T1027.017

SVG Smuggling

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs are vector-based image files constructed using XML and can legitimately include <script> tags, enabling adversaries to embed malicious JavaScript payloads. SVGs may appear less suspicious to users than other executable file types since they are often treated as image files. SVG smuggling can assemble or download malicious payloads, redirect users to malicious websites, or display interactive content such as fake login forms. SVG Smuggling may be used in conjunction with HTML Smuggling where an SVG with a malicious payload is included inside an HTML file.

Microsoft Sentinel / Defender

kusto

// Detect SVG files opened by browsers or mail clients that subsequently spawn processes or download files
let SuspiciousChildProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe", "curl.exe", "wget.exe"]);
let BrowserProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe"]);
let MailClients = dynamic(["outlook.exe", "thunderbird.exe", "winmail.exe"]);
// Detection 1: Browser or mail client spawning suspicious child processes after SVG-related activity
let SvgSpawnedProcesses = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName has_any (BrowserProcesses) or InitiatingProcessFileName has_any (MailClients)
| where FileName has_any (SuspiciousChildProcesses)
| extend SvgContext = InitiatingProcessCommandLine has ".svg"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, SvgContext,
          DetectionType = "SuspiciousChildProcess";
// Detection 2: SVG files written to disk by browsers or mail clients
let SvgFileWrites = DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName endswith ".svg"
| where InitiatingProcessFileName has_any (BrowserProcesses) or InitiatingProcessFileName has_any (MailClients)
| project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
          FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine,
          SvgContext = true, DetectionType = "SvgFileWrite";
// Detection 3: Script execution from temp/download directories (common SVG payload drop locations)
let SvgPayloadExecution = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (SuspiciousChildProcesses)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\")
| where InitiatingProcessFileName has_any (BrowserProcesses) or InitiatingProcessFileName has_any (MailClients)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          SvgContext = false, DetectionType = "PayloadFromDownloads";
union SvgSpawnedProcesses, SvgFileWrites, SvgPayloadExecution
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Network: Network Connection Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate SVG downloads from design or documentation tools where developers open SVG files normally
Web development workflows where SVG files are edited and executed locally via browser for testing
Corporate applications that use SVG icons or graphics and invoke browser rendering legitimately
Email clients that preview SVG images attached to legitimate business communications

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval BrowserParent=case(
    match(ParentImage, "(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe)"), 1,
    true(), 0)
| eval MailClientParent=case(
    match(ParentImage, "(?i)(outlook\.exe|thunderbird\.exe|winmail\.exe)"), 1,
    true(), 0)
| eval SuspiciousChild=case(
    match(Image, "(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|msiexec\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)"), 1,
    true(), 0)
| eval SvgInCommandLine=case(
    match(CommandLine, "(?i)\.svg"), 1,
    match(ParentCommandLine, "(?i)\.svg"), 1,
    true(), 0)
| eval SvgFileEvent=case(
    EventCode=11 AND match(TargetFilename, "(?i)\.svg$"), 1,
    true(), 0)
| eval DropPathExecution=case(
    match(Image, "(?i)(cmd\.exe|powershell\.exe|wscript\.exe|mshta\.exe)") AND match(Image, "(?i)(downloads|temp|appdata)"), 1,
    true(), 0)
| where (EventCode=1 AND (BrowserParent=1 OR MailClientParent=1) AND SuspiciousChild=1)
    OR (EventCode=11 AND (BrowserParent=1 OR MailClientParent=1) AND SvgFileEvent=1)
    OR (EventCode=1 AND (BrowserParent=1 OR MailClientParent=1) AND SvgInCommandLine=1)
| eval DetectionType=case(
    EventCode=1 AND SuspiciousChild=1 AND SvgInCommandLine=1, "SVG_Spawned_Suspicious_Process_With_SVG_Context",
    EventCode=1 AND SuspiciousChild=1, "Browser_Or_Mail_Spawned_Suspicious_Process",
    EventCode=11 AND SvgFileEvent=1, "SVG_File_Written_By_Browser_Or_Mail",
    true(), "SVG_Smuggling_Indicator")
| eval RiskScore=BrowserParent + MailClientParent + SuspiciousChild + SvgInCommandLine + SvgFileEvent
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, DetectionType, RiskScore
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1 Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate SVG downloads from design or documentation tools where developers open SVG files normally
Web development workflows where SVG files are edited and executed locally via browser for testing
Corporate applications that use SVG icons or graphics and invoke browser rendering legitimately
Email clients that preview SVG images attached to legitimate business communications

