← Back to Explore
sublimehighRule
Attachment: SVG file execution
Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.
Detection Query
type.inbound
and any(attachments,
(
.file_extension =~ "svg"
or .file_extension in $file_extensions_common_archives
or .file_type == "svg"
)
and any(file.explode(.),
.file_extension == "svg"
// Author Matt harr0ey @harr0ey
// Topic: SVG file Execution
// WScript inside SVG
// <script language="JScript">
// <![CDATA[
// var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
// ]]>
// </script>
and any(.scan.strings.strings,
strings.icontains(., "ActiveXObject")
)
and any(.scan.strings.strings,
strings.icontains(., "WScript.Shell")
)
and any(.scan.strings.strings,
strings.like(., "*Run*", "*Execute*")
)
)
)
Data Sources
Email MessagesEmail HeadersEmail Attachments
Platforms
email
Raw Content
name: "Attachment: SVG file execution"
description: |
Detects file execution attempts in SVG files. ActiveXObject is used to invoke WScript.Shell and run a program.
references:
- "https://delivr.to/payloads?id=511ae995-5401-4c60-ae50-08a5b12b3f4b"
type: "rule"
severity: "high"
source: |
type.inbound
and any(attachments,
(
.file_extension =~ "svg"
or .file_extension in $file_extensions_common_archives
or .file_type == "svg"
)
and any(file.explode(.),
.file_extension == "svg"
// Author Matt harr0ey @harr0ey
// Topic: SVG file Execution
// WScript inside SVG
// <script language="JScript">
// <![CDATA[
// var r = new ActiveXObject("WScript.Shell").Run("calc.exe")
// ]]>
// </script>
and any(.scan.strings.strings,
strings.icontains(., "ActiveXObject")
)
and any(.scan.strings.strings,
strings.icontains(., "WScript.Shell")
)
and any(.scan.strings.strings,
strings.like(., "*Run*", "*Execute*")
)
)
)
attack_types:
- "Malware/Ransomware"
tactics_and_techniques:
- "Scripting"
detection_methods:
- "Archive analysis"
- "Content analysis"
- "File analysis"
id: "084b0cde-4352-5624-b1e8-2d9ecd1f7218"