Merge PR #5674 from @skaynum - Add HTML File Opened From Download Folder

new: HTML File Opened From Download Folder

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>

rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml

@@ -0,0 +1,39 @@
+title: HTML File Opened From Download Folder
+id: 538c5851-8c03-4724-8ec4-623bc7aadaea
+status: experimental
+description: |
+    Detects web browser process opening an HTML file from a user's Downloads folder.
+    This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users.
+    When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
+    During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
+references:
+    - https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33
+    - https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4
+author: Joseph Kamau
+date: 2025-12-05
+tags:
+    - attack.t1598.002
+    - attack.t1566.001
+    - attack.initial-access
+    - attack.reconnaissance
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            - '\brave.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\msedge.exe'
+            - '\opera.exe'
+            - '\vivaldi.exe'
+        CommandLine|contains|all:
+            - ':\users\'
+            - '\Downloads\'
+            - '.htm'
+    condition: selection
+falsepositives:
+    - Opening any HTML file located in users directories via a browser process will trigger this.
+level: low