Adversaries may use HTML file uploads to exfiltrate data or execute malicious code within a web application. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential web-based attacks that bypass traditional detection mechanisms.
YARA Rule
rule html_upload {
    strings:
        // Client-side control of a minimal upload form; matching is exact and
        // case-sensitive, so attribute order and single quotes must match.
        $upload_form = "<input type='submit' name='upload' value='upload'>"
        // Server-side PHP handler that processes the submitted form.
        $php_handler = "if($_POST['upload'])"
    condition:
        // Either string is enough; the size bound skips large legitimate pages.
        any of them and filesize < 500KB
}
The following scenarios describe legitimate activity that can match this rule; each is paired with a filter or exclusion that suppresses the false positive when the rule is deployed:
Scenario: Developer uploading a static HTML file for a new website
Filter/Exclusion: Exclude files with the .html or .htm extension uploaded to a known web server directory (e.g., /var/www/html/).
Scenario: System administrator deploying a scheduled backup job that includes HTML reports
Filter/Exclusion: Exclude files with the .html extension uploaded to a backup directory (e.g., /backup/reports/).
Scenario: Security team using a tool like Burp Suite to save HTTP responses as HTML for analysis
Filter/Exclusion: Exclude files with the .html extension uploaded to a temporary analysis directory (e.g., /tmp/burp/).
Scenario: IT staff using a configuration management tool like Ansible to deploy HTML-based dashboards
Filter/Exclusion: Exclude files with the .html extension uploaded to a known dashboard directory (e.g., /opt/dashboards/).
Scenario: User exporting a report from a business intelligence tool (e.g., Tableau) as HTML
Filter/Exclusion: Exclude files with the .html extension uploaded to a user-specific report directory (e.g., /home/user/reports/).
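The triage logic implied by the rule and the exclusion list above, as an added example rather than code from the original page. It re-implements the two rule strings and the filesize bound in pure Python (no yara-python dependency, so it runs offline), applies the page's five path-and-extension exclusions, and adds one assumption of my own: the PHP handler string is never excluded, since none of the listed directories should hold server-side upload code. Paths are normalised before the prefix check so that a path containing `..` cannot slip under an excluded directory. The sample files are constructed for the example.

```python
import posixpath
from typing import Dict, List, Tuple

# The two strings from the html_upload rule, as bytes (YARA matches raw bytes).
UPLOAD_FORM = b"<input type='submit' name='upload' value='upload'>"
PHP_HANDLER = b"if($_POST['upload'])"
MAX_SIZE = 500 * 1024  # "filesize < 500KB" in the rule

# Exclusions taken from the scenarios on the page: (directory prefix, extensions).
EXCLUSIONS: List[Tuple[str, Tuple[str, ...]]] = [
    ("/var/www/html/", (".html", ".htm")),
    ("/backup/reports/", (".html",)),
    ("/tmp/burp/", (".html",)),
    ("/opt/dashboards/", (".html",)),
    ("/home/user/reports/", (".html",)),
]


def rule_hits(content: bytes) -> List[str]:
    """Emulate the rule: return the names of strings found, or [] if it would not fire."""
    if len(content) >= MAX_SIZE:
        return []
    hits = []
    if UPLOAD_FORM in content:
        hits.append("$upload_form")
    if PHP_HANDLER in content:
        hits.append("$php_handler")
    return hits


def is_excluded(path: str, hits: List[str]) -> bool:
    """Apply the page's exclusions. Assumption (mine, not the page's): a hit on the
    PHP handler string is never excluded, whatever directory the file sits in."""
    if "$php_handler" in hits:
        return False
    norm = posixpath.normpath(path)  # collapses "..", so prefix checks are honest
    ext = posixpath.splitext(norm)[1].lower()
    return any(norm.startswith(d) and ext in exts for d, exts in EXCLUSIONS)


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to 'clean' (rule silent), 'excluded' (hit suppressed) or 'alert'."""
    verdicts = {}
    for path, content in files.items():
        hits = rule_hits(content)
        if not hits:
            verdicts[path] = "clean"
        elif is_excluded(path, hits):
            verdicts[path] = "excluded"
        else:
            verdicts[path] = "alert"
    return verdicts


# Constructed sample uploads covering each branch of the triage logic.
SAMPLE_FILES: Dict[str, bytes] = {
    "/var/www/html/index.html": b"<form method='post'>" + UPLOAD_FORM + b"</form>",
    "/var/www/html/uploads/upload.php": b"<?php " + PHP_HANDLER + b" { /* ... */ } ?>",
    "/home/user/reports/q1.html": b"<html>" + UPLOAD_FORM + b"</html>",
    "/srv/app/form.html": b"<html>" + UPLOAD_FORM + b"</html>",
    "/var/www/html/large.html": UPLOAD_FORM + b"A" * MAX_SIZE,
    "/var/www/html/../../../home/bob/form.html": UPLOAD_FORM,
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_FILES).items():
        print(f"{verdict:8} {path}")
```

Running the block prints `excluded` for the static pages in the listed directories, `alert` for the PHP handler and for the form outside any excluded directory (including the one whose raw path starts with `/var/www/html/` but normalises elsewhere), and `clean` for the oversized page that the rule's filesize bound skips. Checking `$php_handler` before the path exclusions is the design point: an exclusion scoped only by directory and extension would otherwise hide exactly the server-side file the rule is meant to catch.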