Description of the Idea of the Rule
Technique summary
"Browser cache smuggling" (also called "Living off the Browser") is a delivery and defense-evasion technique in which a phishing page serves an executable payload — ZIP, DLL, EXE, or script — under an HTTP Content-Type: image/jpeg header. Because the browser treats the response as a static image resource, it silently caches the file to disk without presenting a download prompt and without applying Mark-of-the-Web (MotW). The attacker then social-engineers the victim (via a ClickFix "Run" dialog or FileFix Explorer address bar lure) into running a command that carves the payload back out of the on-disk cache entry, decodes it, stages it to a writable/executable path, and executes it.
Why it is currently undetected by SigmaHQ
The two existing rules that mention browser cache directories (Potential Browser Data Stealing, PowerShell login-data rule) target the opposite data flow: credential theft that reads the \User Data login store and copies it out of the machine. Neither keys on the \Cache\ subdirectory. Cache smuggling reads from \Cache_Data / cache2\entries / INetCache to extract and execute a payload, which is a behaviorally distinct operation with no current rule.
Detection approach
Key discriminator: a process whose command line references a browser cache subdirectory AND includes read/carve/stage verbs (e.g. Get-ChildItem, Get-Content, [regex], Select-String, FromBase64String, Expand-Archive, findstr, certutil).
Mapped to:
T1027 — Obfuscated Files or Information (tactic: attack.stealth)
T1059.001 — PowerShell (tactic: attack.execution)
T1204.004 — User Execution: Malicious Copy-Paste (tactic: attack.execution)
A draft rule implementing this detection is ready:
Filename: proc_creation_win_browser_cache_smuggling_extraction.yml
ID: 93e79eb5-2aca-4d1d-895d-0f529127e088
Level: medium / experimental
title: Potential Browser Cache Smuggling Payload Extraction
id: 93e79eb5-2aca-4d1d-895d-0f529127e088
status: experimental
description: |
Detects a process reading, searching, or extracting content directly out of a web
browser's on-disk cache directory (Chromium "Cache_Data", Firefox "cache2\entries",
or the legacy/WebView2/Outlook "INetCache"). In the "cache smuggling" / "Living off
the Browser" technique, a phishing page serves an executable payload disguised with
an "image/jpeg" Content-Type so the browser silently caches it with no download
prompt and no Mark-of-the-Web. The victim is then social-engineered into pasting a
benign-looking command that carves the payload out of the cache file (often between
two marker strings via regex), writes it to a writable/executable location, and
runs it. Because no second network request is made, network/proxy controls and
download/MotW-based detections are evaded. This rule targets the local extraction
step rather than the (invisible) delivery step.
references:
- https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
- https://malwaretech.com/2025/10/exif-smuggling.html
- https://www.cybermaxx.com/resources/cache-smuggling-the-interesting-download-cradle-provided-by-your-internet-browser/
- https://sensepost.com/blog/2023/browsers-cache-smuggling/
author: Chris (The Analyst)
date: 2026-06-22
tags:
- attack.stealth
- attack.t1027
- attack.execution
- attack.t1059.001
- attack.t1204.004
logsource:
category: process_creation
product: windows
detection:
selection_cache_path:
CommandLine|contains:
- '\Cache_Data'
- '\cache2\entries'
- '\Windows\INetCache'
selection_read_extract:
CommandLine|contains:
- 'Get-ChildItem'
- 'Get-Content'
- '[IO.File]::ReadAllBytes'
- '[System.IO.File]::ReadAllBytes'
- 'ReadAllText'
- 'Select-String'
- 'findstr'
- '-match'
- '[regex]'
- '.Matches('
- 'Copy-Item'
- 'Move-Item'
- 'Expand-Archive'
- 'FromBase64String'
- 'certutil'
- 'tar '
- 'expand '
filter_optional_cleaners:
Image|endswith:
- '\ccleaner.exe'
- '\ccleaner64.exe'
- '\bleachbit.exe'
- '\bleachbit_console.exe'
- '\cleanmgr.exe'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Browser cache maintenance, backup, or DLP/AV tools that read cache contents.
Tune via the Image / ParentImage of approved tooling.
- Forensic or IR tooling (e.g. cache parsers) run by analysts.
Filter on known investigator hosts/accounts.
- Developers debugging browser cache behavior with PowerShell.
level: medium
Validated locally with sigma check (pySigma-validators-sigmaHQ): 0 errors, 0 issues.
