Attachment: SVG file execution

Detects file execution attempts in SVG attachments (including SVGs inside common archive types): an embedded script block instantiates ActiveXObject to invoke WScript.Shell and run a program. The match is a plain-text string scan for the ActiveXObject / WScript.Shell / Run-or-Execute markers, so obfuscated variants may not be caught.

Sublime rule (View on GitHub)

 1name: "Attachment: SVG file execution"
 2description: |
 3    Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.
 4references:
 5  - "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
 6type: "rule"
 7severity: "high"
 8source: |
 9  type.inbound
10  and any(attachments,
11          (
12            .file_extension =~ "svg"
13            or .file_extension in $file_extensions_common_archives
14            or .file_type == "svg"
15          )
16          and any(file.explode(.),
17                  .file_extension == "svg"
18                  // Author Matt harr0ey @harr0ey
19                  // Topic: SVG file Execution
20                  // WScript inside SVG
21                  // <script language="JScript">
22                  // <![CDATA[
23                  // var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
24                  // ]]>
25                  // </script>
26                  and any(.scan.strings.strings,
27                          strings.icontains(., "ActiveXObject")
28                  )
29                  and any(.scan.strings.strings,
30                          strings.icontains(., "WScript.Shell")
31                  )
32                  and any(.scan.strings.strings,
33                          strings.like(., "*Run*", "*Execute*")
34                  )
35          )
36  )  
37attack_types:
38  - "Malware/Ransomware"
39tactics_and_techniques:
40  - "Scripting"
41detection_methods:
42  - "Archive analysis"
43  - "Content analysis"
44  - "File analysis"
45id: "084b0cde-4352-5624-b1e8-2d9ecd1f7218"