
Project Silent Browse: 4.3M Victims of ShadyPanda's Long Game
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1176.001 – Browser Extensions (Software Extensions)
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process. |
| | | | Installation of malicious .mobileconfig profiles or browser-extension plist entries followed by abnormal browser child-process activity. |
| | | | Manual or scripted installation of Chrome extensions through shell scripts, extension policy files, or external-extension JSON files, followed by unexpected network connections from browser processes. |
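The first analytic above is a two-stage sequence: an extension install, then browser network activity to somewhere it should not go. The following is an added example of that correlation written for this page (it is not code from the report or from any vendor); the telemetry records, the ten-minute window, and the trusted-domain suffix list are all constructed assumptions to be replaced with your EDR's extension-install and process-network events and your own allowlist.

```python
"""
T1176.001 sequence detection (added example): an extension install event
followed, within a short window, by the same browser process on the same
host/user reaching a domain outside an allowlist of store/update endpoints.
"""
from datetime import datetime, timedelta

# Constructed telemetry. "ext_install" would come from a new directory under the
# profile's Extensions/ folder or an EDR extension-install event; "net_conn"
# from process network events (Sysmon EID 3 / EDR). Not real data.
EVENTS = [
    {"ts": "2025-12-01T09:00:00", "type": "ext_install", "host": "ws01", "user": "alice",
     "process": "chrome.exe", "ext_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"},
    {"ts": "2025-12-01T09:00:12", "type": "net_conn", "host": "ws01", "user": "alice",
     "process": "chrome.exe", "domain": "clients2.google.com", "dport": 443},
    {"ts": "2025-12-01T09:01:40", "type": "net_conn", "host": "ws01", "user": "alice",
     "process": "chrome.exe", "domain": "cdn.example-untrusted.test", "dport": 443},
    {"ts": "2025-12-01T13:00:00", "type": "net_conn", "host": "ws01", "user": "alice",
     "process": "chrome.exe", "domain": "another.example.test", "dport": 443},  # outside window
    {"ts": "2025-12-01T10:00:00", "type": "ext_install", "host": "ws02", "user": "bob",
     "process": "msedge.exe", "ext_id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"},
    {"ts": "2025-12-01T10:00:05", "type": "net_conn", "host": "ws02", "user": "bob",
     "process": "msedge.exe", "domain": "edge.microsoft.com", "dport": 443},
]

# Hypothetical allowlist: domains a browser legitimately contacts right after an
# install (store/update endpoints). Tune per environment.
TRUSTED_SUFFIXES = (".google.com", ".gstatic.com", ".microsoft.com", ".mozilla.org")
WINDOW = timedelta(minutes=10)


def is_trusted(domain: str) -> bool:
    return domain.endswith(TRUSTED_SUFFIXES)


def correlate(events, window=WINDOW):
    """Return (host, user, ext_id, domain) tuples for untrusted connections made
    by the installing browser process within `window` after an install."""
    ordered = sorted(events, key=lambda e: e["ts"])
    installs, alerts = [], []
    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "ext_install":
            installs.append((ts, e))
            continue
        if e["type"] != "net_conn" or is_trusted(e["domain"]):
            continue
        for its, inst in installs:
            same_ctx = (inst["host"], inst["user"], inst["process"]) == \
                       (e["host"], e["user"], e["process"])
            if same_ctx and its <= ts <= its + window:
                alerts.append((e["host"], e["user"], inst["ext_id"], e["domain"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT extension-install followed by untrusted connection:", alert)
```

Only the ws01 install fires: its first connection is to an update endpoint and is suppressed, the second is to an unknown domain inside the window, and the afternoon connection falls outside it. Keying on host, user and process image keeps a user's other browser from triggering on someone else's install.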
T1557 – Adversary in the Middle
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detect Adversary-in-the-Middle via Network and Configuration Anomalies | | Detects suspicious DNS/ARP poisoning attempts, unauthorized modifications to registry or network configuration, or abnormal TLS downgrade activity. Correlates changes in system configuration with subsequent unusual network flows or authentication events. |
| | | | Detects unauthorized edits to /etc/hosts, /etc/resolv.conf, or suspicious ARP broadcasts. Correlates file modifications with subsequent unexpected network sessions or service creation. |
| | | | Detects unauthorized edits to system configuration profiles, unexpected certificate trust changes, or abnormal ARP/DNS patterns indicative of interception. |
| | | | Detects unauthorized firmware or configuration changes that enable adversary-in-the-middle positioning (e.g., route injection, DNS spoofing, TLS downgrade). Behavioral analytics focus on sudden changes to routing tables or image-file integrity failures. |
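The Linux row above names the two files an endpoint-side AitM most often touches. As an added example (not code from the report), the check below parses /etc/hosts and /etc/resolv.conf text, flags name-to-address pins that point outside loopback, link-local or the organisation's own ranges, flags resolvers outside an approved set, and records a content hash to compare against a stored baseline. The file contents, the 10.0.0.0/8 "internal" range and the approved resolver addresses are constructed assumptions.

```python
"""
T1557 configuration-anomaly check for Linux (added example): parse /etc/hosts
and /etc/resolv.conf, flag suspicious overrides and unapproved nameservers,
and hash the content for baseline comparison.
"""
import hashlib
import ipaddress

# Constructed /etc/hosts: the last entry pins a vendor update host to a public
# address, the classic local-redirection setup for interception.
HOSTS_TEXT = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
10.0.5.20   fileserver.corp.internal
203.0.113.9 update.example-vendor.test   # injected
"""

# Constructed /etc/resolv.conf with one resolver that is not ours.
RESOLV_TEXT = """\
search corp.internal
nameserver 10.0.0.53
nameserver 198.51.100.77
"""

APPROVED_RESOLVERS = {"10.0.0.53", "10.0.0.54"}          # hypothetical
# Ranges where a hosts override is considered legitimate: loopback, link-local
# and the organisation's internal space (10/8 assumed here).
LEGIT_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "::1/128", "fe80::/10", "10.0.0.0/8")]
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Yield (ip, name) pairs; comments and blank lines are skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name


def suspicious_hosts_entries(text):
    """Non-local names pinned to addresses outside LEGIT_NETS."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in LEGIT_NETS):
            flagged.append((ip, name))
    return flagged


def unapproved_nameservers(text, approved=APPROVED_RESOLVERS):
    servers = [ln.split()[1] for ln in text.splitlines()
               if ln.strip().startswith("nameserver") and len(ln.split()) > 1]
    return [s for s in servers if s not in approved]


def content_hash(text):
    """Record at baseline time; a changed hash is the trigger to re-run the checks."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    print("hosts overrides:", suspicious_hosts_entries(HOSTS_TEXT))
    print("unapproved resolvers:", unapproved_nameservers(RESOLV_TEXT))
    print("hosts sha256:", content_hash(HOSTS_TEXT))
```

In deployment, read the real files, keep the baseline hash in your inventory system, and treat a hash change as the event to correlate with the "subsequent unexpected network sessions" the table describes; the parse functions then tell you what changed.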
T1539 – Steal Web Session Cookie
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | | Detects suspicious access to browser session-cookie storage (e.g., Chrome's Cookies SQLite database) or memory reads of browser processes, including injection or memory-dump utilities targeting chrome.exe, firefox.exe, or msedge.exe. |
| | | | Detects access to known browser cookie files (e.g., ~/.mozilla/firefox/*.default*/cookies.sqlite, ~/.config/google-chrome/) and suspicious reads of browser memory via /proc/[pid]/mem or ptrace. |
| | | | Detects unauthorized access to browser cookie paths (e.g., ~/Library/Application Support/Google/Chrome/Default/Cookies, or Default/Network/Cookies on current Chrome releases) or task_for_pid/vm_read calls into Safari or Chrome memory space. |
| | | | Detects automation macros or VBA scripts in documents that access browser file paths, read cookie data, or attempt to exfiltrate browser session tokens over HTTP. |
| | | | Detects use of session cookies or authentication tokens from unusual user agents or locations. Identifies token reuse without reauthentication or attempts to bypass MFA using previously stolen cookies. |
T1555.003 – Credentials from Web Browsers
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent calls to CryptUnprotectData or memory-inspection attempts. |
| | | | Detects attempts to access browser credential stores (e.g., Firefox logins.json and key4.db, Chrome's Login Data SQLite database) or the secret-storage daemons that protect them (e.g., gnome-keyring-daemon). Observes unauthorized file reads and memory inspection of browser processes using ptrace or gdb. |
| | | | Detects abnormal access to Safari credential stores (Keychain-backed) or Chrome/Firefox login databases. Observes processes executing `security dump-keychain` or directly reading credential files under ~/Library/Application Support. Correlates file access with suspicious process ancestry or unsigned binaries. |
T1217 – Browser Information Discovery
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | Detection of Local Browser Artifact Access for Reconnaissance | | Access to browser artifact locations (Chrome, Edge, Firefox) by processes such as PowerShell, cmd.exe, or unknown tools, followed by file reads, decoding, or export operations indicating enumeration of bookmarks, autofill, or history databases. |
| | | | Unauthorized shell or script-based access to browser configuration or SQLite history files, typically under ~/.config/google-chrome/, ~/.mozilla/, or ~/.var/app (Flatpak) directories, indicating enumeration of bookmarks or saved credentials. |
| | | | Scripting or CLI-tool access to bookmark, cookie, or history databases under ~/Library/Application Support/Google/Chrome or ~/Library/Safari. Detection relies on unexpected processes accessing or reading from these locations. |
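The file-access rows for T1539, T1555.003 and T1217 share one detection core: a process that is not the browser opens a browser artifact file. The example below is added for this page (not code from the report) and serves all three tables: it maps the artifact file names and profile directories named above, across Windows, Linux and macOS, to the technique they indicate, and raises an alert only when the opening process image is not an expected browser binary. The file-access records are constructed; the browser image list is an assumption you would replace with your own hashes or signer checks.

```python
"""
Browser-artifact access detection (added example) covering T1539 (cookies),
T1555.003 (saved credentials) and T1217 (history/bookmarks) on Windows,
Linux and macOS, from file-access telemetry such as Sysmon EID 11 / EDR records.
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "technique host process path")

# Artifact file name (lower-cased) -> technique. Chrome/Edge files sit in the
# profile directory (Cookies under Network/ since Chrome 96), Firefox files in
# the profile folder, Safari files under ~/Library.
ARTIFACTS = {
    "cookies": "T1539", "cookies.sqlite": "T1539", "cookies.binarycookies": "T1539",
    "login data": "T1555.003", "logins.json": "T1555.003", "key4.db": "T1555.003",
    "history": "T1217", "bookmarks": "T1217", "places.sqlite": "T1217",
    "web data": "T1217", "bookmarks.plist": "T1217",
}

# Profile roots on the three platforms, matched against a '/'-normalised path.
BROWSER_DIRS = re.compile(
    r"(/google/chrome/|/microsoft/edge/|/chromium/|/mozilla/firefox/|/\.mozilla/firefox/"
    r"|/\.config/google-chrome/|/\.config/chromium/|/\.var/app/[^/]+/"
    r"|/library/application support/google/chrome/|/library/safari/|/library/cookies/)",
    re.IGNORECASE,
)

# Process images expected to open these files themselves (assumed allowlist).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "chrome", "chromium",
                  "google-chrome", "firefox", "google chrome", "safari", "msedge"}

# Constructed file-access events; not real telemetry.
EVENTS = [
    {"host": "ws01", "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "ws01", "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"host": "lnx01", "process": "/usr/bin/python3",
     "path": "/home/bob/.mozilla/firefox/abc123.default-release/logins.json"},
    {"host": "mac01", "process": "/bin/cp",
     "path": "/Users/carol/Library/Safari/Bookmarks.plist"},
    {"host": "mac01", "process": "/Applications/Safari.app/Contents/MacOS/Safari",
     "path": "/Users/carol/Library/Safari/Bookmarks.plist"},
    {"host": "ws02", "process": r"C:\Windows\System32\cmd.exe",
     "path": r"C:\Users\dan\Documents\report.docx"},
]


def classify(path: str):
    """Technique id if `path` is a known browser artifact inside a profile root, else None."""
    norm = path.replace("\\", "/")
    if not BROWSER_DIRS.search(norm):
        return None
    return ARTIFACTS.get(norm.rsplit("/", 1)[-1].lower())


def detect(events):
    """Alert on artifact access by any process image not in BROWSER_IMAGES."""
    alerts = []
    for ev in events:
        technique = classify(ev["path"])
        image = ev["process"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if technique and image not in BROWSER_IMAGES:
            alerts.append(Alert(technique, ev["host"], image, ev["path"]))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.technique} {a.host}: {a.process} read {a.path}")
```

Matching on image name alone is the weak point: a renamed binary passes. In production, back the allowlist with signer or hash checks and add the ancestry correlation the macOS row calls for, so a legitimately named browser spawned from an Office macro or an unsigned parent still alerts.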
T1041 – Exfiltration Over C2 Channel
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Identifies suspicious outbound traffic-volume mismatches from processes that typically do not generate network activity, particularly over C2 protocols such as HTTPS, DNS, or custom TCP/UDP ports, following file or data access. |
| | | | Monitors for processes reading sensitive files and then immediately initiating unusual outbound connections or bulk-transfer sessions over persistent sockets, particularly with encrypted or binary payloads. |
| | | | Detects unauthorized applications or scripts accessing sensitive data and then establishing encrypted outbound communication to rare external destinations or with abnormal byte ratios. |
| | | | Detects VMs sending outbound traffic through non-standard services or to unknown destinations, including exfiltration over reverse shells tunneled through the VMkernel or custom payloads routed via hostd/vpxa. |
T1567 – Exfiltration Over Web Service
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| | | | Processes that normally do not initiate network communications suddenly making outbound HTTPS connections with high outbound-to-inbound data ratios. Defender perspective: correlate process-creation logs (e.g., Word, Excel, PowerShell) with subsequent anomalous network-traffic volumes toward common web services (Dropbox, Google Drive, OneDrive). |
| | | | Processes (tar, curl, Python scripts) accessing large file sets and initiating outbound HTTPS POST requests with payload sizes inconsistent with baseline activity. Defender perspective: detect the abnormal sequence of file archival followed by encrypted uploads to external web services. |
| | | | Office apps or scripts writing files, followed by xattr manipulation (to strip the quarantine attribute) and subsequent HTTPS uploads. Defender perspective: anomalous file modification plus outbound TLS traffic originating from non-networking apps (Word, Excel, Preview). |
| | | | Abnormal API calls from user accounts invoking file-upload endpoints outside normal baselines (M365, Google Drive, Box). Defender perspective: monitor unified audit logs for elevated frequency of Upload, Create, or Copy operations from compromised accounts. |
| | | | ESXi guest OS or management-interface processes establishing unexpected external HTTPS connections. Defender perspective: monitor vmx or hostd processes making outbound web requests with significant data transfer. |
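The T1041 and T1567 rows both rest on the same two measurements: an outbound-to-inbound byte ratio that says "upload", and a per-process baseline that says whether this process should be sending anything at all. The following is an added example written for this page (not code from the report) that computes both over aggregated flow records and adds a flag when the destination is a file-sharing service. The flow records, the per-process hourly baselines, the 3x deviation rule and the service suffix list are all constructed assumptions; in practice the inputs would be proxy logs or EDR network events carrying byte counts.

```python
"""
Outbound-volume analytic for T1041 / T1567 (added example): aggregate flows per
(host, process, destination), keep only upload-shaped flows (out:in ratio high,
enough bytes to matter), then explain each with baseline and destination checks.
"""
from collections import defaultdict

# Hypothetical per-process baseline of bytes sent per hour, learned over a quiet
# period. A process missing from this map has no history of network use.
BASELINE_OUT_PER_HOUR = {"chrome.exe": 50_000_000, "outlook.exe": 5_000_000, "curl": 200_000}
FILE_SHARING = ("dropbox.com", "dropboxapi.com", "drive.google.com",
                "onedrive.live.com", "box.com")

# Constructed flow records: host, process, destination, bytes_out, bytes_in.
FLOWS = [
    ("ws01", "chrome.exe", "www.example.test", 1_200_000, 48_000_000),   # normal browsing
    ("ws01", "winword.exe", "content.dropboxapi.com", 60_000_000, 9_000),  # Word uploading
    ("ws01", "winword.exe", "content.dropboxapi.com", 8_000_000, 1_000),   # same session, later
    ("ws03", "curl", "api.dropbox.com", 9_000_000, 12_000),               # curl far above baseline
    ("ws02", "excel.exe", "api.example.test", 40_000, 30_000),            # small and balanced
    ("ws04", "python3", "203.0.113.25", 25_000_000, 4_000),               # bulk push to raw IP
]


def aggregate(flows):
    """Sum bytes_out / bytes_in per (host, process, destination)."""
    agg = defaultdict(lambda: [0, 0])
    for host, proc, dst, out_b, in_b in flows:
        agg[(host, proc, dst)][0] += out_b
        agg[(host, proc, dst)][1] += in_b
    return agg


def score(flows, min_out=1_000_000, min_ratio=10.0):
    """Return (host, process, destination, reasons) for upload-shaped flows that
    either have no network baseline, exceed 3x their baseline, or go to a
    file-sharing service."""
    alerts = []
    for (host, proc, dst), (out_b, in_b) in sorted(aggregate(flows).items()):
        ratio = out_b / max(in_b, 1)
        if out_b < min_out or ratio < min_ratio:
            continue
        reasons = []
        base = BASELINE_OUT_PER_HOUR.get(proc)
        if base is None:
            reasons.append("no network baseline")
        elif out_b > 3 * base:
            reasons.append(f"{out_b / base:.0f}x baseline outbound")
        if dst.endswith(FILE_SHARING):
            reasons.append("file-sharing destination")
        if reasons:
            alerts.append((host, proc, dst, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for host, proc, dst, why in score(FLOWS):
        print(f"{host} {proc} -> {dst}: {why}")
```

Chrome's large-but-download-heavy flow and Excel's tiny balanced flow drop out on the ratio and size gates, so the alerts are the Word upload to Dropbox, curl at 45x its baseline, and a Python process pushing to a bare IP with no history of talking to anything. Aggregating before scoring matters: a sender that splits an upload into many small POSTs would otherwise sit under `min_out` on every individual record.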