Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.[1] SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include <script> tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files.
SVG smuggling can take a number of forms. For example, threat actors may include content that:
SVG Smuggling may be used in conjunction with HTML Smuggling where an SVG with a malicious payload is included inside an HTML file.[2] SVGs may also be included in other types of documents, such as PDFs.
| ID | Mitigation | Description |
|---|---|---|
| M1048 | Application Isolation and Sandboxing |
Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0510 | Detection Strategy for SVG Smuggling with Script Execution and Delivery Behavior | AN1407 |
Detects suspicious SVG file creation or download events followed by script engine execution (e.g., wscript.exe, mshta.exe, rundll32.exe), network callbacks, or browser-based credential collection. |
| AN1408 |
Detects downloaded SVG files followed by execution of browser processes or tools like xdg-open, and rapid follow-on network connections or process spawns to interpreters like python or bash. |
||
| AN1409 |
Detects SVGs downloaded via browser that invoke AppleScript, osascript, or JavaScriptCore processes, followed by network egress or file drop to LaunchAgents or ~/Library. |