2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article explains how to use Sysmon and the Zone.Identifier alternate data stream (ADS) that browsers write to downloaded files to detect HTML smuggling attacks. The editor considers it very practical and shares it here for reference.
Sysmon ID 15 (FileCreateStreamHash)
Starting with version 11.10, Sysmon records the contents of small alternate data streams in the Contents field of Event ID 15 (FileCreateStreamHash). So if the browser leaves an artifact of the HTML smuggling page in the Zone.Identifier ADS of the downloaded file, Sysmon can be used to detect that an HTML smuggling download has occurred.
Testing method
To test each browser, I used the HTML smuggling demo page published by Outflank. In each browser I opened the page both through its original URL and as a locally saved copy, to determine whether the browser treats the downloaded file differently depending on the scheme used to load the page (http:// or https:// versus file://).
Browser versions tested:
Google Chrome version 88.0.4324.96 (Official Build) (64-bit)
Mozilla Firefox version 84.0.2 (64-bit)
Microsoft Edge (Chromium) version 88.0.705.50 (Official Build) (64-bit)
Microsoft Edge (Legacy) version 44.18362.449.0
Note: by "smuggling page" I mean the HTML page that performs the smuggling, for example https://www.outflank.nl/demo/html_smuggling.html or C:\Users\Joshua\Downloads\html_smuggling.html
Google Chrome, Firefox and Chromium-based Edge all exhibit the same behavior. For both hosted and local smuggling pages, a Zone.Identifier ADS is created on the downloaded file, but the HostUrl property is set to about:internet instead of the URL of the original page.
Legacy Edge handles these files differently. When the smuggling page is served over HTTP(S), a Zone.Identifier ADS is created and the HostUrl property is set to the URL of the original page, prefixed with blob:.
When the smuggling page is opened locally, Legacy Edge only creates a Zone.Identifier ADS for the downloaded document if the smuggling page itself carries one. Modern e-mail clients write a Zone.Identifier ADS to attachments from Internet messages, so Sysmon should still see files dropped by a smuggling page that was sent by e-mail, saved and opened in Legacy Edge.
In that case the HostUrl property is empty, but ReferrerUrl points to the smuggling page.
Summary
Browser        | MOTW created (http://) | MOTW created (file://) | Stream contains document URL | Identifiable as HTML smuggling
Google Chrome  | yes                    | yes                    | no                           | yes (HostUrl=about:internet)
Firefox        | yes                    | yes                    | no                           | yes (HostUrl=about:internet)
Chromium Edge  | yes                    | yes                    | no                           | yes (HostUrl=about:internet)
Legacy Edge    | yes                    | depends *              | yes (http:// and file://)    | yes for http:// (HostUrl=blob:), depends * for file://
* For a local smuggling page (file://), Legacy Edge only creates a Zone.Identifier ADS for the downloaded file if the smuggling page itself has one; when it does, HostUrl is empty and only ReferrerUrl points to the smuggling page.
Sysmon rule
From the above results, we can see that Sysmon can detect HTML Smuggling attacks by looking for Zone.Identifier alternate data streams that contain one of the following two values:
HostUrl=about:internet
HostUrl=blob:
Sysmon XML (requires Sysmon 11.10 or later, since the Contents field is needed; place the rule group inside EventFiltering):
    <RuleGroup name="HTML smuggling" groupRelation="or">
      <FileCreateStreamHash onmatch="include">
        <Rule groupRelation="and">
          <TargetFilename condition="end with">Zone.Identifier</TargetFilename>
          <Contents condition="contains any">blob:;about:internet</Contents>
        </Rule>
      </FileCreateStreamHash>
    </RuleGroup>
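The following Python script is an added example, not code from the original article or from Outflank. It ties together the two points above: the Zone.Identifier text that Sysmon 11.10+ puts in the Contents field of Event ID 15, and the detection rule (HostUrl beginning with about:internet or blob:). It parses the [ZoneTransfer] section, applies the rule to a list of Sysmon events and returns the findings. The sample events, paths, process images and blob URL are constructed for the example; the assumption that Sysmon may render the stream on a single line with the line breaks collapsed to whitespace is handled by the parser but is not something the article states. The read_zone_identifier helper reads the stream straight from disk and only works on Windows/NTFS.

```python
"""Triage Sysmon Event ID 15 (FileCreateStreamHash) records for HTML smuggling."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators from the article's test results.
SMUGGLING_HOSTURL_PREFIXES = ("about:internet", "blob:")


@dataclass
class ZoneIdentifier:
    zone_id: Optional[int]
    host_url: Optional[str]
    referrer_url: Optional[str]


def parse_zone_identifier(text: str) -> ZoneIdentifier:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream.

    Accepts the raw multi-line stream and (assumption) a single-line rendering
    in which the line breaks were collapsed to runs of whitespace.
    """
    fields = {}
    in_zone_transfer = False
    for line in re.split(r"\r?\n|\s{2,}", text):
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_zone_transfer = line[1:-1].lower() == "zonetransfer"
            continue
        if in_zone_transfer and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    zone = fields.get("zoneid")
    return ZoneIdentifier(
        zone_id=int(zone) if zone and zone.isdigit() else None,
        host_url=fields.get("hosturl"),
        referrer_url=fields.get("referrerurl"),
    )


def matches_smuggling_rule(zi: ZoneIdentifier) -> bool:
    """The article's rule: HostUrl starts with about:internet or blob:."""
    return (zi.host_url or "").lower().startswith(SMUGGLING_HOSTURL_PREFIXES)


def triage_event(event: dict) -> Optional[dict]:
    """Return a finding for one Sysmon event (field name -> value), or None.

    Only Event ID 15 records whose TargetFilename is a Zone.Identifier stream
    are considered, mirroring the 'end with Zone.Identifier' condition.
    """
    if event.get("EventID") != 15:
        return None
    target = event.get("TargetFilename", "")
    if not target.lower().endswith(":zone.identifier"):
        return None
    zi = parse_zone_identifier(event.get("Contents", ""))
    if not matches_smuggling_rule(zi):
        return None
    return {
        "file": target[: -len(":Zone.Identifier")],
        "image": event.get("Image"),
        "host_url": zi.host_url,
        "referrer_url": zi.referrer_url,
    }


def read_zone_identifier(path: str) -> str:
    """Read a file's Zone.Identifier ADS directly (Windows/NTFS only)."""
    with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
        return f.read()


# Constructed sample events modelled on the browser behaviour described above.
SAMPLE_EVENTS = [
    {   # Chromium-based browser: HostUrl replaced by about:internet
        "EventID": 15,
        "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "TargetFilename": r"C:\Users\Joshua\Downloads\invoice.docx:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=about:internet\r\n",
    },
    {   # Legacy Edge, page served over HTTPS: HostUrl is the blob: URL (made-up UUID)
        "EventID": 15,
        "Image": r"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe",
        "TargetFilename": r"C:\Users\Joshua\Downloads\report.docx:Zone.Identifier",
        "Contents": "[ZoneTransfer]  ZoneId=3  "
                    "ReferrerUrl=https://www.outflank.nl/demo/html_smuggling.html  "
                    "HostUrl=blob:https://www.outflank.nl/00000000-0000-0000-0000-000000000000",
    },
    {   # Ordinary download: a real HostUrl, so not smuggling
        "EventID": 15,
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "TargetFilename": r"C:\Users\Joshua\Downloads\setup.exe:Zone.Identifier",
        "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.com/\r\n"
                    "HostUrl=https://example.com/setup.exe\r\n",
    },
    {   # Unrelated ADS creation: not a Zone.Identifier stream, ignored
        "EventID": 15,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\Joshua\Desktop\notes.txt:com.dropbox.attrs",
        "Contents": "",
    },
]


def run(events=SAMPLE_EVENTS):
    """Apply the rule to every event and return the list of findings."""
    findings = [f for f in (triage_event(e) for e in events) if f]
    for f in findings:
        print(f"HTML smuggling download: {f['file']} via {f['image']} (HostUrl={f['host_url']})")
    return findings


if __name__ == "__main__":
    run()
```

Running the script flags the Chrome and Legacy Edge samples and ignores the ordinary download and the non-Zone.Identifier stream. Note the gap the article's table already points out: a Legacy Edge download from a local smuggling page carries an empty HostUrl, so this rule does not fire on it; in that case only ReferrerUrl (returned in the finding when present) identifies the page.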