Detection Strategy for HTML Smuggling via JavaScript Blob + Dynamic File Drop

Technique Detected: HTML Smuggling | T1027.006

ID: DET0313
Domains: Enterprise
Analytics: AN0872, AN0873, AN0874
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN0872

Detection of browser-based or email-client-driven file creation (often in temp directories) following navigation to, or execution of, HTML files that contain JavaScript Blob API calls or base64 data URLs, with follow-on execution of the dropped payload. Sysmon Event ID 15 is leveraged to inspect the Zone.Identifier alternate data stream (ADS) for HostUrl/ReferrerUrl indicators (e.g., HostUrl=about:internet). Optional: the absence of a correspondingly large HTTP download record for the same URL/client in proxy logs suggests local assembly of the file rather than a conventional download.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| File Metadata (DC0059) | EDR:detection | App reputation telemetry |
| File Metadata (DC0059) | WinEventLog:Sysmon | EventCode=15 |
| Network Traffic Content (DC0085) | Network Traffic | None |

Mutable Elements

| Field | Description |
| --- | --- |
| TimeWindow | Time range between HTML file open and file drop + execution (e.g., 1–10 minutes) |
| DroppedFileExtensionWatchlist | Tunable list of file extensions of interest (e.g., .js, .hta, .exe) |
| ParentProcessName | Expected processes that may drop files (e.g., browser, Outlook); tune for normal behavior |

AN0873

Detection of browser-based downloads from HTML sources that create files in temp or user directories, followed by execution of the new files within a short time frame and with suspicious parent-child process lineage.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Creation (DC0039) | linux:osquery | file_events |

Mutable Elements

| Field | Description |
| --- | --- |
| DownloadPathRegex | Regular expressions for common download paths (e.g., /tmp/, ~/Downloads/) |
| ExecutableTriggerWindow | Tunable range for follow-up process execution from the dropped file (e.g., 5–15 minutes) |
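The correlation that AN0872 and AN0873 describe (a watch-listed file dropped into a temp or download path by a browser or mail client, the Zone.Identifier stream marked HostUrl=about:internet where Sysmon Event ID 15 is available, then execution of that file inside the tunable window) written out as an added Python example. It is not part of this ATT&CK page. Record field names follow Sysmon, osquery file_events and auditd execve output; the constants map to the mutable elements above; the .sh watch-list entry, the path regex, the ten-minute window and every sample record are constructed assumptions.

```python
"""Correlate a browser or mail-client file drop with its later execution (AN0872, AN0873).
Added example, not part of the ATT&CK page. Field names follow Sysmon (UtcTime, Image,
TargetFilename, Contents, CommandLine), osquery file_events (time, action, target_path)
and auditd execve records (time, exe, argv); every record below is constructed."""
import re
from datetime import datetime, timedelta, timezone

# Mutable elements from the analytics as tunable constants (values assumed for the example).
TIME_WINDOW = timedelta(minutes=10)                                  # TimeWindow / ExecutableTriggerWindow
DROPPED_EXT_WATCHLIST = {".js", ".hta", ".exe", ".sh"}               # DroppedFileExtensionWatchlist
DROPPER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}  # ParentProcessName
DOWNLOAD_PATH_REGEX = re.compile(r"/(tmp|downloads|appdata/local/temp)/")      # DownloadPathRegex

def _norm(path):
    """Lower-case with forward slashes so Windows and Linux paths compare alike."""
    return path.replace("\\", "/").lower()

def _basename(path):
    return _norm(path).rsplit("/", 1)[-1]

def _epoch_utc(ts):
    """Epoch seconds to a naive UTC datetime, the same form Sysmon's UtcTime parses to."""
    return datetime.fromtimestamp(float(ts), timezone.utc).replace(tzinfo=None)

def sysmon_to_events(records):
    """Normalise Sysmon EventCode 11 (file create), 15 (Zone.Identifier ADS) and 1 (process create)."""
    out = []
    for r in records:
        ts, code = datetime.fromisoformat(r["UtcTime"]), r["EventCode"]
        if code == 11:
            out.append({"ts": ts, "kind": "drop", "path": _norm(r["TargetFilename"]),
                        "dropper": _basename(r["Image"])})
        elif code == 15 and r["TargetFilename"].lower().endswith(":zone.identifier"):
            host = re.search(r"HostUrl=(\S+)", r.get("Contents", ""))
            out.append({"ts": ts, "kind": "mark", "path": _norm(r["TargetFilename"].rsplit(":", 1)[0]),
                        "host_url": host.group(1) if host else None})
        elif code == 1:
            out.append({"ts": ts, "kind": "exec", "image": _norm(r["Image"]),
                        "cmdline": _norm(r["CommandLine"])})
    return out

def linux_to_events(file_events, execve_records):
    """Normalise osquery file_events (CREATED) and auditd execve records. file_events names
    no creating process, so the dropper is unknown and DownloadPathRegex alone scopes the drop."""
    out = [{"ts": _epoch_utc(r["time"]), "kind": "drop", "path": _norm(r["target_path"]), "dropper": None}
           for r in file_events if r["action"] == "CREATED"]
    out += [{"ts": _epoch_utc(r["time"]), "kind": "exec", "image": _norm(r["exe"]),
             "cmdline": _norm(" ".join(r["argv"]))} for r in execve_records]
    return out

def correlate(events, window=TIME_WINDOW):
    """One alert per watch-listed drop in a download path that is executed within `window`."""
    marks = {e["path"]: e for e in events if e["kind"] == "mark"}
    execs = sorted((e for e in events if e["kind"] == "exec"), key=lambda e: e["ts"])
    alerts = []
    for d in (e for e in events if e["kind"] == "drop"):
        name = _basename(d["path"])
        ext = name[name.rfind("."):] if "." in name else ""
        if ext not in DROPPED_EXT_WATCHLIST or not DOWNLOAD_PATH_REGEX.search(d["path"]):
            continue
        if d["dropper"] is not None and d["dropper"] not in DROPPER_PARENTS:
            continue  # tune ParentProcessName so expected droppers do not alert
        host_url = marks.get(d["path"], {}).get("host_url")
        for x in execs:
            delta = x["ts"] - d["ts"]
            if timedelta(0) <= delta <= window and (x["image"] == d["path"] or d["path"] in x["cmdline"]):
                alerts.append({"dropped": d["path"], "dropper": d["dropper"],
                               "executed_by": _basename(x["image"]),
                               "seconds_to_exec": int(delta.total_seconds()), "host_url": host_url,
                               # about:internet in the ADS, with no matching proxy download, suggests local assembly
                               "local_assembly_hint": host_url == "about:internet"})
                break
    return alerts

# Constructed sample telemetry: hosts, users and paths are invented for the example.
SYSMON = [
    {"EventCode": 11, "UtcTime": "2025-10-21 09:00:00", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.js"},
    {"EventCode": 15, "UtcTime": "2025-10-21 09:00:00", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\invoice.js:Zone.Identifier",
     "Contents": "[ZoneTransfer] ZoneId=3 HostUrl=about:internet"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:00:42", "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\invoice.js"'},
    # Benign-looking: an installer saved to Downloads but run well outside the window.
    {"EventCode": 11, "UtcTime": "2025-10-21 09:02:00", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\setup.exe"},
    {"EventCode": 1, "UtcTime": "2025-10-21 09:40:00", "Image": r"C:\Users\alice\Downloads\setup.exe",
     "CommandLine": r"C:\Users\alice\Downloads\setup.exe"},
]
FILE_EVENTS = [{"time": 1761000300, "action": "CREATED", "target_path": "/home/bob/Downloads/update.sh"}]
EXECVE = [{"time": 1761000360, "exe": "/usr/bin/bash", "argv": ["bash", "/home/bob/Downloads/update.sh"]}]

def demo():
    return correlate(sysmon_to_events(SYSMON) + linux_to_events(FILE_EVENTS, EXECVE))
```

Running demo() yields two alerts: the Temp\invoice.js drop executed by wscript.exe 42 seconds later with local_assembly_hint set from the ADS, and the Linux update.sh drop executed by bash after 60 seconds with no dropper attribution, because osquery's file_events table records no creating process and DownloadPathRegex alone scopes it. The setup.exe drop produces nothing: it runs 38 minutes after creation, outside the window, which is the tuning knob the analytics call TimeWindow and ExecutableTriggerWindow.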

AN0874

Detection of HTML-based downloads via Safari/Chrome that create obfuscated files (e.g., .zip, .app, .js) in user directories and are followed by suspicious executions from preview or launch services.

Log Sources

| Data Component | Name | Channel |
| --- | --- | --- |
| File Creation (DC0039) | macos:unifiedlog | File Events |
| Process Creation (DC0032) | macos:osquery | process_events |
| File Metadata (DC0059) | gatekeeper/quarantine database | LaunchServices quarantine |

Mutable Elements

| Field | Description |
| --- | --- |
| QuarantineFlagCheck | Whether the downloaded file carries a quarantine flag and whether Gatekeeper enforcement was bypassed |
| BlobKeywordAlertList | JavaScript strings that may indicate smuggling: msSaveBlob, download.href, createObjectURL |
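A static triage pass over HTML content built around the BlobKeywordAlertList above, as an added Python example that is not part of this ATT&CK page. The first three keywords are the page's own; the extra keywords, the 512-character base64 run threshold and the verdict rule (a save-path API plus an embedded encoded payload, since either alone is common on legitimate pages) are this example's assumptions, and all three sample documents are constructed, with zero bytes standing in for the embedded payload.

```python
"""Static triage of HTML content for JavaScript Blob smuggling indicators (AN0874 BlobKeywordAlertList).
Added example, not part of the ATT&CK page. The first three keywords are the page's
BlobKeywordAlertList; the other keywords, the base64 run length and the verdict rule are
this example's assumptions, and the sample documents are constructed."""
import base64
import re

BLOB_KEYWORDS = ("msSaveBlob", "download.href", "createObjectURL",   # page's BlobKeywordAlertList
                 "new Blob(", "atob(", "Uint8Array")                  # assumed additions
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")   # 512+ chars of base64 alphabet (threshold assumed)
DATA_URL = re.compile(r"data:[\w/.+-]+;base64,", re.I)  # inline base64 data URLs

def scan_html(text):
    """Return keyword hits, embedded-payload estimates and a coarse verdict for one document."""
    hits = [k for k in BLOB_KEYWORDS if k in text]
    runs = BASE64_RUN.findall(text)
    # Four base64 characters decode to three bytes; padding is stripped before estimating.
    embedded_bytes = sum(len(r.rstrip("=")) * 3 // 4 for r in runs)
    data_urls = len(DATA_URL.findall(text))
    # A save-path API together with an embedded encoded payload is the smuggling shape;
    # either alone (a web app using createObjectURL, a page with an inline image) is not.
    suspicious = bool(hits) and (bool(runs) or data_urls > 0)
    return {"keyword_hits": hits, "base64_runs": len(runs), "embedded_bytes": embedded_bytes,
            "data_urls": data_urls, "suspicious": suspicious}

# Constructed samples. The "payload" is 2048 zero bytes, not executable content.
FILLER_B64 = base64.b64encode(b"\x00" * 2048).decode()
SMUGGLING_HTML = f"""<html><body><script>
var raw = atob("{FILLER_B64}");
var blob = new Blob([raw]);
/* hand the blob to the browser's save path via navigator.msSaveBlob or URL.createObjectURL */
var u = URL.createObjectURL(blob);
</script></body></html>"""

# Constructed: an inline image carries a long base64 run but no blob/save-path APIs.
IMAGE_B64 = base64.b64encode(b"\x89PNG" + b"\x00" * 1020).decode()
BENIGN_IMAGE_HTML = f'<html><body><img src="data:image/png;base64,{IMAGE_B64}"></body></html>'

# Constructed: an ordinary web app previewing a user-chosen file, no embedded payload.
BENIGN_WEBAPP_HTML = """<script>
const url = URL.createObjectURL(fileInput.files[0]);  // preview a user-chosen image
preview.src = url;
</script>"""

def demo():
    return {name: scan_html(doc) for name, doc in
            [("smuggling", SMUGGLING_HTML), ("image", BENIGN_IMAGE_HTML), ("webapp", BENIGN_WEBAPP_HTML)]}
```

Only the first sample is flagged: it combines atob, new Blob, createObjectURL and a 2048-byte embedded run. The inline-image page has a long base64 run and a data URL but no save-path API, and the web app calls createObjectURL with nothing embedded, so neither fires; that pairing is what keeps a keyword list like BlobKeywordAlertList from alerting on every page that uses the Blob API.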