Obfuscated Files or Information: SVG Smuggling

Other sub-techniques of Obfuscated Files or Information (17)

ID	Name
T1027.001	Binary Padding
T1027.002	Software Packing
T1027.003	Steganography
T1027.004	Compile After Delivery
T1027.005	Indicator Removal from Tools
T1027.006	HTML Smuggling
T1027.007	Dynamic API Resolution
T1027.008	Stripped Payloads
T1027.009	Embedded Payloads
T1027.010	Command Obfuscation
T1027.011	Fileless Storage
T1027.012	LNK Icon Smuggling
T1027.013	Encrypted/Encoded File
T1027.014	Polymorphic Code
T1027.015	Compression
T1027.016	Junk Code Insertion
T1027.017	SVG Smuggling

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign SVG files.^[1] SVGs, or Scalable Vector Graphics, are vector-based image files constructed using XML. As such, they can legitimately include <script> tags that enable adversaries to include malicious JavaScript payloads. However, SVGs may appear less suspicious to users than other types of executable files, as they are often treated as image files.

SVG smuggling can take a number of forms. For example, threat actors may include content that:

Assembles malicious payloads^[2]
Downloads malicious payloads^[3]
Redirects users to malicious websites^[4]
Displays interactive content to users, such as fake login forms and download buttons.^[4]

SVG Smuggling may be used in conjunction with HTML Smuggling where an SVG with a malicious payload is included inside an HTML file.^[2] SVGs may also be included in other types of documents, such as PDFs.

ID: T1027.017

Sub-technique of: T1027

ⓘ

Tactic: Defense Evasion

ⓘ

Platforms: Linux, Windows, macOS

Contributors: Dhiraj Mishra (@RandomDhiraj); Suraj Khetani (@r00treaver)

Version: 1.0

Created: 25 March 2025

Last Modified: 15 April 2025

Version Permalink

Live Version

Mitigations

ID	Mitigation	Description
M1048	Application Isolation and Sandboxing	Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist.

Detection

ID Data Source Data Component Detects

ID	Data Source	Data Component	Detects
DS0022	File	File Creation	Monitor for newly constructed files via JavaScript. Developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by SVG Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities. SVG Smuggling is often chained: .svg downloaded → parsed or executed by browser/email client Drops or references a secondary payload (HTML/JS/Payload) Follow-on execution with powershell, cmd, wscript, etc. Analytic 1 - Detect malicious use of SVG files embedded with script tags to assemble, download, or redirect to payloads. index= (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_audit" OR sourcetype="osquery")(file_name=".svg" OR file_path="\Downloads\.svg" OR file_path="/tmp/.svg" OR file_path="/Users//Downloads/.svg")\| join type=inner file_path [ search index= process_name IN ("powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe", "bash", "curl", "wget") \| stats min(_time) as proc_time by file_path, process_name, host]\| eval time_diff=proc_time - _time\| where time_diff >= 0 AND time_diff < 120\| table _time, host, user, file_path, file_name, process_name, command_line, time_diff\| sort _time Analytic 2 - Suspicious JavaScript or Obfuscation in SVG `file_name=".svg"\| rex field=_raw ""\| search js_payload="eval" OR js_payload="atob" OR js_payload="window.location" OR js_payload="document.write"\| table _time, file_name, js_payload`

DS0022

File

File Creation

Monitor for newly constructed files via JavaScript. Developing rules for the different variants, with a combination of different encoding and/or encryption schemes, may be very challenging. Consider monitoring files downloaded from the Internet, possibly by SVG Smuggling, for suspicious activities. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities.

SVG Smuggling is often chained:

.svg downloaded → parsed or executed by browser/email client
Drops or references a secondary payload (HTML/JS/Payload)
Follow-on execution with powershell, cmd, wscript, etc.

Analytic 1 - Detect malicious use of SVG files embedded with script tags to assemble, download, or redirect to payloads.

index= (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="linux_audit" OR sourcetype="osquery")(file_name=".svg" OR file_path="\Downloads\.svg" OR file_path="/tmp/.svg" OR file_path="/Users//Downloads/.svg")| join type=inner file_path [ search index= process_name IN ("powershell.exe", "wscript.exe", "cmd.exe", "mshta.exe", "bash", "curl", "wget") | stats min(_time) as proc_time by file_path, process_name, host]| eval time_diff=proc_time - _time| where time_diff >= 0 AND time_diff < 120| table _time, host, user, file_path, file_name, process_name, command_line, time_diff| sort _time

Analytic 2 - Suspicious JavaScript or Obfuscation in SVG

file_name=".svg"| rex field=_raw ""| search js_payload="eval" OR js_payload="atob" OR js_payload="window.location" OR js_payload="document.write"| table _time, file_name, js_payload

Obfuscated Files or Information: SVG Smuggling

Other sub-techniques of Obfuscated Files or Information (17)

Mitigations

Detection

References