Elastic Security (EQL)

eql

any where
  (event.category == "process" and event.type == "start" and
   process.parent.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "outlook.exe", "thunderbird.exe", "winmail.exe") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe", "curl.exe", "wget.exe"))
  or
  (event.category == "file" and event.type == "creation" and
   file.extension : "svg" and
   process.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "outlook.exe", "thunderbird.exe", "winmail.exe"))
  or
  (event.category == "process" and event.type == "start" and
   process.parent.name : ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "opera.exe", "brave.exe", "outlook.exe", "thunderbird.exe", "winmail.exe") and
   process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe", "curl.exe", "wget.exe") and
   (process.command_line like~ "*downloads*" or process.command_line like~ "*\\temp\\*" or process.command_line like~ "*appdata*"))

high severity medium confidence

Data Sources

Elastic Endpoint Security (logs-endpoint.events.process-*, logs-endpoint.events.file-*) Winlogbeat with Sysmon module (winlogbeat-*) Filebeat Windows module with Sysmon pipeline

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate browser extensions or download managers (e.g., IDM, Free Download Manager) that invoke cmd.exe or powershell.exe as post-download handlers — these will match the parent-child process pattern without any malicious SVG involvement.
Enterprise software deployment portals accessed via browser where clicking an installer link causes the browser to spawn msiexec.exe or a similar LOLBin — common in large organisations using web-based software catalogues.
Electron-based applications (VS Code, Slack, Teams) that embed a Chromium renderer (process.parent.name matching browser patterns) and legitimately invoke PowerShell or cmd.exe for shell integration, terminal features, or auto-update workflows.
Web-based SVG design tools (Figma native desktop with embedded browser, or browser-based Inkscape/Canva equivalents) that write SVG files to disk and then invoke local script interpreters for export or processing pipelines.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  username AS UserName,
  "Computer" AS Hostname,
  "EventID" AS EventID,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcessImage,
  "ParentCommandLine" AS ParentCommandLine,
  "TargetFilename" AS TargetFile,
  CASE
    WHEN "EventID" = '11' AND REGEXP_MATCH("TargetFilename", '(?i)\.svg$')
      THEN 'SVG_File_Written_By_Browser_Or_Mail'
    WHEN "EventID" = '1'
      AND (REGEXP_MATCH("CommandLine", '(?i)\.svg')
           OR REGEXP_MATCH("ParentCommandLine", '(?i)\.svg'))
      THEN 'SVG_Context_Suspicious_Process_Spawn'
    ELSE 'Browser_Mail_Client_Spawned_Suspicious_Process'
  END AS DetectionType,
  (CASE WHEN "EventID" = '11' THEN 1 ELSE 0 END
   + CASE WHEN REGEXP_MATCH("CommandLine", '(?i)\.svg')
              OR REGEXP_MATCH("ParentCommandLine", '(?i)\.svg') THEN 1 ELSE 0 END
   + CASE WHEN REGEXP_MATCH("Image", '(?i)(cmd\.exe|powershell\.exe|wscript\.exe|mshta\.exe)') THEN 1 ELSE 0 END) AS RiskScore
FROM events
WHERE
  "EventID" IN ('1', '11')
  AND REGEXP_MATCH("ParentImage", '(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|outlook\.exe|thunderbird\.exe|winmail\.exe)')
  AND (
    (
      "EventID" = '1'
      AND REGEXP_MATCH("Image", '(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|msiexec\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)')
    )
    OR (
      "EventID" = '11'
      AND REGEXP_MATCH("TargetFilename", '(?i)\.svg$')
    )
  )
LAST 24 HOURS
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM with Sysmon Universal DSM or WinCollect Windows Sysmon (EventID 1 and EventID 11 ingested as custom event properties)

Required Tables

events

False Positives

Enterprise browser management or endpoint security agents (e.g., Cisco Umbrella roaming client, Zscaler Client Connector) that hook browser processes and legitimately invoke cmd.exe or powershell.exe for network policy enforcement — these will match the ParentImage filter.
Corporate Outlook deployments integrated with DLP or email gateway tools that spawn script-based utilities (certutil.exe, msiexec.exe) as part of attachment scanning or S/MIME certificate validation workflows.
Developer workstations where web-based IDEs (JupyterLab, Eclipse Theia in browser) invoke shell processes for code execution or build triggers — browser parent + cmd/powershell child is a legitimate pattern in these environments.

Sumo Logic CSE

sql

_sourceCategory=*windows* (EventID=1 OR EventID=11)
| parse regex "<EventID.*?>(?P<EventID>\d+)</EventID>" nodrop
| parse regex "<Image.*?>(?P<Image>[^<]+)</Image>" nodrop
| parse regex "<CommandLine.*?>(?P<CommandLine>[^<]+)</CommandLine>" nodrop
| parse regex "<ParentImage.*?>(?P<ParentImage>[^<]+)</ParentImage>" nodrop
| parse regex "<ParentCommandLine.*?>(?P<ParentCommandLine>[^<]+)</ParentCommandLine>" nodrop
| parse regex "<TargetFilename.*?>(?P<TargetFilename>[^<]+)</TargetFilename>" nodrop
| parse regex "<User.*?>(?P<User>[^<]+)</User>" nodrop
| parse regex "<Computer>(?P<Computer>[^<]+)</Computer>" nodrop
| where EventID in ("1", "11")
| where ParentImage matches /(?i)(chrome|msedge|firefox|iexplore|opera|brave|outlook|thunderbird|winmail)\.exe/
| where (EventID == "1" AND Image matches /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|bitsadmin|curl|wget)\.exe/)
    OR (EventID == "11" AND TargetFilename matches /(?i)\.svg$/)
| if (EventID == "11", "SVG_File_Written",
    if (CommandLine matches /(?i)\.svg/ OR ParentCommandLine matches /(?i)\.svg/,
        "SVG_Context_Process_Spawn", "Browser_Mail_Suspicious_Child_Process")) as DetectionType
| if (CommandLine matches /(?i)(downloads|temp|appdata)/, 1, 0) as DropPathBonus
| if (CommandLine matches /(?i)\.svg/ OR ParentCommandLine matches /(?i)\.svg/, 1, 0) as SvgContextBonus
| (1 + DropPathBonus + SvgContextBonus) as RiskScore
| fields _messageTime, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, TargetFilename, DetectionType, RiskScore
| sort by _messageTime desc

high severity medium confidence

Data Sources

Windows Sysmon events forwarded in XML format (XmlWinEventLog:Microsoft-Windows-Sysmon/Operational) Sumo Logic Installed Collector with Windows Event Log source, or Sumo Logic Windows Sysmon app

Required Tables

_sourceCategory=*windows*

False Positives

Web-based SVG design platforms (e.g., Canva desktop app using embedded browser, browser-based Inkscape) that legitimately download SVG files and subsequently invoke local utilities for format conversion or export processing.
Email security awareness training platforms (KnowBe4, Proofpoint Security Awareness) that deliver simulated phishing emails with SVG attachments to test detection coverage — analyst test machines will generate this alert intentionally.
Browser-based CI/CD dashboards (GitHub Actions web UI, Jenkins) where clicking an artifact download link triggers a helper script via a browser extension or OS file handler association, creating a browser-parent + cmd-child process chain.

Google Chronicle / SecOps

yaral

rule t1027_017_svg_smuggling_browser_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SVG Smuggling (T1027.017): browser or mail client spawning a suspicious child process consistent with payload execution from a malicious SVG file"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.017"
    mitre_attack_technique_name = "SVG Smuggling"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|outlook\.exe|thunderbird\.exe|winmail\.exe)`)
    re.regex($proc.target.process.file.full_path,
      `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|msiexec\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)`)

  condition:
    $proc
}

rule t1027_017_svg_file_written_by_browser {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SVG Smuggling (T1027.017): SVG file written to disk by a browser or mail client — use as a lower-confidence precursor signal, correlate with the process spawn rule"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.017"
    mitre_attack_technique_name = "SVG Smuggling"
    severity = "MEDIUM"
    confidence = "LOW"
    version = "1.0"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    re.regex($file.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|outlook\.exe|thunderbird\.exe|winmail\.exe)`)
    re.regex($file.target.file.full_path, `(?i)\.svg$`)

  condition:
    $file
}

high severity medium confidence

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH and FILE_CREATION event types) Microsoft Defender for Endpoint via Chronicle ingestion pipeline Windows Sysmon events forwarded via Chronicle Forwarder

Required Tables

UDM Events — PROCESS_LAUNCH UDM Events — FILE_CREATION

False Positives

Rule 2 (SVG file write) alone will generate very high false positive volume since any browser downloading an SVG image from a legitimate website (icon libraries, marketing assets, design systems) will trigger it — only treat it as an alert when correlated with Rule 1.
Enterprise endpoint management or RMM tools (Datto, NinjaRMM) with browser-based agent consoles that spawn msiexec.exe or certutil.exe for patch deployment will match Rule 1 without SVG involvement.
IT support staff using browser-based remote administration tools that invoke PowerShell for system management — the browser process spawning powershell.exe is flagged regardless of SVG context.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ParentBaseFileName = /(?i)(chrome|msedge|firefox|iexplore|opera|brave|outlook|thunderbird|winmail)\.exe/
| FileName = /(?i)(cmd|powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|certutil|msiexec|bitsadmin|curl|wget)\.exe/
| SvgInCommandLine := if(
    CommandLine = /(?i)\.svg/ OR ParentCommandLine = /(?i)\.svg/,
    "true", "false"
  )
| DropPathLaunch := if(
    CommandLine = /(?i)(downloads|\\temp\\|appdata)/,
    "true", "false"
  )
| RiskScore := if(SvgInCommandLine = "true", 2, 1) + if(DropPathLaunch = "true", 1, 0)
| DetectionType := case(
    SvgInCommandLine = "true" AND DropPathLaunch = "true", "SVG_Smuggling_High_Confidence",
    SvgInCommandLine = "true", "SVG_Context_Suspicious_Spawn",
    DropPathLaunch = "true", "Suspicious_Spawn_From_Drop_Path",
    true(), "Browser_Mail_Spawned_Suspicious_Process"
  )
| select([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, SvgInCommandLine, DropPathLaunch, RiskScore, DetectionType])
| sort(timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2 event stream) Falcon LogScale / CrowdStrike Next-Gen SIEM

Required Tables

ProcessRollup2

False Positives

Browser-initiated installer workflows where the user clicks 'Run' on a downloaded file from Chrome or Edge, causing the browser to spawn msiexec.exe or a setup executable — extremely common in enterprise environments without application whitelisting.
Password managers or corporate SSO browser extensions (1Password, LastPass, Okta Verify) that inject into browser processes and occasionally invoke PowerShell for credential database sync or system keychain integration.
Development workstations where engineers use browser-based tools (GitHub Codespaces browser tab, Jupyter notebooks served locally) that legitimately spawn cmd.exe or curl.exe for build automation or notebook kernel management.

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1027.017 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

SVG Smuggling

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections