Campaigns
DragonRank Campaign: The Silent Surge of SEO Poisoning

DragonRank Campaign: The Silent Surge of SEO Poisoning

Dragon RankSEO PoisoningIIS ServersBad IISBlack Hat SEO
The DragonRank campaign targets IIS servers across Asia and Europe to manipulate search engine algorithms, using malware like BadIIS and PlugX to boost malicious sites' visibility through SEO poisoning.

Indicators of Compromise

ddos.tttseo.com
a.googie.pw
mail.tttseo.com
tttseo.com
admin1.tttseo.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1033 - System Owner/User Discovery 


ID

Data Source

Data Component

Detects

DS0026

Active Directory

Active Directory Object Access

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [222] [223] [224] Note: Domain controllers may not log replication requests originating from the default domain controller account. [225]. Monitor for replication requests [226] from IPs not associated with known domain controllers. [227]

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [228] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP.

DS0022

File

File Access

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.



Process Access

Monitor for unexpected processes interacting with lsass.exe.[229] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.



Process Creation

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of at being created, therefore implying the querying or creation of tasks. If this tools is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process Execution

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="*at.exe"

DS0024

Windows Registry

Windows Registry Key Access

Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.


T1082 - System Information Discovery

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1555 - Credentials from Password Stores

ID

Data Source

Data Component

Detects

DS0025

Cloud Service

Cloud Service Enumeration

Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.

DS0017

Command

Command Execution

Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

DS0022

File

File Access

Monitor for files being accessed that may search for common password storage locations to obtain user credentials.

DS0009

Process

OS API Execution

Monitor for API calls that may search for common password storage locations to obtain user credentials.



Process Access

Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.



Process Creation

Monitor newly executed processes that may search for common password storage locations to obtain user credentials.


T1016 - System Network Configuration Discovery

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.



Process Creation

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.

Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1070 - Indicator Removal on Host

ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules.

DS0017

Command

Command Execution

Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

DS0022

File

File Deletion

Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

File Metadata

Monitor for contextual file data that may show signs of deletion or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

File Modification

Monitor for changes made to a file may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

DS0018

Firewall

Firewall Rule Modification

Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

DS0009

Process

OS API Execution

Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Process Creation

Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

DS0003

Scheduled Job

Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.

DS0002

User Account

User Account Authentication

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

User Account Deletion

Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted).

Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.

DS0024

Windows Registry

Windows Registry Key Deletion

Monitor windows registry keys that may be deleted or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

Windows Registry Key Modification

Monitor for changes made to windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.

T1057 - Process Discovery

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.

DS0009

Process

OS API Execution

Monitor for API calls may attempt to get information about running processes on a system.

Process Creation

Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically.Within the built-in Windows Commands:

  • hostname

  • ipconfig

  • net

  • quser

  • qwinsta

  • sc with flags query, queryex, qc

  • systeminfo

  • tasklist

  • dsquery

  • whoamiNote: To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment.

Analytic 1 - Host Discovery Commands

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\\hostname.exe" OR Image="C:\Windows\\ipconfig.exe" OR Image="C:\Windows\\net.exe" OR Image="C:\Windows\\quser.exe" OR Image="C:\Windows\\qwinsta.exe" OR (Image="C:\Windows\\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\\systeminfo.exe" OR Image="C:\Windows\\tasklist.exe" OR Image="C:\Windows\*\whoami.exe")|stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName

T1069.001 - Local Groups


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.

DS0036

Group

Group Enumeration

Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, ex. Windows EID 4798 and 4799.

DS0009

Process

OS API Execution

Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum. Other API calls relevant to Local Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.



Process Creation

Monitor newly executed processes that may attempt to find local system groups and permission settings.

Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the Analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrator actions may trigger false positives.

Analytic 1 - Local Permission Group Discovery

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" AND ( CommandLine="net user" OR CommandLine="net group" OR CommandLine="net localgroup" OR CommandLine="get-localgroup" OR CommandLine="get-ADPrincipalGroupMembership*" )

T1098 - Account Manipulation

ID

Data Source

Data Component

Detects

DS0026

Active Directory

Active Directory Object Modification

Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA.[18]

DS0017

Command

Command Execution

Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the authorized_keys or /etc/ssh/sshd_config).

Monitor executed commands and arguments of suspicious commands (such as Add-MailboxPermission) that may be indicative of modifying the permissions of Exchange and other related service settings.

DS0022

File

File Modification

Monitor for changes made to files related to account settings, such as /etc/ssh/sshd_config and the authorized_keys file for each user on a system.

DS0036

Group

Group Modification

Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.

DS0009

Process

Process Creation

Monitor for newly constructed processes indicative of modifying account settings, such as those that modify authorized_keys or /etc/ssh/sshd_config files.

DS0002

User Account

User Account Modification

Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password.

Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.

T1136 - Create Account

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that are associated with account creation, such as net user or useradd

DS0009

Process

Process Creation

Monitor newly executed processes associated with account creation, such as net.exe

DS0002

User Account

User Account Creation

Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).


T1105 - Ingress Tool Transfer

ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for suspicious activity associated with downloading external content.

DS0022

File

File Creation

Monitor for file creation and files transferred into the network

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts or creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Network Traffic Content

Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs.

Network Traffic Flow

Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

T1021.001 - Remote Desktop Protocol

ID

Data Source

Data Component

Detects

DS0028

Logon Session

Logon Session Creation

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.

Analytic 1

source="*WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778)|search user NOT IN top limit=30

Logon Session Metadata

Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Analytic 1

source="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin")

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Network Traffic Flow

Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary’s perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.Remote Desktop can be detected in several ways

  • Network connections to port 3389/tcp (assuming use of the default port)

  • Packet capture analysis

  • Detecting network connections from mstsc.exe

  • Execution of the process rdpclip.exe

  • Runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Analytic 1

source="Zeek:" AND (port="3389") AND LogonType="10"

DS0009

Process

Process Creation

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

Observed Countries7

BE (541)
CN (799)
IN (172)
IO (957)
KP (164)
NL (808)
TH (707)