New Rule (Attachment): HTML smuggling 'body onload' with high entropy…

… and suspicious text (#814) Co-authored-by: ID Generator <[email protected]> Co-authored-by: Sam Scholten <[email protected]>
sublime-security · Sep 25, 2023 · 8a09102 · 8a09102
1 parent de9bfce
commit 8a09102
Showing 1 changed file with 39 additions and 0 deletions.
diff --git a/detection-rules/attachment_html_smuggling_suspicious_onload.yml b/detection-rules/attachment_html_smuggling_suspicious_onload.yml
@@ -0,0 +1,39 @@
+name: "Attachment: HTML smuggling 'body onload' with high entropy and suspicious text"
+description: |
+  Potential HTML Smuggling. This rule inspects HTML attachments that contain "body unload", high entropy, and suspicious text.
+type: "rule"
+severity: "high"
+source: |
+  type.inbound
+  and any(attachments,
+          (
+            .file_extension in~ ("html", "htm", "shtml", "dhtml", "xhtml")
+            or (
+              .file_extension is null
+              and .file_type == "unknown"
+              and .content_type == "application/octet-stream"
+            )
+            or .file_extension in~ $file_extensions_common_archives
+            or .file_type == "html"
+            or .content_type == "text/html"
+          )
+          and any(file.explode(.),
+              .scan.entropy.entropy >= 5
+              and any(.scan.strings.strings, strings.ilike(., "*body onload*"))
+              and any(.scan.strings.strings, regex.icontains(., 'data:image/.*;base64'))
+              and any(.scan.strings.strings, strings.ilike(., "*document pass*"))
+          )
+  )
+attack_types:
+  - "Credential Phishing"
+  - "Malware/Ransomware"
+tactics_and_techniques:
+  - "Evasion"
+  - "HTML smuggling"
+  - "Scripting"
+detection_methods:
+  - "Archive analysis"
+  - "Content analysis"
+  - "File analysis"
+  - "HTML analysis"
+id: "329ac12d-f74e-577c-936c-1db80ccf860e"