
DarkSword iOS Exploit Kit
Indicators of Compromise
APT Groups
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DET0080 - Exploit Public-Facing Application

| Data Component | Name | Channel |
| --- | --- | --- |
| Application Log Content (DC0038) | ApplicationLog:IIS | IIS W3C logs (5xx spikes, RCE/SQLi patterns) |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
DET0090 - Cross-host C2 via Removable Media Relay

| Data Component | Name | Channel |
| --- | --- | --- |
| Drive Creation (DC0042) | WinEventLog:System | EventCode=1006 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
DET0100 - Behavioral Detection of APC Injection

| Data Component | Name | Channel |
| --- | --- | --- |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Process Modification (DC0020) | WinEventLog:Sysmon | EventCode=8 |
| OS API Execution (DC0021) | etw:Microsoft-Windows-Kernel-Process | APCQueueOperations |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |