1. Home
  2. Detection Strategies
  3. Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior

Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior

Technique Detected:  SVG Smuggling | T1027.017

ID: DET0510
Domains: Enterprise
Analytics: AN1407, AN1408, AN1409
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025
Version Permalink

Analytics

AN1407

Detects suspicious SVG file creation or download events followed by script engine execution (e.g., wscript.exe, mshta.exe, rundll32.exe), network callbacks, or browser-based credential collection.

Log Sources
Data Component Name Channel
File Creation (DC0039) WinEventLog:Sysmon EventCode=11
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Network Connection Creation (DC0082) WinEventLog:Sysmon EventCode=3
Mutable Elements
Field Description
TimeWindow Threshold between SVG file write and script execution (e.g., < 60s)
ParentProcessWhitelist Allowlisted script engines that may invoke browsers or JS in benign cases
FileExtensionPattern Regex or string match for .svg, .svgz, or embedded .svg inside HTML or PDF

AN1408

Detects downloaded SVG files followed by execution of browser processes or tools like xdg-open, and rapid follow-on network connections or process spawns to interpreters like python or bash.

Log Sources
Data Component Name Channel
File Modification (DC0061) auditd:SYSCALL open, write
Process Creation (DC0032) auditd:SYSCALL execve
Network Traffic Content (DC0085) NSM:Flow Outbound HTTP/S
Mutable Elements
Field Description
TargetPaths Suspicious write locations such as /tmp/, ~/Downloads/
ExecutionContext Processes spawned by browsers or svg-viewing apps that invoke interpreters
NetworkDestinations URLs/IPs contacted post-SVG access – may reflect initial C2

AN1409

Detects SVGs downloaded via browser that invoke AppleScript, osascript, or JavaScriptCore processes, followed by network egress or file drop to LaunchAgents or ~/Library.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:endpointsecurity ES_EVENT_TYPE_NOTIFY_EXEC
Network Traffic Content (DC0085) macos:unifiedlog subsystem: com.apple.WebKit or com.apple.WebKit.Networking
Mutable Elements
Field Description
ScriptEngines Scriptable binaries such as osascript, jsc, JavaScriptCore – may vary by OS version
UserContext Restrict to non-system users or only specific login sessions
EmbeddedContentIndicators SVGs embedded inside PDFs or HTML with script-based triggers