Public References / Example Log Event
Public references documenting the technique in-the-wild:
- Expel (Oct 2025): "Cache Smuggling: When a Picture Isn't a Thousand Words" — first documented in-the-wild campaign (fake Fortinet VPN lure distributed via X)
- MalwareTech (Oct 2025): "EXIF Smuggling" — extension of the technique via Outlook pre-caching, enabling stageless C2-less loaders
- CyberMaxx: "Cache Smuggling — The Interesting Download Cradle Provided by Your Internet Browser"
- SensePost (2023): Original research coining "cache smuggling" as an HTTP delivery primitive
Representative Sysmon EventID 1 (process_creation):
Observed lineage from the FileFix / ClickFix → cache-smuggling variant (Edge, marker-carving, Base64 decoded ZIP staged to %TEMP%):
EventID: 1
UtcTime: 2026-06-22T14:33:07
ProcessId: 7824
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -w hidden -c
"$d=Get-ChildItem \"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cache\Cache_Data\"
-Recurse | Get-Content -Raw;
$m=[regex]::Match($d,'JFIF_BEGIN(.*?)JFIF_END');
[IO.File]::WriteAllBytes(\"$env:TEMP\u.zip\",
[Convert]::FromBase64String($m.Groups[1].Value));
Expand-Archive \"$env:TEMP\u.zip\" \"$env:TEMP\u\";
Start-Process \"$env:TEMP\u\check.exe\""
ParentImage: C:\Windows\System32\conhost.exe
ParentCommandLine: conhost.exe --headless powershell.exe ...
User: CORP\jdoe
IntegrityLevel: Medium
Hashes: SHA256=<powershell hash>
Matches selection_cache_path (\Cache_Data) and selection_read_extract
(Get-ChildItem, Get-Content, [regex], FromBase64String, Expand-Archive).
Not excluded by filter_optional_cleaners.
Atomic Red Team emulation test available:
T1027_cache_smuggling_atomic.yaml — two tests covering Chromium and Firefox cache paths.
Validated against sigma check. PR ready to accompany or follow this proposal.
Description of the Idea of the Rule
Technique summary
"Browser cache smuggling" (also called "Living off the Browser") is a delivery and defense-evasion technique in which a phishing page serves an executable payload — ZIP, DLL, EXE, or script — under an HTTP
Content-Type: image/jpegheader. Because the browser treats the response as a static image resource, it silently caches the file to disk without presenting a download prompt and without applying Mark-of-the-Web (MotW). The attacker then social-engineers the victim (via a ClickFix "Run" dialog or FileFix Explorer address bar lure) into running a command that carves the payload back out of the on-disk cache entry, decodes it, stages it to a writable/executable path, and executes it.Why it is currently undetected by SigmaHQ
The two existing rules that mention browser cache directories (
Potential Browser Data Stealing, PowerShell login-data rule) target the opposite data flow: credential theft that reads the\User Datalogin store and copies it out of the machine. Neither keys on the\Cache\subdirectory. Cache smuggling reads from\Cache_Data/cache2\entries/INetCacheto extract and execute a payload, which is a behaviorally distinct operation with no current rule.Detection approach
Key discriminator: a process whose command line references a browser cache subdirectory AND includes read/carve/stage verbs (e.g.
Get-ChildItem,Get-Content,[regex],Select-String,FromBase64String,Expand-Archive,findstr,certutil).Mapped to:
T1027— Obfuscated Files or Information (tactic:attack.stealth)T1059.001— PowerShell (tactic:attack.execution)T1204.004— User Execution: Malicious Copy-Paste (tactic:attack.execution)A draft rule implementing this detection is ready:
Filename:
proc_creation_win_browser_cache_smuggling_extraction.ymlID:
93e79eb5-2aca-4d1d-895d-0f529127e088Level:
medium/experimentalValidated locally with
sigma check(pySigma-validators-sigmaHQ): 0 errors, 0 issues.Public References / Example Log Event
Public references documenting the technique in-the-wild:
Representative Sysmon EventID 1 (process_creation):
Observed lineage from the FileFix / ClickFix → cache-smuggling variant (Edge, marker-carving, Base64 decoded ZIP staged to
%TEMP%):Matches
selection_cache_path(\Cache_Data) andselection_read_extract(
Get-ChildItem,Get-Content,[regex],FromBase64String,Expand-Archive).Not excluded by
filter_optional_cleaners.Atomic Red Team emulation test available:
T1027_cache_smuggling_atomic.yaml— two tests covering Chromium and Firefox cache paths.Validated against
sigma check. PR ready to accompany or follow this proposal.