Date: 12/17/2025
Severity: Low
Summary
Detects a web browser process being launched with an .htm/.html file located in a user's Downloads folder on its command line. This is a common footprint of phishing campaigns that deliver HTML attachments: the user saves and opens the attachment, the browser renders it locally, and script embedded in the page can present a spoofed login form to harvest credentials or reconstruct and drop a payload client-side (HTML smuggling). Because users also legitimately save and re-open web pages, the severity is Low and the rule is intended for hunting and triage rather than blocking. During investigation, analysts should retrieve the HTML file and review it for embedded or obfuscated script, data: URIs and external links; examine any subsequent downloads, child processes or network connections from the browser; and identify the email or message that delivered the attachment.
Indicators of Compromise (IOC) List
Processname (any of, matched as a suffix of the image path): \brave.exe, \chrome.exe, \firefox.exe, \msedge.exe, \opera.exe, \vivaldi.exe
Commandline (all of, matched as substrings): :\users\, \Downloads\, .htm
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | resourcename = "Windows Security" AND eventtype = "4688" AND processname IN ("\\brave.exe","\\chrome.exe","\\firefox.exe","\\msedge.exe","\\opera.exe","\\vivaldi.exe") AND (commandline like ":\\users" AND commandline like "\\Downloads" AND commandline like ".htm") |
Detection Query 2 | technologygroup = "EDR" AND processname IN ("\\brave.exe","\\chrome.exe","\\firefox.exe","\\msedge.exe","\\opera.exe","\\vivaldi.exe") AND (commandline like ":\\users" AND commandline like "\\Downloads" AND commandline like ".htm") |
Notes: Query 1 relies on Windows Security event 4688, which only carries the process command line when "Include command line in process creation events" is enabled in addition to Audit Process Creation; without that policy the commandline conditions never match and the query is silently blind. Query 2 runs the same logic over EDR process-creation telemetry, which normally records the command line by default. All conditions are substring matches and should be evaluated case-insensitively, as the referenced Sigma rule does; ".htm" therefore also covers ".html". Paths written with forward slashes (for example a file:/// URL) do not contain ":\users\" or "\Downloads\" and are not covered by these patterns.
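To make the matching logic concrete, the following Python implements the same rule (browser image suffix plus all three command-line substrings, case-insensitive) and runs it over a handful of constructed 4688-style events. This is an added example, not Gurucul's or SigmaHQ's code; the event field names (SubjectUserName, NewProcessName, CommandLine), the sample command lines and the html_targets() helper that pulls out the file path for analyst triage are assumptions made for illustration.

```python
import re

# Browser image names from the IOC list (Sigma: Image|endswith, case-insensitive).
BROWSER_IMAGES = ("\\brave.exe", "\\chrome.exe", "\\firefox.exe",
                  "\\msedge.exe", "\\opera.exe", "\\vivaldi.exe")

# Command-line substrings that must ALL be present (Sigma: CommandLine|contains|all).
CMDLINE_REQUIRED = (":\\users\\", "\\downloads\\", ".htm")


def matches_rule(new_process_name: str, command_line: str) -> bool:
    """True when a browser is launched with an .htm/.html file under a user's
    Downloads folder on its command line. Matching is case-insensitive."""
    image = new_process_name.lower()
    cmd = command_line.lower()
    if not image.endswith(BROWSER_IMAGES):
        return False
    return all(token in cmd for token in CMDLINE_REQUIRED)


# Quoted path first (may contain spaces), otherwise a bare whitespace-delimited token.
_HTML_PATH = re.compile(r'"([^"]+\.html?)"|(\S+\.html?)(?=\s|$)', re.IGNORECASE)


def html_targets(command_line: str) -> list[str]:
    """Extract the .htm/.html path(s) from a command line so the analyst knows
    which file to retrieve for static review (hypothetical triage helper)."""
    return [quoted or bare for quoted, bare in _HTML_PATH.findall(command_line)]


def triage(events: list[dict]) -> list[dict]:
    """Run the rule over 4688-style events and return enriched hits."""
    hits = []
    for ev in events:
        if matches_rule(ev["NewProcessName"], ev["CommandLine"]):
            hits.append({
                "SubjectUserName": ev["SubjectUserName"],
                "Image": ev["NewProcessName"],
                "Targets": html_targets(ev["CommandLine"]),
            })
    return hits


# Constructed sample events (not real telemetry). Only the first should fire.
SAMPLE_EVENTS = [
    {   # Edge opening an HTML attachment saved to Downloads: HIT
        "SubjectUserName": "alice",
        "NewProcessName": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
        "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                       r"--single-argument C:\Users\alice\Downloads\Invoice_2025.html",
    },
    {   # Ordinary Chrome renderer child process: no file path at all
        "SubjectUserName": "bob",
        "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US',
    },
    {   # HTML file opened from Documents, not Downloads: benign by this rule
        "SubjectUserName": "bob",
        "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Users\bob\Documents\Team Report.html"',
    },
    {   # Right process path but not a browser image
        "SubjectUserName": "carol",
        "NewProcessName": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\carol\Downloads\readme.htm",
    },
    {   # Forward-slash file URL: illustrates the pattern gap, NOT a claim about Firefox's real arguments
        "SubjectUserName": "dave",
        "NewProcessName": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url "file:///C:/Users/dave/Downloads/secure_doc.htm"',
    },
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f'{hit["SubjectUserName"]}: {hit["Image"]} -> {hit["Targets"]}')
```

Running the block reports only alice's Edge launch. The last sample event is the important negative case: the file lives in Downloads, but because the path is written as a file:/// URL with forward slashes, none of the backslash patterns match. If your browser telemetry shows command lines in that form, extend the substring set (":/users/", "/downloads/") rather than assuming the rule covers it.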
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml