
DET0313 Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop

Item            Value
ID              DET0313
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1027.006 (HTML Smuggling)

Analytics

Windows

AN0872

Detection of browser- or email-client-driven file creation (often in temp or Downloads directories) following navigation to, or execution of, an HTML file that uses the JavaScript Blob API or a base64 data: URL, with follow-on execution of the dropped payload. Sysmon EventID 15 (FileCreateStreamHash) exposes the Zone.Identifier ADS written alongside the file; its HostUrl/ReferrerUrl fields distinguish a locally assembled file from a normal download (e.g., HostUrl=about:internet instead of the originating HTTPS URL). Optional: the absence of a large HTTP download record for the same URL/client in proxy logs corroborates local assembly.

Log Sources
Data Component                      Name                  Channel
File Creation (DC0039)              WinEventLog:Sysmon    EventCode=11
Process Creation (DC0032)           WinEventLog:Sysmon    EventCode=1
File Metadata (DC0059)              EDR:detection         App reputation telemetry
File Metadata (DC0059)              WinEventLog:Sysmon    EventCode=15
Network Traffic Content (DC0085)    Network Traffic       None
Mutable Elements
Field                            Description
TimeWindow                       Time range between HTML file open and file drop + execution (e.g., 1–10 minutes)
DroppedFileExtensionWatchlist    Tunable list of file extensions of interest (e.g., .js, .hta, .exe)
ParentProcessName                Expected processes that may drop files (e.g., browser, Outlook); tune for normal behavior
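The correlation AN0872 describes, as an added worked example that is not code from the ATT&CK page or from Sysmon: it joins Sysmon EventCode 11 (file create), 15 (Zone.Identifier stream) and 1 (process create) records using the three mutable elements above. The sample events, the watchlist values and the process names are constructed for illustration, and the Contents field on the EventCode 15 records assumes a Sysmon build that logs the text of the stream.

```python
"""Correlate Sysmon 11 (FileCreate), 15 (FileCreateStreamHash) and 1 (ProcessCreate)
events into an HTML-smuggling alert. Added example; all events below are constructed."""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Mutable elements from AN0872; the values are assumptions to tune per environment.
TIME_WINDOW = timedelta(minutes=10)
DROPPED_FILE_EXTENSION_WATCHLIST = {".js", ".hta", ".exe"}
PARENT_PROCESS_NAMES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def parse_zone_identifier(contents):
    """Parse the key=value text of a Zone.Identifier stream (Sysmon 15 'Contents')."""
    zone = {}
    for line in contents.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            zone[key.strip().lower()] = value.strip()
    return zone


def is_locally_assembled(zone):
    """A blob/data-URL drop has no origin URL, so Chromium writes HostUrl=about:internet
    (ZoneId=3 still marks it Internet-sourced); a real download carries the HTTPS URL."""
    host = zone.get("hosturl", "").lower()
    return zone.get("zoneid") == "3" and (host == "about:internet" or host.startswith("blob:"))


def _name(path):
    return PureWindowsPath(path).name.lower()


def correlate(events):
    """Return one alert per watched file that a browser/mail client dropped and that was
    executed (as the Image or on the CommandLine) within TIME_WINDOW of the drop."""
    drops = {}      # lowercased dropped path -> drop record
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        code = ev["EventCode"]
        if code == 11:
            target = ev["TargetFilename"]
            if (_name(ev["Image"]) in PARENT_PROCESS_NAMES
                    and PureWindowsPath(target).suffix.lower() in DROPPED_FILE_EXTENSION_WATCHLIST):
                drops[target.lower()] = {"path": target, "time": ts, "dropper": ev["Image"], "zone": {}}
        elif code == 15:
            base, _, stream = ev["TargetFilename"].rpartition(":")
            if stream.lower() == "zone.identifier" and base.lower() in drops:
                drops[base.lower()]["zone"] = parse_zone_identifier(ev.get("Contents", ""))
        elif code == 1:
            image = ev["Image"].lower()
            cmdline = ev.get("CommandLine", "").lower()
            for key, drop in list(drops.items()):
                if key != image and key not in cmdline:
                    continue
                age = ts - drop["time"]
                if timedelta(0) <= age <= TIME_WINDOW:
                    zone = drop["zone"]
                    alerts.append({
                        "dropped_file": drop["path"],
                        "dropper": drop["dropper"],
                        "executor": ev["Image"],
                        "seconds_to_exec": age.total_seconds(),
                        "host_url": zone.get("hosturl"),
                        "local_assembly": is_locally_assembled(zone),
                    })
                    del drops[key]
    return alerts


def _ev(code, utc, image, **fields):
    return {"EventCode": code, "UtcTime": utc, "Image": image, **fields}


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"

SAMPLE_EVENTS = [  # constructed; paths and times are illustrative
    _ev(11, "2025-10-21 10:00:01.000", CHROME, TargetFilename=r"C:\Users\alice\Downloads\invoice.js"),
    _ev(15, "2025-10-21 10:00:01.050", CHROME, TargetFilename=r"C:\Users\alice\Downloads\invoice.js:Zone.Identifier",
        Contents="[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n"),
    _ev(11, "2025-10-21 10:00:20.000", CHROME, TargetFilename=r"C:\Users\alice\Downloads\notes.txt"),
    _ev(1, "2025-10-21 10:01:30.000", r"C:\Windows\System32\wscript.exe",
        CommandLine=r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\Downloads\invoice.js"'),
    _ev(11, "2025-10-21 11:30:00.000", EDGE, TargetFilename=r"C:\Users\alice\Downloads\setup.exe"),
    _ev(15, "2025-10-21 11:30:00.100", EDGE, TargetFilename=r"C:\Users\alice\Downloads\setup.exe:Zone.Identifier",
        Contents="[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://downloads.example.com/\r\n"
                 "HostUrl=https://downloads.example.com/setup.exe\r\n"),
    _ev(1, "2025-10-21 11:30:40.000", r"C:\Users\alice\Downloads\setup.exe",
        CommandLine=r'"C:\Users\alice\Downloads\setup.exe"'),
    _ev(11, "2025-10-21 12:00:00.000", OUTLOOK, TargetFilename=r"C:\Users\alice\AppData\Local\Temp\old.hta"),
    _ev(1, "2025-10-21 15:10:00.000", r"C:\Windows\System32\mshta.exe",
        CommandLine=r'mshta.exe "C:\Users\alice\AppData\Local\Temp\old.hta"'),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, the script raises two alerts: invoice.js (dropped by Chrome, HostUrl=about:internet, run by wscript.exe 89 seconds later, local_assembly True) and setup.exe (a genuine Edge download with an HTTPS HostUrl, local_assembly False, which a triage rule can down-rank); old.hta is ignored because its execution falls outside TimeWindow. Script hosts such as wscript.exe and mshta.exe are matched on the command line rather than the Image field, since the dropped .js/.hta never appears as a process image.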

Linux

AN0873

Detection of browser-based downloads from HTML sources that trigger file creation in temp or user directories, followed by execution of the new file within a short timeframe and with suspicious parent-child lineage.

Log Sources
Data Component               Name              Channel
Process Creation (DC0032)    auditd:SYSCALL    execve
File Creation (DC0039)       linux:osquery     file_events
Mutable Elements
Field                      Description
DownloadPathRegex          Regular expressions for common download paths (e.g., /tmp/, ~/Downloads/)
ExecutableTriggerWindow    Tunable range for follow-up process execution from the dropped file (e.g., 5–15 minutes)

macOS

AN0874

Detection of HTML-based downloads via Safari/Chrome that write smuggled payloads (e.g., .zip, .app, .js) into user directories, followed by suspicious execution through Quick Look preview or LaunchServices.

Log Sources
Data Component               Name                              Channel
File Creation (DC0039)       macos:unifiedlog                  File Events
Process Creation (DC0032)    macos:osquery                     process_events
File Metadata (DC0059)       gatekeeper/quarantine database    LaunchServices quarantine
Mutable Elements
Field                    Description
QuarantineFlagCheck      Whether the dropped file carries the com.apple.quarantine attribute, and whether it was launched despite it or after the attribute was stripped (Gatekeeper bypass)
BlobKeywordAlertList     JavaScript strings that may indicate smuggling: msSaveBlob, download.href, createObjectURL
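BlobKeywordAlertList is a content check rather than an event correlation. The following added example (not code from the ATT&CK page) applies it to an HTML document captured as Network Traffic Content (DC0085) or taken from a mail attachment: it looks for the keywords, then locates and decodes large base64 literals and data: URLs so the analyst sees how big the embedded payload is and what it decodes to. Both HTML documents are constructed; the keywords `new Blob(` and `atob(` extend the page's list and the 1024-byte threshold is an assumption.

```python
"""Inspect HTML content for JavaScript Blob / data-URL smuggling indicators.
Added example; both HTML documents below are constructed."""
import base64
import binascii
import re

# BlobKeywordAlertList from AN0874, plus "new Blob(" and "atob(" (assumed additions).
BLOB_KEYWORD_ALERT_LIST = ("msSaveBlob", "download.href", "createObjectURL", "new Blob(", "atob(")

# Magic bytes used only to label a decoded payload for triage.
MAGIC = {b"MZ": "PE executable", b"PK\x03\x04": "ZIP archive",
         b"\x1f\x8b": "gzip", b"\x89PNG": "PNG image"}

# A quoted base64 run of 200+ chars, or a base64 data: URL body of 100+ chars.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{200,}={0,2})['"]""")
DATA_URL = re.compile(r"data:[\w.+/-]+;base64,([A-Za-z0-9+/=]{100,})")


def _label(data):
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def scan_html(html, min_payload_bytes=1024):
    """Return the smuggling keywords present and every large base64 literal that decodes,
    and flag the document when a Blob/download API and a sizeable payload both appear."""
    keywords = [k for k in BLOB_KEYWORD_ALERT_LIST if k in html]
    payloads, seen = [], set()
    for m in list(B64_LITERAL.finditer(html)) + list(DATA_URL.finditer(html)):
        b64 = m.group(1)
        if b64 in seen:
            continue
        seen.add(b64)
        try:
            data = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue  # not real base64 (e.g., a long identifier or hash)
        payloads.append({"size": len(data), "type": _label(data)})
    large = [p for p in payloads if p["size"] >= min_payload_bytes]
    return {"keywords": keywords, "payloads": payloads,
            "suspicious": bool(keywords) and bool(large)}


# Constructed smuggling page: a ZIP header plus padding, assembled with Blob + a.download.
_ZIP_B64 = base64.b64encode(b"PK\x03\x04" + bytes(2048)).decode()
SMUGGLING_HTML = (
    "<html><body><script>\n"
    "const b64 = '" + _ZIP_B64 + "';\n"
    "const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));\n"
    "const blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "const a = document.createElement('a');\n"
    "a.href = URL.createObjectURL(blob);\n"
    "a.download = 'invoice.zip';\n"
    "a.click();\n"
    "</script></body></html>")

# Constructed benign page: a small inline PNG data: URL and no Blob/download API.
_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(120)).decode()
BENIGN_HTML = ('<html><body><img src="data:image/png;base64,' + _PNG_B64 + '">'
               "<script>console.log('loaded');</script></body></html>")

if __name__ == "__main__":
    print(scan_html(SMUGGLING_HTML))
    print(scan_html(BENIGN_HTML))
```

The smuggling page is flagged (three keywords, one 2052-byte payload labelled as a ZIP archive); the benign page is not, because it uses no Blob/download API and its only payload is a 128-byte image. Real samples frequently XOR or RC4 the embedded bytes before base64-encoding them, in which case the decoded type comes back as unknown; the signal is the combination of the download API with a large embedded literal, not the magic bytes, so min_payload_bytes is the element to tune.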