak louder than words. </span> -->"
              regex.count(file.parse_text(.).text,
                          '<!-- <[a-z]+> [A-Z][ a-z ]+\. </[a-z]+> -->'
              )
            // more than two such sayings-comments in a single file (no uniqueness check here)
            ) > 2
          )
  )  
# Classification metadata; not part of the query logic.
tags:
 - "Attack surface reduction"
attack_types:
  - "Credential Phishing"
  - "Malware/Ransomware"
tactics_and_techniques:
  - "HTML smuggling"
  - "Evasion"
detection_methods:
  - "File analysis"
  - "HTML analysis"
  - "Content analysis"
# Stable rule identifier (taken from the page).
id: "93061d17-730a-5b33-955d-8f8f6cc5cca9"

