Skip to content

[Rule Proposal] Potential Browser Cache Smuggling Payload Extraction #6077

Description

@Tetryl12

Description of the Idea of the Rule

Technique summary

"Browser cache smuggling" (also called "Living off the Browser") is a delivery and defense-evasion technique in which a phishing page serves an executable payload — ZIP, DLL, EXE, or script — under an HTTP Content-Type: image/jpeg header. Because the browser treats the response as a static image resource, it silently caches the file to disk without presenting a download prompt and without applying Mark-of-the-Web (MotW). The attacker then social-engineers the victim (via a ClickFix "Run" dialog or FileFix Explorer address bar lure) into running a command that carves the payload back out of the on-disk cache entry, decodes it, stages it to a writable/executable path, and executes it.

Why it is currently undetected by SigmaHQ

The two existing rules that mention browser cache directories (Potential Browser Data Stealing, PowerShell login-data rule) target the opposite data flow: credential theft that reads the \User Data login store and copies it out of the machine. Neither keys on the \Cache\ subdirectory. Cache smuggling reads from \Cache_Data / cache2\entries / INetCache to extract and execute a payload, which is a behaviorally distinct operation with no current rule.

Detection approach

Key discriminator: a process whose command line references a browser cache subdirectory AND includes read/carve/stage verbs (e.g. Get-ChildItem, Get-Content, [regex], Select-String, FromBase64String, Expand-Archive, findstr, certutil).

Mapped to:

  • T1027 — Obfuscated Files or Information (tactic: attack.stealth)
  • T1059.001 — PowerShell (tactic: attack.execution)
  • T1204.004 — User Execution: Malicious Copy-Paste (tactic: attack.execution)

A draft rule implementing this detection is ready:

Filename: proc_creation_win_browser_cache_smuggling_extraction.yml
ID: 93e79eb5-2aca-4d1d-895d-0f529127e088
Level: medium / experimental

title: Potential Browser Cache Smuggling Payload Extraction
id: 93e79eb5-2aca-4d1d-895d-0f529127e088
status: experimental
description: |
    Detects a process reading, searching, or extracting content directly out of a web
    browser's on-disk cache directory (Chromium "Cache_Data", Firefox "cache2\entries",
    or the legacy/WebView2/Outlook "INetCache"). In the "cache smuggling" / "Living off
    the Browser" technique, a phishing page serves an executable payload disguised with
    an "image/jpeg" Content-Type so the browser silently caches it with no download
    prompt and no Mark-of-the-Web. The victim is then social-engineered into pasting a
    benign-looking command that carves the payload out of the cache file (often between
    two marker strings via regex), writes it to a writable/executable location, and
    runs it. Because no second network request is made, network/proxy controls and
    download/MotW-based detections are evaded. This rule targets the local extraction
    step rather than the (invisible) delivery step.
references:
    - https://expel.com/blog/cache-smuggling-when-a-picture-isnt-a-thousand-words/
    - https://malwaretech.com/2025/10/exif-smuggling.html
    - https://www.cybermaxx.com/resources/cache-smuggling-the-interesting-download-cradle-provided-by-your-internet-browser/
    - https://sensepost.com/blog/2023/browsers-cache-smuggling/
author: Chris (The Analyst)
date: 2026-06-22
tags:
    - attack.stealth
    - attack.t1027
    - attack.execution
    - attack.t1059.001
    - attack.t1204.004
logsource:
    category: process_creation
    product: windows
detection:
    selection_cache_path:
        CommandLine|contains:
            - '\Cache_Data'
            - '\cache2\entries'
            - '\Windows\INetCache'
    selection_read_extract:
        CommandLine|contains:
            - 'Get-ChildItem'
            - 'Get-Content'
            - '[IO.File]::ReadAllBytes'
            - '[System.IO.File]::ReadAllBytes'
            - 'ReadAllText'
            - 'Select-String'
            - 'findstr'
            - '-match'
            - '[regex]'
            - '.Matches('
            - 'Copy-Item'
            - 'Move-Item'
            - 'Expand-Archive'
            - 'FromBase64String'
            - 'certutil'
            - 'tar '
            - 'expand '
    filter_optional_cleaners:
        Image|endswith:
            - '\ccleaner.exe'
            - '\ccleaner64.exe'
            - '\bleachbit.exe'
            - '\bleachbit_console.exe'
            - '\cleanmgr.exe'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Browser cache maintenance, backup, or DLP/AV tools that read cache contents.
      Tune via the Image / ParentImage of approved tooling.
    - Forensic or IR tooling (e.g. cache parsers) run by analysts.
      Filter on known investigator hosts/accounts.
    - Developers debugging browser cache behavior with PowerShell.
level: medium

Validated locally with sigma check (pySigma-validators-sigmaHQ): 0 errors, 0 issues.


Public References / Example Log Event

Public references documenting the technique in-the-wild:

  • Expel (Oct 2025): "Cache Smuggling: When a Picture Isn't a Thousand Words" — first documented in-the-wild campaign (fake Fortinet VPN lure distributed via X)
  • MalwareTech (Oct 2025): "EXIF Smuggling" — extension of the technique via Outlook pre-caching, enabling stageless C2-less loaders
  • CyberMaxx: "Cache Smuggling — The Interesting Download Cradle Provided by Your Internet Browser"
  • SensePost (2023): Original research coining "cache smuggling" as an HTTP delivery primitive

Representative Sysmon EventID 1 (process_creation):

Observed lineage from the FileFix / ClickFix → cache-smuggling variant (Edge, marker-carving, Base64 decoded ZIP staged to %TEMP%):

EventID:       1
UtcTime:       2026-06-22T14:33:07
ProcessId:     7824
Image:         C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine:   powershell.exe -w hidden -c
               "$d=Get-ChildItem \"$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Cache\Cache_Data\"
               -Recurse | Get-Content -Raw;
               $m=[regex]::Match($d,'JFIF_BEGIN(.*?)JFIF_END');
               [IO.File]::WriteAllBytes(\"$env:TEMP\u.zip\",
               [Convert]::FromBase64String($m.Groups[1].Value));
               Expand-Archive \"$env:TEMP\u.zip\" \"$env:TEMP\u\";
               Start-Process \"$env:TEMP\u\check.exe\""
ParentImage:   C:\Windows\System32\conhost.exe
ParentCommandLine: conhost.exe --headless powershell.exe ...
User:          CORP\jdoe
IntegrityLevel: Medium
Hashes:        SHA256=<powershell hash>

Matches selection_cache_path (\Cache_Data) and selection_read_extract
(Get-ChildItem, Get-Content, [regex], FromBase64String, Expand-Archive).
Not excluded by filter_optional_cleaners.

Atomic Red Team emulation test available:
T1027_cache_smuggling_atomic.yaml — two tests covering Chromium and Firefox cache paths.
Validated against sigma check. PR ready to accompany or follow this proposal.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions