Detect HTML Smuggling in IBM QRadar
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs that can later be constructed into file-like objects. Data may also be stored in Data URLs, enabling embedding media type or MIME files inline of HTML documents. HTML5 introduced a download attribute that may be used to initiate file downloads. Adversaries deliver payloads that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. APT29 (NOBELIUM) used HTML smuggling to deliver ISO files embedded in HTML attachments (EnvyScout). QakBot was delivered in ZIP files via HTML smuggling. This technique bypasses web content filters because the HTML file itself contains only text/html MIME content.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.006 HTML Smuggling
- Canonical reference
- https://attack.mitre.org/techniques/T1027/006/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip,
username,
"TargetFilename",
"Image",
CATEGORYNAME(category) AS event_category
FROM events
WHERE LOGSOURCETYPE(logsourceid) ILIKE '%Microsoft Windows%'
AND eventid = 11
AND (
"TargetFilename" ILIKE '%\\Downloads\\%.iso'
OR "TargetFilename" ILIKE '%\\Downloads\\%.img'
OR "TargetFilename" ILIKE '%\\Downloads\\%.hta'
OR "TargetFilename" ILIKE '%\\Downloads\\%.js'
OR "TargetFilename" ILIKE '%\\Downloads\\%.vbs'
OR "TargetFilename" ILIKE '%\\Downloads\\%.lnk'
OR "TargetFilename" ILIKE '%\\Downloads\\%.bat'
OR "TargetFilename" ILIKE '%\\Downloads\\%.exe'
OR "TargetFilename" ILIKE '%\\Temp\\%.iso'
OR "TargetFilename" ILIKE '%\\Temp\\%.hta'
OR "TargetFilename" ILIKE '%\\AppData\\%.hta'
OR "TargetFilename" ILIKE '%\\AppData\\%.iso'
)
AND (
"Image" ILIKE '%\\msedge.exe'
OR "Image" ILIKE '%\\chrome.exe'
OR "Image" ILIKE '%\\firefox.exe'
OR "Image" ILIKE '%\\iexplore.exe'
OR "Image" ILIKE '%\\brave.exe'
OR "Image" ILIKE '%\\opera.exe'
)
LAST 24 HOURS
ORDER BY starttime DESCDetects HTML Smuggling (T1027.006) using Sysmon Event ID 11 (File Create) ingested into IBM QRadar. The query targets Microsoft Windows log sources and filters on the custom DSM-parsed properties TargetFilename and Image — corresponding directly to the Sysmon XML fields used in the SPL baseline. Requires Sysmon deployed with FileCreate event collection and QRadar WinCollect or Universal DSM parsing configured to extract these custom properties. The LOGSOURCETYPE filter ensures portability across environments with multiple Windows log source types.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise internal web portals serving browser-initiated downloads of approved software packages (EXE or ZIP) from authenticated inventory management systems
- Security tooling or EDR product updates where the agent's embedded browser component downloads installer EXE files into Temp or AppData directories
- Automated browser-based test frameworks (Selenium, Playwright) running in CI pipelines that download ZIP artifacts as part of test fixture setup
Other platforms for T1027.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create HTML Smuggling Page with JavaScript Blob
Expected signal: Sysmon Event ID 11: smuggle_test.html created in %TEMP%, html_smuggled_payload.txt created in Downloads by msedge.exe. Sysmon Event ID 1: msedge.exe launched with HTML file argument. Browser file creation in Downloads directory.
- Test 2Simulate EnvyScout HTML Smuggling ISO Drop
Expected signal: Sysmon Event ID 11: envyscout_sim.html created in %TEMP%. The HTML file contains Base64-encoded data and Blob/download attribute JavaScript patterns. Opening in a browser would trigger creation of update.iso in Downloads.
- Test 3Download and Execute Payload from HTA File via Browser
Expected signal: Sysmon Event ID 11: smuggled.hta created in %TEMP%. Sysmon Event ID 1: mshta.exe launching the HTA file. The VBScript MessageBox dialog appears, confirming execution.
- Test 4Identify HTML Smuggling Pattern in HTML File
Expected signal: PowerShell process execution. ScriptBlock Log Event ID 4104 with the analysis code. Output identifies specific HTML smuggling constructs present in the file.
References (6)
- https://attack.mitre.org/techniques/T1027/006/
- https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
- https://www.menlosecurity.com/blog/new-attack-alert-duri
- https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md
Unlock Pro Content
Get the full detection package for T1027.006 including response playbook, investigation guide, and atomic red team tests.