Detect HTML Smuggling in Sumo Logic CSE
Adversaries may smuggle data and files past content filters by hiding malicious payloads inside seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs that can later be constructed into file-like objects. Data may also be stored in Data URLs, which embed media-type (MIME) content inline in HTML documents. HTML5 introduced a download attribute that may be used to initiate file downloads. Adversaries deliver payloads that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. APT29 (NOBELIUM) used HTML smuggling to deliver ISO files embedded in HTML attachments (EnvyScout). QakBot was delivered in ZIP files via HTML smuggling. This technique bypasses web content filters because, in transit, the HTML file itself contains only text/html MIME content; the payload is only assembled by the browser on the endpoint, which is why the detection below keys on files written by browser processes.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1027 Obfuscated Files or Information
- Sub-technique
- T1027.006 HTML Smuggling
- Canonical reference
- https://attack.mitre.org/techniques/T1027/006/
Sumo Detection Query
_sourceCategory=windows/sysmon OR _sourceCategory=*sysmon*
| parse regex "\<EventID\>(?<EventID>\d+)\<\/EventID\>"
| where EventID = "11"
| parse regex "\<Data Name='TargetFilename'\>(?<TargetFilename>[^<]+)\<\/Data\>"
| parse regex "\<Data Name='Image'\>(?<Image>[^<]+)\<\/Data\>"
| parse regex "\<Data Name='User'\>(?<UserName>[^<]+)\<\/Data\>" nodrop
| parse regex "\<Computer\>(?<Computer>[^<]+)\<\/Computer\>" nodrop
| where (
    TargetFilename matches "*\\Downloads\\*.iso"
    OR TargetFilename matches "*\\Downloads\\*.img"
    OR TargetFilename matches "*\\Downloads\\*.hta"
    OR TargetFilename matches "*\\Downloads\\*.js"
    OR TargetFilename matches "*\\Downloads\\*.vbs"
    OR TargetFilename matches "*\\Downloads\\*.lnk"
    OR TargetFilename matches "*\\Downloads\\*.bat"
    OR TargetFilename matches "*\\Temp\\*.iso"
    OR TargetFilename matches "*\\Temp\\*.hta"
    OR TargetFilename matches "*\\AppData\\*.hta"
  )
| where (
    Image matches "*\\msedge.exe"
    OR Image matches "*\\chrome.exe"
    OR Image matches "*\\firefox.exe"
    OR Image matches "*\\iexplore.exe"
    OR Image matches "*\\brave.exe"
    OR Image matches "*\\opera.exe"
  )
| if(TargetFilename matches "*.iso" OR TargetFilename matches "*.img", "ISO_IMG",
    if(TargetFilename matches "*.hta" OR TargetFilename matches "*.js" OR TargetFilename matches "*.vbs" OR TargetFilename matches "*.lnk" OR TargetFilename matches "*.bat", "Script", "Executable")
  ) as FileCategory
| fields _messageTime, Computer, UserName, TargetFilename, Image, FileCategory
| sort by _messageTime desc

The query detects HTML Smuggling (T1027.006) in Sumo Logic by regex-parsing Sysmon Event ID 11 (File Create) XML telemetry. Because Sysmon data arrives as raw Windows XML event records, the query extracts EventID, TargetFilename, Image, User and Computer with named capture groups that match the Sysmon XML schema; User and Computer are parsed with nodrop, so an event missing either field is still evaluated. It then keeps only files with the listed extensions written under Downloads, Temp or AppData, and only when the writing process is one of the listed browsers. FileCategory labels each hit ISO_IMG, Script, or Executable to prioritize analyst triage; with the extension filter as written, every hit falls into ISO_IMG or Script, so Executable only appears if you extend the TargetFilename filter to further file types. Adjust _sourceCategory to match your Sumo Logic collector configuration for Windows Sysmon data.
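To check what the query's filters and FileCategory logic will and will not surface before deploying it, here is an added Python re-implementation run over constructed Sysmon Event ID 11 XML records (example code, not the page's query or Sumo Logic's own engine). It assumes the glob matches are case-insensitive, mirrors the parse regex extractions and both where() clauses, and the sample events and paths are constructed for this example.

```python
import re
from fnmatch import fnmatch
# Glob patterns copied from the query's two where() clauses
PATH_PATTERNS = ["*\\Downloads\\*.iso", "*\\Downloads\\*.img", "*\\Downloads\\*.hta",
                 "*\\Downloads\\*.js", "*\\Downloads\\*.vbs", "*\\Downloads\\*.lnk",
                 "*\\Downloads\\*.bat", "*\\Temp\\*.iso", "*\\Temp\\*.hta", "*\\AppData\\*.hta"]
BROWSERS = ["*\\msedge.exe", "*\\chrome.exe", "*\\firefox.exe",
            "*\\iexplore.exe", "*\\brave.exe", "*\\opera.exe"]
FIELD_REGEX = {"EventID": r"<EventID>(\d+)</EventID>",
               "TargetFilename": r"<Data Name='TargetFilename'>([^<]+)</Data>",
               "Image": r"<Data Name='Image'>([^<]+)</Data>"}

def parse_event(xml_text):
    """Extract the query's fields from one Sysmon XML record, as the parse regex lines do (None when absent)."""
    found = {k: re.search(rx, xml_text) for k, rx in FIELD_REGEX.items()}
    return {k: (m.group(1) if m else None) for k, m in found.items()}

def classify(ev):
    """Apply the query's where() filters; return FileCategory, or None if the event is dropped."""
    path, image = (ev["TargetFilename"] or "").lower(), (ev["Image"] or "").lower()
    if ev["EventID"] != "11" or not any(fnmatch(path, p.lower()) for p in PATH_PATTERNS):
        return None
    if not any(fnmatch(image, b.lower()) for b in BROWSERS):
        return None
    if path.endswith((".iso", ".img")):
        return "ISO_IMG"
    if path.endswith((".hta", ".js", ".vbs", ".lnk", ".bat")):
        return "Script"
    return "Executable"  # unreachable with PATH_PATTERNS as written; kept to mirror the query

def sysmon_xml(event_id, target, image):
    """Build a minimal Sysmon-style XML record (constructed sample, not real telemetry)."""
    return (f"<Event><System><EventID>{event_id}</EventID></System><EventData>"
            f"<Data Name='Image'>{image}</Data><Data Name='TargetFilename'>{target}</Data>"
            "</EventData></Event>")

EDGE = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
SAMPLE_EVENTS = [  # constructed: two true positives, a benign PDF, and a non-browser writer
    sysmon_xml(11, "C:\\Users\\alice\\Downloads\\update.iso", EDGE),
    sysmon_xml(11, "C:\\Users\\alice\\Downloads\\smuggled.hta", CHROME),
    sysmon_xml(11, "C:\\Users\\alice\\Downloads\\report.pdf", EDGE),
    sysmon_xml(11, "C:\\Users\\alice\\Downloads\\tool.iso", "C:\\Windows\\explorer.exe")]

def run_detection(records):
    """Return (TargetFilename, FileCategory) for each record the query would surface."""
    parsed = [parse_event(r) for r in records]
    return [(ev["TargetFilename"], c) for ev in parsed if (c := classify(ev))]
```

Feed it the XML of a real Event ID 11 record that did or did not alert in Sumo to see which filter is responsible before widening or narrowing the pattern lists.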
False Positives & Tuning
- Automated browser-based backup or sync clients (OneDrive, Box Drive, Dropbox) that use an embedded browser engine to download ISO or ZIP archive files from cloud storage
- Enterprise managed browser policies permitting ISO media downloads from approved internal software repositories for OS imaging or VM template distribution
- Security analyst workstations in sandbox environments where analysts intentionally download malware samples via browser for triage or reverse engineering
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create HTML Smuggling Page with JavaScript Blob
Expected signal: Sysmon Event ID 11: smuggle_test.html created in %TEMP%, html_smuggled_payload.txt created in Downloads by msedge.exe. Sysmon Event ID 1: msedge.exe launched with HTML file argument. Browser file creation in Downloads directory.
- Test 2: Simulate EnvyScout HTML Smuggling ISO Drop
Expected signal: Sysmon Event ID 11: envyscout_sim.html created in %TEMP%. The HTML file contains Base64-encoded data and Blob/download attribute JavaScript patterns. Opening in a browser would trigger creation of update.iso in Downloads.
- Test 3: Download and Execute Payload from HTA File via Browser
Expected signal: Sysmon Event ID 11: smuggled.hta created in %TEMP%. Sysmon Event ID 1: mshta.exe launching the HTA file. The VBScript MessageBox dialog appears, confirming execution.
- Test 4: Identify HTML Smuggling Pattern in HTML File
Expected signal: PowerShell process execution. ScriptBlock Log Event ID 4104 with the analysis code. Output identifies specific HTML smuggling constructs present in the file.
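The static check that Test 4 describes, as an added Python example (not the Atomic Red Team test and not the page's own code): it looks for the constructs named in the description at the top of the page (JavaScript Blob, URL.createObjectURL, the HTML5 download attribute, atob/Base64 decoding, Data URLs) and combines them into a triage verdict. The indicator names, the verdict rule and both HTML samples are constructed for this example; the suspicious sample is deliberately incomplete.

```python
import re

# Indicator names are labels constructed for this example; the constructs are those the page describes
INDICATORS = {
    "js_blob": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "data_url": re.compile(r"data:[\w.+-]+/[\w.+-]+;base64,", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob|msSaveBlob", re.I),
    "long_b64_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{200,}[\"']"),
}

def scan(html):
    """Return {indicator: match_count} for every smuggling construct found in the HTML text."""
    hits = {name: len(rx.findall(html)) for name, rx in INDICATORS.items()}
    return {name: n for name, n in hits.items() if n}

def verdict(hits):
    """An in-page payload plus a client-side save trigger is the smuggling pattern; anything else is review/clean."""
    payload = {"js_blob", "data_url", "long_b64_literal"} & hits.keys()
    trigger = {"download_attr", "object_url", "ms_save_blob"} & hits.keys()
    if payload and trigger:
        return "smuggling-likely"
    return "review" if hits else "clean"

# Constructed samples: the suspicious page is intentionally not runnable (payload and link are undefined)
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<a href="/files/report.pdf">Open the PDF</a><img src="/img/chart.png"></body></html>"""
SUSPICIOUS_HTML = ("<html><body><script>var payload = \"" + "QUJD" * 60 + "\";\n"
                   "var blob = new Blob([atob(payload)], {type: 'application/octet-stream'});\n"
                   "link.href = URL.createObjectURL(blob); link.download = 'update.iso';\n"
                   "</script></body></html>")
```

Legitimate pages that offer a single download link will land in "review"; only the combination of an embedded payload and a save trigger reaches "smuggling-likely", so tune the indicator sets rather than the regexes when you get noise.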
References
- https://attack.mitre.org/techniques/T1027/006/
- https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
- https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
- https://www.menlosecurity.com/blog/new-attack-alert-duri
- https://www.nccgroup.com/us/research-blog/smuggling-hta-files-in-internet-exploreredge/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.006/T1027.006.md