
Madgicx Plus Ad Hijack Campaign
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| DS0026 | Active Directory | Active Directory Object Modification |
Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications. Monitor for changes made to security settings related to Azure AD Conditional Access Policies. These can be found in the Azure AD audit log under the operation name Update Conditional Access policy.[14] Analytic 1 - Changes to AD security settings outside of normal maintenance windows. index=security sourcetype IN ("WinEventLog:Security", "azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "linux_audit", "macos_secure", "network_logs")(EventCode IN (4670, 5136, 5137, 5139, 5141) OR eventName IN ("UpdateUser", "UpdateGroup", "UpdatePolicy", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy") OR "protoPayload.methodName" IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update")) |
| DS0015 | Application Log | Application Log Content |
Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Entra ID Application Proxy Connector, which are typically generated only when a new Pass Through Authentication (PTA) Agent is added. If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment. Analytic 1 - Unexpected sign-ins or new PTA Agent additions. index=third_party_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit")(eventName IN ("AddServicePrincipal", "AddUser", "UpdateUser", "AddGroup", "UpdateGroup", "AddPolicy", "UpdatePolicy", "AddRole", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy") OR eventCategory IN ("Sign-ins", "Security", "AuditLogs") OR EventID IN (501, 4662) OR "protoPayload.methodName" IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update")) |
| DS0025 | Cloud Service | Cloud Service Modification |
Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems. Analytic 1 - Changes to access policies without corresponding change requests. index=cloud_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit")(eventName IN ("UpdateServicePrincipal", "UpdateUser", "UpdateGroup", "UpdatePolicy", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy", "ModifyAuthenticationMethod") OR protoPayload.methodName IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update", "Set-AzureADApplicationProxyConnector", "Update-PassThroughAuthentication") OR (eventName="Sign-in" AND targetResourceType="applicationProxyConnector")) |
| DS0022 | File | File Creation |
Monitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.[15] Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs). Analytic 1 - Unauthorized file creation in critical directories. index=security sourcetype IN ("WinEventLog:Security", "wineventlog:sysmon", "linux_audit", "macos_secure")(EventCode=4663 OR EventCode=11 OR EventCode=13 OR (sourcetype="linux_audit" AND (syscall="creat" OR syscall="open" OR syscall="openat")) OR (sourcetype="macos_secure" AND action="file_write"))| eval TargetFile=coalesce(ObjectName, FileName, target_file)| search TargetFile IN ( "C:\Windows\System32\config\SAM", "C:\Windows\System32\config\system", "C:\Windows\System32\config\security", "C:\Windows\System32\lsass.exe", "/etc/passwd", "/etc/shadow", "/etc/pam.d/", "/Library/Preferences/com.apple.loginwindow.plist") |
| DS0011 | Module | Module Load |
Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe. If AD FS is in use, monitor the AD FS server for the creation of DLLs as well as the loading of unrecognized or unsigned DLLs into the Microsoft.IdentityServer.Servicehost application.[7] Analytic 1 - Unauthorized DLL loads in critical systems. index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")(EventCode=7 OR EventCode=10 OR sourcetype="linux_secure" OR sourcetype="macos_secure")| eval ImageLoaded=coalesce(Image, file_path, target_file)| eval Process=coalesce(ProcessGuid, pid, process_id)| eval User=coalesce(User, user, user_name)| eval Platform=case( sourcetype=="WinEventLog:Microsoft-Windows-Sysmon/Operational", "Windows", sourcetype=="linux_secure", "Linux", sourcetype=="macos_secure", "macOS", true(), "Unknown")| search ImageLoaded IN ("\lsass.exe", "\services.exe", "\winlogon.exe", "/usr/libexec/", "/usr/bin/", "/etc/pam.d/", "/Library/Preferences/com.apple.loginwindow.plist") |