
Crescentharvets Campaign Targets Iranian Protest Supporters
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1036 - Masquerading
ID | Name | Analytic ID | Analytic Description |
Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy | Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage. | ||
Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop. | |||
Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup. | |||
Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs. | |||
Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds. |
T1176 - Browser Extensions
ID | Name | Analytic ID | Analytic Description |
Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process. | |||
Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity. | |||
Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes. |
T1083 - File and Directory Discovery
ID | Name | Analytic ID | Analytic Description |
Recursive Enumeration of Files and Directories Across Privilege Contexts | Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations. | ||
Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories. | |||
Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows. | |||
Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users. | |||
Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs. |
T1560 - Archive Collected Data
ID | Name | Analytic ID | Analytic Description |
Detects adversarial archiving of files prior to exfiltration by correlating execution of compression/encryption utilities (e.g., makecab.exe, rar.exe, 7z.exe, powershell Compress-Archive) with subsequent creation of large compressed or encrypted files. Identifies abnormal process lineage involving crypt32.dll usage, command-line arguments invoking compression switches, and file write operations to temporary or staging directories. | |||
Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp). | |||
Detects use of macOS-native archiving or encryption tools (zip, ditto, hdiutil) for staging collected data. Identifies unexpected invocation of archive utilities by Office apps, browsers, or background daemons. Correlates file creation of .zip/.dmg containers with process lineage anomalies. |
T1090 - Proxy
ID | Name | Analytic ID | Analytic Description |
Detection of Proxy Infrastructure Setup and Traffic Bridging | Suspicious process spawning (e.g., rundll32, svchost, powershell, or netsh) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports. | ||
User-space tools (e.g., socat, ncat, iptables, ssh) used in non-standard ways to establish reverse shells, port-forwarding, or inter-host connections. Often chained with uncommon outbound destinations or SSH tunnels. | |||
AppleScript, LaunchAgents, or remote login services (ssh, networksetup) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts. | |||
Direct use of nc, socat, or reverse tunnel scripts initiated by abnormal user contexts or unauthorized VIBs initiating connections from hypervisor to external systems. | |||
Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy. |
T1566 - Phishing
ID | Name | Analytic ID | Analytic Description |
Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received. | |||
Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity. | |||
Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution. | |||
Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections. | |||
Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery. | |||
Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts. |
T1140 - Deobfuscate/Decode Files or Information
ID | Name | Analytic ID | Analytic Description |
Detect Adversary Deobfuscation or Decoding of Files and Payloads | An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution. | ||
The adversary uses native utilities like base64, gzip, tar, or openssl to decode, decompress, or decrypt files that were previously staged or downloaded. These tools may be chained with curl/wget and executed via bash/zsh, often to extract an embedded payload or reverse shell script. | |||
The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript. |
T1546 - Event Triggered Execution
ID | Name | Analytic ID | Analytic Description |
Behavioral Detection of Event Triggered Execution Across Platforms | Correlates unexpected modifications to WMI event filters, scheduled task triggers, or registry autorun keys with subsequent execution of non-standard binaries by SYSTEM-level processes. | ||
Detects inotify or auditd configuration changes that monitor system files coupled with execution of script interpreters or binaries by cron or systemd timers. | |||
Correlates launchd plist modifications with subsequent unauthorized script execution or anomalous parent-child process trees involving user agents. | |||
Monitors cloud function creation triggered by specific audit log events (e.g., IAM changes, object creation), followed by anomalous behavior from new service accounts. | |||
Correlates Power Automate or similar logic app workflows triggered by SaaS file uploads or email rules with data forwarding or anomalous access patterns. | |||
Detects macros or VBA triggers set to execute on document open or close events, often correlating with embedded payloads or C2 traffic shortly after execution. |
T1056 - Input Capture
ID | Name | Analytic ID | Analytic Description |
Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging. | |||
Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context. | |||
Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring. | |||
Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and POST credential content. |
T1547 - Boot or Logon Autostart Execution
ID | Name | Analytic ID | Analytic Description |
Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup | |||
Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot | |||
Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon |