Attachment: SVG file execution
Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.
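name: "Attachment: SVG file execution"
description: |
  Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.
references:
  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
type: "rule"
severity: "high"
source: |
  type.inbound
  // Candidate attachments: an SVG by extension or detected file type, or a
  // common archive type that may carry one (unpacked by file.explode below).
  and any(attachments,
          (
            .file_extension =~ "svg"
            or .file_extension in $file_extensions_common_archives
            or .file_type == "svg"
          )
          // Walk every exploded file so an SVG nested in an archive is covered.
          and any(file.explode(.),
                  // Case-insensitive (=~), consistent with the outer extension
                  // check, so an upper-cased ".SVG" inside an archive is not
                  // skipped by a case-sensitive == comparison.
                  .file_extension =~ "svg"
                  // Author Matt harr0ey @harr0ey
                  // Topic: SVG file Execution
                  // WScript inside SVG
                  // <script language="JScript">
                  // <![CDATA[
                  // var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
                  // ]]>
                  // </script>
                  and any(.scan.strings.strings,
                          strings.icontains(., "ActiveXObject")
                  )
                  and any(.scan.strings.strings,
                          strings.icontains(., "WScript.Shell")
                  )
                  // Case-insensitive (ilike) to match the two icontains checks
                  // above; a differently cased "run"/"execute" would otherwise
                  // slip past a case-sensitive strings.like.
                  and any(.scan.strings.strings,
                          strings.ilike(., "*Run*", "*Execute*")
                  )
          )
  )
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Scripting"
detection_methods:
  - "Archive analysis"
  - "Content analysis"
  - "File analysis"
id: "084b0cde-4352-5624-b1e8-2d9ecd1f7218"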