From 0490e31eb5b4bfc5e98ef66bbc4870176e4bed9e Mon Sep 17 00:00:00 2001
From: skaynum <152009163+skaynum@users.noreply.github.com>
Date: Fri, 5 Dec 2025 03:22:04 +0300
Subject: [PATCH] Merge PR #5674 from @skaynum - Add `HTML File Opened From
 Download Folder`

new: HTML File Opened From Download Folder

---------

Co-authored-by: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <monsteroffire2@gmail.com>
---
 ...sp_open_html_file_from_download_folder.yml | 39 +++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml

diff --git a/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml
new file mode 100644
index 000000000..e76272cca
--- /dev/null
+++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_susp_open_html_file_from_download_folder.yml
@@ -0,0 +1,39 @@
+title: HTML File Opened From Download Folder
+id: 538c5851-8c03-4724-8ec4-623bc7aadaea
+status: experimental
+description: |
+    Detects web browser process opening an HTML file from a user's Downloads folder.
+    This behavior is could be associated with phishing attacks where threat actors send HTML attachments to users.
+    When a user opens such an attachment, it can lead to the execution of malicious scripts or the download of malware.
+    During investigation, analyze the HTML file for embedded scripts or links, check for any subsequent downloads or process executions, and investigate the source of the email or message containing the attachment.
+references:
+    - https://app.any.run/tasks/ae3c4ded-fd6a-43ed-8215-ba0ba574ad33
+    - https://app.any.run/tasks/8901e2d5-0c5a-48ba-a8e9-10b5ed7e06f4
+author: Joseph Kamau
+date: 2025-12-05
+tags:
+    - attack.t1598.002
+    - attack.t1566.001
+    - attack.initial-access
+    - attack.reconnaissance
+    - detection.threat-hunting
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith:
+            - '\brave.exe'
+            - '\chrome.exe'
+            - '\firefox.exe'
+            - '\msedge.exe'
+            - '\opera.exe'
+            - '\vivaldi.exe'
+        CommandLine|contains|all:
+            - ':\users\'
+            - '\Downloads\'
+            - '.htm'
+    condition: selection
+falsepositives:
+    - Opening any HTML file located in users directories via a browser process will trigger this.
+level: low