T1027.006 Google Chronicle · YARA-L

Detect HTML Smuggling in Google Chronicle

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs that can later be assembled into file-like objects. Data may also be stored in Data URLs, which embed MIME-typed content inline in an HTML document. HTML5 introduced a download attribute that can be used to initiate file downloads. Adversaries deliver payloads that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or the HTML5 download attribute. APT29 (NOBELIUM) used HTML smuggling to deliver ISO files embedded in HTML attachments (EnvyScout). QakBot was delivered in ZIP files via HTML smuggling. The technique bypasses web content filters because the HTML file itself contains only text/html MIME content; the payload is reconstructed by the browser on the endpoint.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.006 HTML Smuggling
Canonical reference
https://attack.mitre.org/techniques/T1027/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule html_smuggling_browser_drops_suspicious_file {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects HTML Smuggling T1027.006: browser process creating ISO/IMG disk images or script/executable payloads in user-writable directories"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.006"
    mitre_attack_subtechnique = "HTML Smuggling"
    reference = "https://attack.mitre.org/techniques/T1027/006/"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.process.file.full_path =
      /(?i)(\\|\/)((msedge|chrome|firefox|iexplore|brave|opera)\.exe)$/
    $e.target.file.full_path =
      /(?i)\\(Downloads|Temp|AppData)\\/
    $e.target.file.full_path =
      /(?i)\.(iso|img|hta|js|vbs|lnk|bat|exe|zip)$/

  condition:
    $e
}
Severity: HIGH · Confidence: HIGH

This Google Chronicle YARA-L 2.0 rule detects HTML Smuggling (T1027.006) from UDM FILE_CREATION events. It matches on the UDM normalized model: principal.process.file.full_path identifies the creating browser process and target.file.full_path carries the path and extension of the dropped payload. The three regex conditions, one on the process path and two on target.file.full_path, are ANDed, so an event fires only when a listed browser writes a file that sits under a suspicious directory segment and carries a listed extension at the same time. Compatible with Chronicle data ingested from Windows endpoints via Chronicle Forwarder, CrowdStrike, Carbon Black, or a BindPlane pipeline.
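To show which events the rule's ANDed conditions admit and reject, here is an added Python re-implementation of the same three regexes run over constructed UDM-shaped events; it is not part of this page or of Chronicle, and the file paths, user name and extension id are made up.

```python
import re

# The three regexes from the YARA-L rule above; RE2 and Python's re agree on this syntax.
BROWSER_RE = re.compile(r"(?i)(\\|/)((msedge|chrome|firefox|iexplore|brave|opera)\.exe)$")
DIR_RE = re.compile(r"(?i)\\(Downloads|Temp|AppData)\\")
EXT_RE = re.compile(r"(?i)\.(iso|img|hta|js|vbs|lnk|bat|exe|zip)$")

def _field(event, dotted):
    """Read a dotted UDM path; a missing field yields "" so sparse events simply fail to match."""
    for key in dotted.split("."):
        event = event.get(key, {}) if isinstance(event, dict) else {}
    return event if isinstance(event, str) else ""

def matches_rule(event):
    """True when the event satisfies every condition of the rule (YARA-L ANDs all of them)."""
    if _field(event, "metadata.event_type") != "FILE_CREATION":
        return False
    proc = _field(event, "principal.process.file.full_path")
    target = _field(event, "target.file.full_path")
    # search(), not match(): the rule's regexes are only anchored where $ is written.
    return bool(BROWSER_RE.search(proc) and DIR_RE.search(target) and EXT_RE.search(target))

def udm_event(proc_path, target_path, event_type="FILE_CREATION"):
    """Build a minimal UDM-shaped event (constructed sample data, not real telemetry)."""
    return {"metadata": {"event_type": event_type},
            "principal": {"process": {"file": {"full_path": proc_path}}},
            "target": {"file": {"full_path": target_path}}}

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = {
    # EnvyScout-style ISO drop (Test 2): every condition holds, so the rule fires.
    "iso_drop": udm_event(EDGE, r"C:\Users\alice\Downloads\update.iso"),
    # Test 1 drops a .txt payload: not in the extension list, so the rule stays silent.
    "txt_drop": udm_event(EDGE, r"C:\Users\alice\Downloads\html_smuggled_payload.txt"),
    # Word, not a browser, saving a ZIP: the process condition fails.
    "word_zip": udm_event(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                          r"C:\Users\alice\Downloads\report.zip"),
    # Chrome writing a .js into its extension cache under AppData: fires (tuning candidate).
    "ext_cache": udm_event(CHROME, r"C:\Users\alice\AppData\Local\Google\Chrome\User Data"
                                   r"\Default\Extensions\abcd\1.0_0\background.js"),
    # Test 3's mshta.exe launch arrives as PROCESS_LAUNCH, which this rule never inspects.
    "hta_launch": udm_event(r"C:\Windows\System32\mshta.exe",
                            r"C:\Users\alice\AppData\Local\Temp\smuggled.hta", "PROCESS_LAUNCH"),
}

def run_rule(events):
    """Return the sample event names the rule would alert on."""
    return sorted(name for name, event in events.items() if matches_rule(event))
```

The .txt from Test 1 and the .js in an extension cache show the two edges of the extension list: the first is a browser-dropped payload the rule cannot see, the second a benign write it flags, which is what the tuning entries below address.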

Data Sources

Google Chronicle SIEM (UDM)
Chronicle Forwarder (Windows endpoints)
CrowdStrike Falcon Chronicle Integration
Carbon Black Chronicle Integration
BindPlane ingestion pipeline

Required Tables

UDM Events — FILE_CREATION event type

False Positives & Tuning

  • Browser extensions leveraging the downloads API to write JS configuration or runtime files into AppData extension cache directories during installation or self-update
  • Internal enterprise web applications that authenticate users and serve EXE or ZIP software packages via browser download as part of onboarding or provisioning workflows
  • Authorized red team or penetration testing engagements simulating HTML smuggling payloads against endpoints enrolled in Chronicle monitoring

Testing Methodology

Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create HTML Smuggling Page with JavaScript Blob

    Expected signal: Sysmon Event ID 11: smuggle_test.html created in %TEMP%, html_smuggled_payload.txt created in Downloads by msedge.exe. Sysmon Event ID 1: msedge.exe launched with HTML file argument. Browser file creation in Downloads directory.

  2. Test 2: Simulate EnvyScout HTML Smuggling ISO Drop

    Expected signal: Sysmon Event ID 11: envyscout_sim.html created in %TEMP%. The HTML file contains Base64-encoded data and Blob/download attribute JavaScript patterns. Opening in a browser would trigger creation of update.iso in Downloads.

  3. Test 3: Download and Execute Payload from HTA File via Browser

    Expected signal: Sysmon Event ID 11: smuggled.hta created in %TEMP%. Sysmon Event ID 1: mshta.exe launching the HTA file. The VBScript MessageBox dialog appears, confirming execution.

  4. Test 4: Identify HTML Smuggling Pattern in HTML File

    Expected signal: PowerShell process execution. ScriptBlock Log Event ID 4104 with the analysis code. Output identifies specific HTML smuggling constructs present in the file.
