T1027.006 HTML Smuggling Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".iso" or FileName endswith ".img" or FileName endswith ".zip"
    or FileName endswith ".exe" or FileName endswith ".js" or FileName endswith ".hta"
    or FileName endswith ".lnk" or FileName endswith ".bat" or FileName endswith ".vbs"
| where InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe",
    "iexplore.exe", "brave.exe", "opera.exe")
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\")
| extend IsISO = FileName endswith ".iso" or FileName endswith ".img"
| extend IsArchive = FileName endswith ".zip" or FileName endswith ".rar" or FileName endswith ".7z"
| extend IsExecutable = FileName endswith ".exe" or FileName endswith ".hta" or FileName endswith ".js"
    or FileName endswith ".bat" or FileName endswith ".vbs" or FileName endswith ".lnk"
| where IsISO or IsExecutable
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         IsISO, IsArchive, IsExecutable
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives

Legitimate ISO downloads from software vendor websites (Microsoft, VMware, Linux distributions) via browsers
Users intentionally downloading executable installers from known-good vendor sites
Developers downloading JavaScript bundles or build artifacts that happen to use download attribute
Browser extensions or web applications that legitimately generate and download files via JavaScript Blob API

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  (TargetFilename="*\\Downloads\\*.iso"
   OR TargetFilename="*\\Downloads\\*.img"
   OR TargetFilename="*\\Downloads\\*.hta"
   OR TargetFilename="*\\Downloads\\*.js"
   OR TargetFilename="*\\Downloads\\*.vbs"
   OR TargetFilename="*\\Downloads\\*.lnk"
   OR TargetFilename="*\\Temp\\*.iso"
   OR TargetFilename="*\\Temp\\*.hta")
  (Image="*\\msedge.exe" OR Image="*\\chrome.exe" OR Image="*\\firefox.exe"
   OR Image="*\\iexplore.exe" OR Image="*\\brave.exe")
| eval IsISO=if(match(TargetFilename, "(\.iso|\.img)$"), 1, 0)
| eval IsScript=if(match(TargetFilename, "(\.hta|\.js|\.vbs|\.bat|\.lnk)$"), 1, 0)
| table _time, host, User, TargetFilename, Image, IsISO, IsScript
| sort - _time

high severity high confidence

Data Sources

File: File Creation Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate ISO downloads from software distribution sites via browsers (Microsoft Visual Studio, Linux ISOs)
Web-based development tools that generate and download JavaScript, batch, or VBScript files
HTA-based configuration utilities that organizations deliver via their internal web portals
LNK files generated by web applications for shortcut creation workflows

Elastic Security (EQL)

eql

file where event.action == "creation" and
  process.name : ("msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "brave.exe", "opera.exe") and
  file.extension : ("iso", "img", "hta", "js", "vbs", "lnk", "bat", "exe", "zip") and
  file.path : ("*\\Downloads\\*", "*\\Temp\\*", "*\\AppData\\*")

high severity high confidence

Data Sources

Elastic Endpoint Security Agent Winlogbeat with Sysmon module Elastic Agent (endpoint integration)

Required Tables

logs-endpoint.events.file-* winlogbeat-* .ds-logs-system.security-*

False Positives

Enterprise software deployment portals where browsers download legitimate ISO or EXE packages from internal SCCM/Intune distribution points
Developer workflows involving browser-based CI/CD artifact downloads from GitHub Releases, Jenkins, or Artifactory fetching ZIP or EXE assets to the Downloads directory
IT administrators using browser-based hypervisor management consoles (VMware vSphere, Proxmox) that serve ISO images for OS provisioning

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  "TargetFilename",
  "Image",
  CATEGORYNAME(category) AS event_category
FROM events
WHERE LOGSOURCETYPE(logsourceid) ILIKE '%Microsoft Windows%'
  AND eventid = 11
  AND (
    "TargetFilename" ILIKE '%\\Downloads\\%.iso'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.img'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.hta'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.js'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.vbs'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.lnk'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.bat'
    OR "TargetFilename" ILIKE '%\\Downloads\\%.exe'
    OR "TargetFilename" ILIKE '%\\Temp\\%.iso'
    OR "TargetFilename" ILIKE '%\\Temp\\%.hta'
    OR "TargetFilename" ILIKE '%\\AppData\\%.hta'
    OR "TargetFilename" ILIKE '%\\AppData\\%.iso'
  )
  AND (
    "Image" ILIKE '%\\msedge.exe'
    OR "Image" ILIKE '%\\chrome.exe'
    OR "Image" ILIKE '%\\firefox.exe'
    OR "Image" ILIKE '%\\iexplore.exe'
    OR "Image" ILIKE '%\\brave.exe'
    OR "Image" ILIKE '%\\opera.exe'
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Windows Sysmon (Event ID 11) IBM QRadar WinCollect Agent QRadar Windows Event Log DSM

Required Tables

events

False Positives

Enterprise internal web portals serving browser-initiated downloads of approved software packages (EXE or ZIP) from authenticated inventory management systems
Security tooling or EDR product updates where the agent's embedded browser component downloads installer EXE files into Temp or AppData directories
Automated browser-based test frameworks (Selenium, Playwright) running in CI pipelines that download ZIP artifacts as part of test fixture setup

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon*
| parse regex "\<EventID\>(?<EventID>\d+)\<\/EventID\>"
| where EventID = "11"
| parse regex "\<Data Name='TargetFilename'\>(?<TargetFilename>[^<]+)\<\/Data\>"
| parse regex "\<Data Name='Image'\>(?<Image>[^<]+)\<\/Data\>"
| parse regex "\<Data Name='User'\>(?<UserName>[^<]+)\<\/Data\>" nodrop
| parse regex "\<Computer\>(?<Computer>[^<]+)\<\/Computer\>" nodrop
| where (
    TargetFilename matches "*\\Downloads\\*.iso"
    OR TargetFilename matches "*\\Downloads\\*.img"
    OR TargetFilename matches "*\\Downloads\\*.hta"
    OR TargetFilename matches "*\\Downloads\\*.js"
    OR TargetFilename matches "*\\Downloads\\*.vbs"
    OR TargetFilename matches "*\\Downloads\\*.lnk"
    OR TargetFilename matches "*\\Downloads\\*.bat"
    OR TargetFilename matches "*\\Temp\\*.iso"
    OR TargetFilename matches "*\\Temp\\*.hta"
    OR TargetFilename matches "*\\AppData\\*.hta"
  )
| where (
    Image matches "*\\msedge.exe"
    OR Image matches "*\\chrome.exe"
    OR Image matches "*\\firefox.exe"
    OR Image matches "*\\iexplore.exe"
    OR Image matches "*\\brave.exe"
    OR Image matches "*\\opera.exe"
  )
| if(TargetFilename matches "*.iso" OR TargetFilename matches "*.img", "ISO_IMG", 
    if(TargetFilename matches "*.hta" OR TargetFilename matches "*.js" OR TargetFilename matches "*.vbs" OR TargetFilename matches "*.lnk" OR TargetFilename matches "*.bat", "Script", "Executable")
  ) as FileCategory
| fields _messageTime, Computer, UserName, TargetFilename, Image, FileCategory
| sort by _messageTime desc

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon XML Event Logs via Sumo Logic Sumo Logic Cloud SIEM Enterprise (CSE)

Required Tables

_sourceCategory=windows/sysmon

False Positives

Automated browser-based backup or sync clients (OneDrive, Box Drive, Dropbox) that use an embedded browser engine to download ISO or ZIP archive files from cloud storage
Enterprise managed browser policies permitting ISO media downloads from approved internal software repositories for OS imaging or VM template distribution
Security analyst workstations in sandbox environments where analysts intentionally download malware samples via browser for triage or reverse engineering

Google Chronicle / SecOps

yaral

rule html_smuggling_browser_drops_suspicious_file {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects HTML Smuggling T1027.006: browser process creating ISO/IMG disk images or script/executable payloads in user-writable directories"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.006"
    mitre_attack_subtechnique = "HTML Smuggling"
    reference = "https://attack.mitre.org/techniques/T1027/006/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.process.file.full_path =
      /(?i)(\\|\/)((msedge|chrome|firefox|iexplore|brave|opera)\.exe)$/
    $e.target.file.full_path =
      /(?i)\\(Downloads|Temp|AppData)\\/
    $e.target.file.full_path =
      /(?i)\.(iso|img|hta|js|vbs|lnk|bat|exe|zip)$/

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM (UDM) Chronicle Forwarder (Windows endpoints) CrowdStrike Falcon Chronicle Integration Carbon Black Chronicle Integration BindPlane ingestion pipeline

Required Tables

UDM Events — FILE_CREATION event type

False Positives

Browser extensions leveraging the downloads API to write JS configuration or runtime files into AppData extension cache directories during installation or self-update
Internal enterprise web applications that authenticate users and serve EXE or ZIP software packages via browser download as part of onboarding or provisioning workflows
Authorized red team or penetration testing engagements simulating HTML smuggling payloads against endpoints enrolled in Chronicle monitoring

CrowdStrike LogScale (CQL)

cql

#event_simpleName=NewExecutableWritten
| ImageFileName = /(?i)(msedge|chrome|firefox|iexplore|brave|opera)\.exe$/
| TargetFileName = /(?i)\.(iso|img|hta|js|vbs|lnk|bat|exe)$/
| FilePath = /(?i)(Downloads|Temp|AppData)/
| table(
    [
      @timestamp,
      ComputerName,
      UserName,
      TargetFileName,
      FilePath,
      ImageFileName,
      SHA256HashData,
      TargetProcessId
    ]
  )
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Sensor Falcon LogScale (Humio) Falcon Insight XDR

Required Tables

#event_simpleName=NewExecutableWritten #event_simpleName=ProcessRollup2

False Positives

Chrome or Edge browser auto-update processes that write new installer EXE versions into AppData\Local\Google\Update or AppData\Local\Microsoft\EdgeUpdate directories as part of the browser self-update cycle
Electron-based desktop applications (Slack, VS Code, Microsoft Teams) that use embedded Chromium to download and self-install updates, writing EXE or NUPKG files to Temp or AppData
Enterprise web-based software delivery systems (PDQ Deploy web console, ManageEngine Desktop Central) that push EXE packages via browser session on managed endpoints

HTML Smuggling

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections