
Casbaneiro Phishing Campaign
DETECTION
DET0146 - Detection of Data Destruction Across Platforms via Mass Overwrite and Deletion Patterns
Analytics
AN0411
An adversary spawns command-line tools (e.g., del, cipher /w, SDelete) or scripts to recursively delete or overwrite user/system files. This may be correlated with abnormal file I/O activity, registry writes, or tampering in critical system directories.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| | WinEventLog:Sysmon | EventCode=1 |
| | WinEventLog:Sysmon | EventCode=11 |
| | WinEventLog:Sysmon | EventCode=23 |
Mutable Elements
| Field | Description |
|---|---|
| TargetFilename | Filter file deletion activity to sensitive locations (e.g., %System32%, