Madgicx Plus Ad Hijack Campaign

Tags: Madgicx, Session Hijacking, Meta Business Account Theft, Fake Ad Tools
A malicious threat actor group is tricking Meta advertisers into installing fake Chrome extensions like Madgicx Plus and SocialMetrics Pro. These extensions are disguised as tools to optimize ads or unlock verification, but they steal login tokens and session cookies. Attackers then hijack Meta Business and Ad accounts for profit.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

T1556 – Modify Authentication Process / Steal Session Cookies
Detection data sources (ID | Data Source | Data Component), each followed by what it detects:

DS0026 | Active Directory | Active Directory Object Modification

Monitor for changes made to AD security settings related to MFA logon requirements, such as changes to Azure AD Conditional Access Policies or the registration of new MFA applications.

Monitor for changes made to security settings related to Azure AD Conditional Access Policies. These can be found in the Azure AD audit log under the operation name Update Conditional Access policy.[14]

Analytic 1 - Changes to AD security settings outside of normal maintenance windows.

index=security sourcetype IN ("WinEventLog:Security", "azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "linux_audit", "macos_secure", "network_logs")
    (EventCode IN (4670, 5136, 5137, 5139, 5141)
     OR eventName IN ("UpdateUser", "UpdateGroup", "UpdatePolicy", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy")
     OR protoPayload.methodName IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update"))

DS0015 | Application Log | Application Log Content

Enable security auditing to collect logs from hybrid identity solutions. For example, monitor sign-ins to the Entra ID Application Proxy Connector, which are typically generated only when a new Pass Through Authentication (PTA) Agent is added.

If AD FS is in use, review the logs for event ID 501, which specifies all EKU attributes on a claim, and raise alerts on any values that are not configured in your environment.

Analytic 1 - Unexpected sign-ins or new PTA Agent additions.

index=third_party_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit")
    (eventName IN ("AddServicePrincipal", "AddUser", "UpdateUser", "AddGroup", "UpdateGroup", "AddPolicy", "UpdatePolicy", "AddRole", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy")
     OR eventCategory IN ("Sign-ins", "Security", "AuditLogs")
     OR EventID IN (501, 4662)
     OR protoPayload.methodName IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update"))

DS0025 | Cloud Service | Cloud Service Modification

Monitor for changes made to conditional access policies used by SaaS identity providers and internal IaaS identity and access management systems.

Analytic 1 - Changes to access policies without corresponding change requests.

index=cloud_logs sourcetype IN ("azure:activity", "gsuite:reports:activity", "aws:cloudtrail", "office365:management", "saas_audit")
    (eventName IN ("UpdateServicePrincipal", "UpdateUser", "UpdateGroup", "UpdatePolicy", "UpdateRole", "PutRolePolicy", "AttachUserPolicy", "AttachGroupPolicy", "AttachRolePolicy", "ModifyAuthenticationMethod")
     OR protoPayload.methodName IN ("directory.users.update", "admin.directory.group.update", "admin.directory.roleAssignments.update", "Set-AzureADApplicationProxyConnector", "Update-PassThroughAuthentication")
     OR (eventName="Sign-in" AND targetResourceType="applicationProxyConnector"))
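The two analytics above (policy changes outside a maintenance window, and policy changes with no matching change request) applied to constructed Entra ID audit records, as an added example that is not from this page or from MITRE. The 02:00-04:00 UTC window, the simplified record shape, the changeRequest field and the ticket IDs are assumptions.

```python
"""Evaluate Entra ID (Azure AD) audit records against two conditional access analytics."""
import json
from datetime import datetime, time

# Audit-log operation names that change authentication policy. The page names
# "Update Conditional Access policy"; the other two are assumed siblings.
POLICY_OPERATIONS = {
    "Update Conditional Access policy",
    "Add Conditional Access policy",
    "Delete Conditional Access policy",
}

# Assumed daily maintenance window, UTC.
MAINT_START, MAINT_END = time(2, 0), time(4, 0)

# Constructed sample records (simplified AuditLogs shape; changeRequest is an
# assumed enrichment field carrying the ticket ID, it is not a native field).
SAMPLE_LOG = """
{"activityDateTime":"2024-05-06T02:30:00Z","activityDisplayName":"Update Conditional Access policy","initiatedBy":"admin@example.test","changeRequest":"CHG-1001"}
{"activityDateTime":"2024-05-06T14:12:00Z","activityDisplayName":"Update Conditional Access policy","initiatedBy":"admin@example.test","changeRequest":"CHG-1002"}
{"activityDateTime":"2024-05-06T22:47:00Z","activityDisplayName":"Update Conditional Access policy","initiatedBy":"contractor@example.test","changeRequest":""}
{"activityDateTime":"2024-05-06T15:00:00Z","activityDisplayName":"Add user","initiatedBy":"hr@example.test","changeRequest":""}
"""

# Constructed set of approved change tickets from the CMDB.
APPROVED_CHANGES = {"CHG-1001", "CHG-1002"}


def in_maintenance_window(ts: datetime) -> bool:
    """True when the event's wall-clock time (UTC) falls inside the window."""
    t = ts.timetz().replace(tzinfo=None)
    return MAINT_START <= t < MAINT_END


def evaluate(log_text: str, approved: set) -> list:
    """Return (actor, timestamp, reasons) for each policy change that trips an analytic."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["activityDisplayName"] not in POLICY_OPERATIONS:
            continue  # not an authentication-policy change, ignore
        ts = datetime.fromisoformat(rec["activityDateTime"].replace("Z", "+00:00"))
        reasons = []
        if not in_maintenance_window(ts):
            reasons.append("outside maintenance window")
        if rec.get("changeRequest", "") not in approved:
            reasons.append("no approved change request")
        if reasons:
            findings.append((rec["initiatedBy"], ts.isoformat(), reasons))
    return findings
```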

DS0022 | File | File Creation

Monitor for suspicious additions to the /Library/Security/SecurityAgentPlugins directory.[15]

Monitor for newly created files that may be used to register malicious network provider dynamic link libraries (DLLs).

Analytic 1 - Unauthorized file creation in critical directories.

index=security sourcetype IN ("WinEventLog:Security", "wineventlog:sysmon", "linux_audit", "macos_secure")
    (EventCode=4663 OR EventCode=11 OR EventCode=13
     OR (sourcetype="linux_audit" AND (syscall="creat" OR syscall="open" OR syscall="openat"))
     OR (sourcetype="macos_secure" AND action="file_write"))
| eval TargetFile=coalesce(ObjectName, TargetFilename, FileName, target_file)
| search TargetFile IN ("C:\Windows\System32\config\SAM", "C:\Windows\System32\config\system", "C:\Windows\System32\config\security", "C:\Windows\System32\lsass.exe", "/etc/passwd", "/etc/shadow", "/etc/pam.d/*", "/Library/Preferences/com.apple.loginwindow.plist")

DS0011 | Module | Module Load

Monitor for new, unfamiliar DLL files written to a domain controller and/or local computer. Password filters will also show up as an autorun and loaded DLL in lsass.exe.

If AD FS is in use, monitor the AD FS server for the creation of DLLs as well as the loading of unrecognized or unsigned DLLs into the Microsoft.IdentityServer.Servicehost application.[7]

Analytic 1 - Unauthorized DLL loads in critical systems.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure")
    (EventCode=7 OR EventCode=10 OR sourcetype="linux_secure" OR sourcetype="macos_secure")
| eval ImageLoaded=coalesce(Image, file_path, target_file)
| eval Process=coalesce(ProcessGuid, pid, process_id)
| eval User=coalesce(User, user, user_name)
| eval Platform=case(sourcetype=="WinEventLog:Microsoft-Windows-Sysmon/Operational", "Windows", sourcetype=="linux_secure", "Linux", sourcetype=="macos_secure", "macOS", true(), "Unknown")
| search ImageLoaded IN ("*\lsass.exe", "*\services.exe", "*\winlogon.exe", "/usr/libexec/*", "/usr/bin/*", "/etc/pam.d/*", "/Library/Preferences/com.apple.loginwindow.plist")

Observed countries (1): DE (244)