SilkSpecter Campaign: Targeting Black Friday Shoppers


Tags: SilkSpecter, Black Friday, Black Friday Shoppers, eCommerce Exploitation, Seasonal Shopping Attacks
The SilkSpecter campaign is a financially motivated operation by a Chinese threat actor targeting Black Friday shoppers. It exploits fake discount websites and phishing techniques to steal personal and financial information, leveraging seasonal shopping habits for maximum impact.

Indicators of Compromise


APT Groups

SilkSpecter

Summary of Actor: SilkSpecter is a financially motivated cyber threat actor, identified in October 2024, believed to operate out of China. The group gained prominence through sophisticated phishing campaigns targeting e-commerce shoppers in Europe and the United States, particularly during the Black Friday shopping season. Their primary objective is the theft of Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII).

General Features:

- Targeting Strategy: SilkSpecter focuses on exploiting high-traffic shopping periods, such as Black Friday, to maximize the effectiveness of their phishing campaigns. They create counterfeit e-commerce websites offering significant discounts to lure unsuspecting shoppers.
- Infrastructure and Tools: The group utilizes a Chinese Software as a Service (SaaS) platform known as oemapps to swiftly develop and deploy fake online stores. These fraudulent sites are designed to mimic legitimate brands and dynamically adjust language settings based on the victim's IP address, enhancing their credibility.
- Data Exfiltration Techniques: SilkSpecter employs legitimate payment processors, such as Stripe, to process transactions. While the payment is processed legitimately, the group covertly exfiltrates sensitive payment information to attacker-controlled servers. Additionally, they incorporate website trackers like OpenReplay, TikTok Pixel, and Meta Pixel to monitor and analyze visitor interactions.

Indicators of Attack (IoAs):

- Phishing Domains
- Social Engineering Tactics
- Use of Legitimate Services for Malicious Purposes

Recent Activities and Trends:

- Latest Campaigns: Expansion of Target Regions
- Emerging Trends: Adaptation of Techniques
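The profile above boils down to a recognisable naming pattern (brand token plus a seasonal lure word, often with a regional suffix, on a cheap TLD). The following triage script is an added example, not from the original page or any vendor tool; it scores candidate domains on exactly those traits. The brand watch-list, TLD list and sample domains are constructed for the example.

```python
"""Heuristic triage of seasonal lookalike storefront domains.

Added example (not from the original page or any vendor tooling): it scores a
domain on the traits an analyst would eyeball in SilkSpecter-style IoCs: a
brand token outside the brand's own registered domain, a seasonal lure token
such as "blackfriday", a regional token like "eu", and a low-cost TLD.
BRANDS, LOW_COST_TLDS and SAMPLE_DOMAINS are constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed watch-list: brand token -> that brand's legitimate registrable domain.
BRANDS = {
    "acmeoutdoor": "acmeoutdoor.com",
    "nordfurn": "nordfurn.com",
    "toolmaster": "toolmaster.de",
}
SEASONAL_TOKENS = ("blackfriday", "cybermonday", "bfsale")
REGIONAL_TOKENS = {"eu", "euonline", "uk", "us"}
# TLDs commonly used for throwaway storefronts (constructed list; tune per environment).
LOW_COST_TLDS = {"shop", "top", "xyz", "store", "online"}


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def label(self) -> str:
        if self.score >= 4:
            return "likely lookalike"
        if self.score >= 2:
            return "review"
        return "benign"


def registrable(domain: str) -> str:
    """Last two labels of the host name; sufficient for the single-label TLDs used here."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def score_domain(domain: str) -> Verdict:
    v = Verdict(domain)
    reg = registrable(domain)
    if "." not in reg:
        return v  # bare host name, nothing to assess
    sld, tld = reg.rsplit(".", 1)
    compact = re.sub(r"[^a-z0-9]", "", sld)  # "acme-outdoor" and "acmeoutdoor" compare equal
    for brand, legit in BRANDS.items():
        if brand in compact:
            if reg == legit:
                return v  # the brand's own domain (including subdomains): score 0
            v.score += 3
            v.reasons.append(f"brand token '{brand}' outside its registered domain {legit}")
    for tok in SEASONAL_TOKENS:
        if tok in compact:
            v.score += 2
            v.reasons.append(f"seasonal lure token '{tok}'")
            break
    if REGIONAL_TOKENS & set(sld.split("-")):
        v.score += 1
        v.reasons.append("regional token in the domain label")
    if tld in LOW_COST_TLDS:
        v.score += 1
        v.reasons.append(f"low-cost TLD .{tld}")
    return v


def triage(domains):
    """Score a batch; returns (domain, score, label) tuples, highest score first."""
    verdicts = sorted((score_domain(d) for d in domains), key=lambda v: v.score, reverse=True)
    return [(v.domain, v.score, v.label) for v in verdicts]


# Constructed sample input patterned on the campaign's naming style, plus legitimate hosts.
SAMPLE_DOMAINS = [
    "acmeoutdoor-blackfriday.shop",
    "nordfurn-eu.com",
    "toolmasterblackfriday.shop",
    "blackfriday-deals.top",
    "shop.acmeoutdoor.com",
    "www.nordfurn.com",
]

if __name__ == "__main__":
    for domain, score, label in triage(SAMPLE_DOMAINS):
        print(f"{score:>2}  {label:<17} {domain}")
        for reason in score_domain(domain).reasons:
            print(f"      - {reason}")
```

Feed it newly registered domains or passive-DNS output for the brands you protect; the score thresholds are a starting point, not a verdict.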


Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1033 - System Owner/User Discovery


ID

Data Source

Data Component

Detects

DS0026

Active Directory

Active Directory Object Access

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [236] [237] [238] Note: Domain controllers may not log replication requests originating from the default domain controller account. [239]. Monitor for replication requests [240] from IPs not associated with known domain controllers. [241]

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command-lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [242] which may require additional logging features to be configured in the operating system to collect necessary information for analysis.

Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect abuse of CMSTP.

DS0022

File

File Access

Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in-use by adversaries may help as well.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.



Process Access

Monitor for unexpected processes interacting with lsass.exe.[243] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.



Process Creation

Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for any instances of at.exe being created, therefore implying the querying or creation of tasks. If this tool is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process Execution

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND Image="*at.exe"

DS0024

Windows Registry

Windows Registry Key Access

Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.



T1040 - Network Sniffing


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network.

Analytic 1 - Unexpected command execution of network sniffing tools.

index=security (sourcetype="Powershell" EventCode=4104) | eval CommandLine=coalesce(Command_Line, CommandLine) | search ExecutingProcess IN ("tshark.exe", "windump.exe", "tcpdump.exe", "wprui.exe", "*wpr.exe")

DS0009

Process

Process Creation

Monitor for newly executed processes that can aid in sniffing network traffic to capture information about an environment, including authentication material passed over the network

Note: The Analytic is for Windows systems and looks for new processes that have the names of the most common network sniffing tools. While this may be noisy on networks where sysadmins are using any of these tools on a regular basis, in most networks their use is noteworthy.

Analytic 1 - Unexpected execution of network sniffing tools.

index=security ((sourcetype="WinEventLog:Security" EventCode=4688) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)) Image IN ("tshark.exe", "windump.exe", "*tcpdump.exe", "wprui.exe", "wpr.exe") AND ParentImage!="C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe"
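To check the grouping and the parent-image exclusion of that analytic outside Splunk, here is the same logic as plain Python run over constructed process-creation records. This is an added example, not from the original page; field names (sourcetype, EventCode, Image, ParentImage, User) follow the analytic and the sample events are made up.

```python
"""Process-creation analytic for network sniffing tools (T1040) as plain Python.

Added example, not from the original page: it re-implements "Analytic 1 -
Unexpected execution of network sniffing tools" over constructed Sysmon
EventID 1 and Security 4688 style records, so the OR/AND grouping and the
parent-image exclusion can be tested outside Splunk. Field names follow the
analytic; the events are constructed, not real telemetry.
"""
import fnmatch

# Tool image patterns from the analytic; fnmatch gives the same '*' semantics as SPL search.
SNIFFER_IMAGES = ("tshark.exe", "windump.exe", "*tcpdump.exe", "wprui.exe", "wpr.exe")
# The one parent process the analytic excludes (string as on the page).
EXCLUDED_PARENT = r"C:\Program Files\Windows Event Reporting\Core\EventReporting.AgentService.exe"

# The two (sourcetype, EventCode) pairs the analytic ORs together.
PROCESS_CREATION_SOURCES = {
    ("WinEventLog:Security", "4688"),
    ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "1"),
}


def basename(path: str) -> str:
    """Last path component, lower-cased; Sysmon's Image field carries the full path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_process_creation(event: dict) -> bool:
    return (event.get("sourcetype"), str(event.get("EventCode"))) in PROCESS_CREATION_SOURCES


def is_sniffer_image(image: str) -> bool:
    # Match on the basename: a bare "tshark.exe" pattern never equals a full Image path,
    # which is the usual reason a name-list analytic silently fires on nothing.
    name = basename(image)
    return any(fnmatch.fnmatch(name, pat.lower()) for pat in SNIFFER_IMAGES)


def detect_sniffer_processes(events):
    """(4688 OR Sysmon 1) AND sniffer image AND ParentImage != excluded agent."""
    hits = []
    for ev in events:
        if not is_process_creation(ev):
            continue
        if not is_sniffer_image(ev.get("Image", "")):
            continue
        if ev.get("ParentImage", "").lower() == EXCLUDED_PARENT.lower():
            continue
        hits.append(ev)
    return hits


def summarize(hits):
    """Compact (image, parent, user) tuples, the columns a stats-style alert table would show."""
    return [(basename(h["Image"]), basename(h.get("ParentImage", "")), h.get("User", "")) for h in hits]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 1,
     "Image": r"C:\Program Files\Wireshark\tshark.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\jdoe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": 4688,
     "Image": r"C:\Tools\windump.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    # wpr.exe launched by the excluded agent service: suppressed by the ParentImage clause.
    {"sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 1,
     "Image": r"C:\Windows\System32\wpr.exe", "ParentImage": EXCLUDED_PARENT, "User": "NT AUTHORITY\\SYSTEM"},
    # Network-connection event (Sysmon 3), not process creation: out of scope for this analytic.
    {"sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 3,
     "Image": r"C:\Tools\tcpdump.exe", "User": "CORP\\jdoe"},
    {"sourcetype": "WinEventLog:Security", "EventCode": 4688,
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    # Renamed copy still ends in tcpdump.exe, which the "*tcpdump.exe" pattern catches.
    {"sourcetype": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": 1,
     "Image": r"C:\Users\Public\win-tcpdump.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": "CORP\\svc_backup"},
]

if __name__ == "__main__":
    for image, parent, user in summarize(detect_sniffer_processes(SAMPLE_EVENTS)):
        print(f"ALERT sniffer process {image} spawned by {parent} as {user}")
```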



T1120 - Peripheral Device Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to gather information about attached peripheral devices and components connected to a computer system.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to gather information about attached peripheral devices and components connected to a computer system.



Process Creation

Monitor for newly executed processes that may attempt to gather information about attached peripheral devices and components connected to a computer system.



T1082 - System Information Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.



T1071 - Application Layer Protocol


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



T1016 - System Network Configuration Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.



Process Creation

Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.

Note: The Analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.

Analytic 1 - Suspicious Process

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.



T1059 - Command and Scripting Interpreter


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

Analytic 1 - Suspicious script execution

(sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit) | search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic") | eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")

DS0011

Module

Module Load

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

Analytic 1 - Look for unusual module loads associated with scripting languages.

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\JScript.dll", "C:\Windows\System32\vbscript.dll", "System.Management.Automation.dll")

DS0009

Process

Process Creation

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

Analytic 1 - Look for unusual command and scripting process creation.

(sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)(EventCode=4688 OR EventID=1 OR _raw=sh OR _raw=python OR _raw=powershell OR _raw=cmd OR _raw=script OR _raw=wscript OR _raw=bash)



Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[56]

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Look for attempts to enable scripts on the system.

index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) (CommandLine="script") | search script_name IN ("*.ps1", "*.sh", "*.py", "*.rb", "*.js", "*.vbs") | eval hour=tonumber(strftime(_time, "%H")) | eval suspicious_script=if(like(script_name, "%.sh") AND (hour < 8 OR hour > 18), "Yes", "No") | where suspicious_script="Yes"


T1102 - Web Service


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1204 - User Execution


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.

Analytic 1 - Logs showing unexpected user actions triggering unusual processes.

sourcetype=application_log EventCode=1000 OR EventCode=1001| search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe")| stats count by application event_description| where event_description IN ("opened document", "clicked link", "executed file")

DS0017

Command

Command Execution

Detect commands triggered by users, especially related to decompression tools (e.g., zip files) that may unpack malicious payloads. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Analytic 1 - Command lines showing decompression or decoding actions.

sourcetype=WinEventLog:Powershell EventCode=4104| search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")| stats count by process_name command_line user| where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"

DS0032

Container

Container Creation

Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Analytic 1 - Containers communicating with unexpected external services.

sourcetype=container_creation OR sourcetype=container_start| stats count by container_name event_description user| where container_name NOT IN ("") AND event_description IN ("created", "started")



Container Start

Monitor for the activation or invocation of a container (ex: docker start or docker restart)

DS0022

File

File Creation

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007

Image

Image Creation

Monitor for newly constructed image that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030

Instance

Instance Creation

Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.



Instance Start

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

DS0029

Network Traffic

Network Connection Creation

Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.

Analytic 1 - Web-based network connections to suspicious destinations.

sourcetype=sysmon EventCode=3| search process_name IN ("winword.exe", "chrome.exe", "firefox.exe") | stats count by src_ip dest_ip dest_port process_name| where dest_ip NOT IN ("")



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g., destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g., monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009

Process

Process Creation

Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.

Analytic 1 - Processes created from user interaction with files.

((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))| search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")| stats count by parent_process process_name command_line user| where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")


T1566 - Phishing


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events.

DS0022

File

File Creation

Monitor for newly constructed files from phishing messages that may be used to gain access to victim systems.

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[17][18]



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1078 - Valid Accounts


ID

Data Source

Data Component

Detects

DS0028

Logon Session

Logon Session Creation

Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).



Logon Session Metadata

Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

DS0002

User Account

User Account Authentication

Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.


T1027 - Obfuscated Files or Information


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

DS0017

Command

Command Execution

Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022

File

File Creation

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).



File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[187][188][189]

DS0011

Module

Module Load

Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[188]

DS0009

Process

OS API Execution

Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[187]



Process Creation

Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012

Script

Script Execution

Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005

WMI

WMI Creation

Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.


T1056 - Input Capture


ID

Data Source

Data Component

Detects

DS0027

Driver

Driver Load

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

DS0022

File

File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes.

Analytic 1 - Unexpected file modifications.

index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")

DS0009

Process

OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.[9]



Process Creation

Monitor for newly executed processes conducting malicious activity.



Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

DS0024

Windows Registry

Windows Registry Key Modification

Monitor for changes made to Windows Registry keys or values for unexpected modifications.


T1132 - Data Encoding


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols and packet contents.


T1526 - Cloud Service Discovery


ID

Data Source

Data Component

Detects

DS0025

Cloud Service

Cloud Service Enumeration

Cloud service discovery techniques will likely occur throughout an operation where an adversary is targeting cloud-based systems and services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Normal, benign system and network events that look like cloud service discovery may be uncommon, depending on the environment and how they are used. Monitor cloud service usage for anomalous behavior that may indicate adversarial presence within the environment.

DS0028

Logon Session

Logon Session Creation

Monitor for newly constructed logon behavior that may attempt to enumerate the cloud services running on a system after gaining access. Look for suspicious Applications and accounts authenticating to the Windows Azure Service Management API using User Agents values attributed to scripting utilities such as python or Powershell.

Analytic 1 - Applications or accounts with unusual User Agents, anomalous IP addresses, unexpected locations, and usernames

index="azure_ad_signin_logs" Resource="Windows Azure Service Management API" AND (UserAgent="python" OR UserAgent="PowerShell") | stats count by UserAgent, UserID, IPAddress, Location | where IPAddress!="expected_ip" OR Location!="expected_location"


T1518 - Software Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.

DS0018

Firewall

Firewall Enumeration

Monitor for an extracted list of available firewalls and/or their associated settings/rules (ex: Azure Network Firewall CLI Show commands).



Firewall Metadata

Monitor for contextual data about a firewall and activity around it, such as name, policy, or status.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.



Process Creation

Monitor newly executed processes that may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment.


T0885 - Commonly Used Port


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor for mismatches between protocols and their expected ports (e.g., non-HTTP traffic on tcp:80). Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[5]



Network Traffic Flow

Analyze network data for uncommon data flows (e.g., new protocols in use between hosts, unexpected ports in use). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


Observed Countries

US (391)