
Massive eBay Malvertising Attack Fuels Widespread Scams
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1113 - Screen Capture
ID | Data Source | Data Component | Detects
--- | --- | --- | ---
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.
DS0009 | Process | OS API Execution | Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes that use API calls or tools to obtain image data, such as CopyFromScreen, xwd, or screencapture [1][2], and monitoring for image files written to disk. The sensor data may need to be correlated with other events to identify malicious activity, depending on how legitimate this behavior is within a given network environment.
T1176 - Browser Extensions
ID | Data Source | Data Component | Detects
--- | --- | --- | ---
DS0017 | Command | Command Execution | Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.
DS0022 | File | File Creation | Monitor for newly constructed files. On macOS, all installed extensions maintain a plist file in the /Library/Managed Preferences/username/ directory; ensure all listed files are in alignment with approved extensions.
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections that are sent to or received from untrusted hosts.
DS0009 | Process | Process Creation | Monitor for newly executed processes that could be used to abuse internet browser extensions to establish persistence.
DS0024 | Windows Registry | Windows Registry Key Creation | Monitor for any new items written to the Registry, or PE files written to disk, that may correlate with browser extension installation.
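The two detection tables above (T1113 and T1176) describe what to look for but not how the rules fit together or how to suppress the noise they would otherwise generate. The following is an added example, not code from the original page or from the campaign it describes: a small rule set run over constructed endpoint telemetry. The event schema, the allowlist of processes permitted to call capture APIs, the approved-extension plist names, the extra screenshot tools and APIs beyond those named on the page, and the Windows registry key patterns are all assumptions for illustration and should be mapped onto your own EDR's fields and your own environment. The T1113 rule for image files written to disk is deliberately gated on a preceding capture API call from the same process, which is the correlation the page says may be needed.

```python
"""Toy detections for ATT&CK T1113 (Screen Capture) and T1176 (Browser Extensions).

Added example, not code from the original page. The event schema is assumed:
dicts with 'type' in {'process', 'api', 'file', 'registry'} plus 'host' and,
where relevant, 'pid', 'ts' (seconds), 'cmdline', 'image', 'api', 'path', 'key'.
"""
import re
from dataclasses import dataclass

# T1113: CLI screenshot tools. xwd and screencapture are from the page; the
# others are assumed additions.
SCREEN_CAPTURE_CMDS = {"screencapture", "xwd", "scrot", "import", "gnome-screenshot"}
# T1113: API calls returning desktop image data. CopyFromScreen is from the
# page; BitBlt and CGWindowListCreateImage are assumed additions.
SCREEN_CAPTURE_APIS = {"CopyFromScreen", "BitBlt", "CGWindowListCreateImage"}
# Processes permitted to call those APIs in this (assumed) fleet.
CAPTURE_ALLOWLIST = {"SnippingTool.exe", "zoom.us"}
IMAGE_EXT = re.compile(r"\.(png|jpe?g|bmp|gif)$", re.I)
CORRELATION_WINDOW_S = 10  # assumed: image write this soon after a capture API call

# T1176 (macOS): the profiles invocation and the Managed Preferences plist
# location are from the page; the approved plist names are assumed.
PROFILES_RE = re.compile(r"\bprofiles\s+install\b.*-type=configuration", re.I)
MANAGED_PREFS_RE = re.compile(r"^/Library/Managed Preferences/[^/]+/.*\.plist$")
APPROVED_EXTENSION_PLISTS = {"com.company.approved-extension.plist"}
# T1176 (Windows): registry locations where extension installs are registered
# (assumed patterns; adapt to the browsers you manage).
EXT_REG_RE = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\(Extensions|ExtensionInstallForcelist)\\", re.I)


@dataclass
class Alert:
    technique: str
    rule: str
    host: str
    evidence: str


def _basename(path):
    return re.split(r"[\\/]", path)[-1]


def detect(events):
    """Run all rules over a time-ordered list of event dicts and return alerts."""
    alerts = []
    last_capture_api = {}  # (host, pid) -> ts of the last capture API call
    for e in events:
        host, kind = e["host"], e["type"]
        if kind == "process":
            cmd = e["cmdline"]
            exe = _basename(cmd.split()[0]) if cmd.split() else ""
            if exe.lower() in SCREEN_CAPTURE_CMDS:
                alerts.append(Alert("T1113", "screen_capture_command", host, cmd))
            if PROFILES_RE.search(cmd):
                alerts.append(Alert("T1176", "profiles_install_configuration", host, cmd))
        elif kind == "api":
            if e["api"] in SCREEN_CAPTURE_APIS and _basename(e["image"]) not in CAPTURE_ALLOWLIST:
                alerts.append(Alert("T1113", "capture_api_from_unexpected_process", host,
                                    f'{e["image"]} -> {e["api"]}'))
                last_capture_api[(host, e["pid"])] = e["ts"]
        elif kind == "file":
            path = e["path"]
            # Image files on disk are common; only alert when the same process
            # called a capture API shortly before (the correlation the page recommends).
            t0 = last_capture_api.get((host, e["pid"]))
            if IMAGE_EXT.search(path) and t0 is not None and 0 <= e["ts"] - t0 <= CORRELATION_WINDOW_S:
                alerts.append(Alert("T1113", "capture_api_then_image_write", host, path))
            if MANAGED_PREFS_RE.match(path) and _basename(path) not in APPROVED_EXTENSION_PLISTS:
                alerts.append(Alert("T1176", "unapproved_extension_plist", host, path))
        elif kind == "registry":
            if EXT_REG_RE.search(e["key"]):
                alerts.append(Alert("T1176", "extension_registry_key_created", host, e["key"]))
    return alerts


# Constructed sample telemetry (not real data from the campaign).
SAMPLE_EVENTS = [
    {"type": "process", "host": "mac-01", "cmdline": "/usr/sbin/screencapture -x /tmp/.s1.png"},
    {"type": "process", "host": "mac-01",
     "cmdline": "profiles install -type=configuration -path /tmp/ext.mobileconfig"},
    {"type": "file", "host": "mac-01", "pid": 611, "ts": 100,
     "path": "/Library/Managed Preferences/alice/com.evil.shopping-helper.plist"},
    {"type": "file", "host": "mac-01", "pid": 612, "ts": 101,
     "path": "/Library/Managed Preferences/alice/com.company.approved-extension.plist"},
    {"type": "api", "host": "win-07", "pid": 4412, "ts": 200,
     "image": "C:\\Users\\bob\\AppData\\Roaming\\upd.exe", "api": "CopyFromScreen"},
    {"type": "file", "host": "win-07", "pid": 4412, "ts": 203,
     "path": "C:\\Users\\bob\\AppData\\Roaming\\cap_0001.jpg"},
    {"type": "api", "host": "win-07", "pid": 900, "ts": 210,
     "image": "C:\\Windows\\System32\\SnippingTool.exe", "api": "BitBlt"},
    {"type": "file", "host": "win-07", "pid": 5000, "ts": 300,
     "path": "C:\\Users\\bob\\Pictures\\vacation.jpg"},
    {"type": "registry", "host": "win-07",
     "key": "HKLM\\Software\\Google\\Chrome\\Extensions\\abcdefghijklmnopabcdefghijklmnop"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.technique} {a.rule:38} {a.host} {a.evidence}")
```

Against the constructed sample, the allowlisted SnippingTool.exe call and the unrelated vacation.jpg write produce nothing, while the unsigned-looking upd.exe capture call followed three seconds later by a .jpg from the same PID produces two T1113 alerts; the unapproved plist, the profiles command and the Chrome Extensions key each produce a T1176 alert.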