T1027.017 Google Chronicle · YARA-L

Detect SVG Smuggling in Google Chronicle

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files. SVGs are vector-based image files constructed using XML and can legitimately include <script> tags, enabling adversaries to embed malicious JavaScript payloads. SVGs may appear less suspicious to users than other executable file types since they are often treated as image files. SVG smuggling can assemble or download malicious payloads, redirect users to malicious websites, or display interactive content such as fake login forms. SVG Smuggling may be used in conjunction with HTML Smuggling where an SVG with a malicious payload is included inside an HTML file.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1027 Obfuscated Files or Information
Sub-technique
T1027.017 SVG Smuggling
Canonical reference
https://attack.mitre.org/techniques/T1027/017/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1027_017_svg_smuggling_browser_spawn {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SVG Smuggling (T1027.017): browser or mail client spawning a suspicious child process consistent with payload execution from a malicious SVG file"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.017"
    mitre_attack_technique_name = "SVG Smuggling"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $proc.metadata.event_type = "PROCESS_LAUNCH"
    re.regex($proc.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|outlook\.exe|thunderbird\.exe|winmail\.exe)`)
    re.regex($proc.target.process.file.full_path,
      `(?i)(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|msiexec\.exe|bitsadmin\.exe|curl\.exe|wget\.exe)`)

  condition:
    $proc
}

rule t1027_017_svg_file_written_by_browser {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects SVG Smuggling (T1027.017): SVG file written to disk by a browser or mail client — use as a lower-confidence precursor signal, correlate with the process spawn rule"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1027.017"
    mitre_attack_technique_name = "SVG Smuggling"
    severity = "MEDIUM"
    confidence = "LOW"
    version = "1.0"

  events:
    $file.metadata.event_type = "FILE_CREATION"
    re.regex($file.principal.process.file.full_path,
      `(?i)(chrome\.exe|msedge\.exe|firefox\.exe|iexplore\.exe|opera\.exe|brave\.exe|outlook\.exe|thunderbird\.exe|winmail\.exe)`)
    re.regex($file.target.file.full_path, `(?i)\.svg$`)

  condition:
    $file
}
high severity medium confidence

Two Chronicle YARA-L 2.0 rules covering SVG Smuggling (T1027.017). Rule 1 (t1027_017_svg_smuggling_browser_spawn) is the primary high-confidence detection: it fires on PROCESS_LAUNCH UDM events where the principal process (parent) is a browser or mail client and the target process (spawned child) is a suspicious interpreter or LOLBin. In Chronicle UDM, principal represents the initiating process and target represents the newly created process. Rule 2 (t1027_017_svg_file_written_by_browser) is a lower-confidence precursor signal firing on FILE_CREATION events where a browser or mail client writes an .svg file to disk. Both rules use re.regex() with backtick raw strings for pattern matching on file.full_path fields.

Data Sources

Google Chronicle UDM (PROCESS_LAUNCH and FILE_CREATION event types)Microsoft Defender for Endpoint via Chronicle ingestion pipelineWindows Sysmon events forwarded via Chronicle Forwarder

Required Tables

UDM Events — PROCESS_LAUNCHUDM Events — FILE_CREATION

False Positives & Tuning

  • Rule 2 (SVG file write) alone will generate very high false positive volume since any browser downloading an SVG image from a legitimate website (icon libraries, marketing assets, design systems) will trigger it — only treat it as an alert when correlated with Rule 1.
  • Enterprise endpoint management or RMM tools (Datto, NinjaRMM) with browser-based agent consoles that spawn msiexec.exe or certutil.exe for patch deployment will match Rule 1 without SVG involvement.
  • IT support staff using browser-based remote administration tools that invoke PowerShell for system management — the browser process spawning powershell.exe is flagged regardless of SVG context.
Download portable Sigma rule (.yml)

Other platforms for T1027.017

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create and Open Malicious SVG with Embedded JavaScript

    Expected signal: Sysmon Event ID 11: File Create — TargetFilename ending in Invoice-2024.svg written to Downloads directory by powershell.exe. Sysmon Event ID 1: Process Create — browser process (e.g., msedge.exe or chrome.exe) launched with the SVG file path as argument. Sysmon Event ID 3: Network Connection — may be generated if browser makes requests after opening file.

  2. Test 2SVG Smuggling with Blob URL Payload Download Simulation

    Expected signal: Sysmon Event ID 11: File Create — document-viewer.svg written to Downloads by powershell.exe. If opened in browser: Sysmon Event ID 11 — browser may write document.exe to Downloads directory. Sysmon Event ID 1 — browser process launch with SVG path. Network telemetry: Blob URL creation stays local (no external network), but browser history records the file:// URI.

  3. Test 3SVG File Delivered via Email Simulation with Zone Identifier Check

    Expected signal: Sysmon Event ID 11: File Create — Invoice_March2024.svg created in Outlook INetCache directory by powershell.exe. Sysmon Event ID 15 (FileCreateStreamHash): ADS Zone.Identifier written to the SVG file, indicating internet-sourced content (Zone=3). This ADS event is a strong indicator of an externally-sourced file.

  4. Test 4SVG Embedded in HTML File (HTML Smuggling Combination)

    Expected signal: Sysmon Event ID 11: File Create — invoice-document.html written to Downloads by powershell.exe. Select-String output confirms presence of <svg>, <script>, atob, and blob indicators in the file. If opened in browser: potential Sysmon Event ID 11 for invoice.exe creation in Downloads.

Last updated: 2026-04-13 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1027.017 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1027Obfuscated Files or Information

Related Sub-techniques

T1027.001Binary PaddingT1027.002Software PackingT1027.003SteganographyT1027.004Compile After DeliveryT1027.005Indicator Removal from ToolsT1027.006HTML SmugglingT1027.007Dynamic API ResolutionT1027.008Stripped PayloadsT1027.009Embedded PayloadsT1027.010Command ObfuscationT1027.011Fileless StorageT1027.012LNK Icon SmugglingT1027.013Encrypted/Encoded FileT1027.014Polymorphic CodeT1027.015CompressionT1027.016Junk Code Insertion

Related Techniques

T1027Obfuscated Files or InformationT1027.006HTML SmugglingT1027.009Embedded PayloadsT1566.001Spearphishing AttachmentT1566.002Spearphishing LinkT1059.007JavaScriptT1105Ingress Tool TransferT1204.001Malicious LinkT1204.002Malicious FileT1036.008Masquerade File Type

Same Tactic: Defense Evasion

Popular Detections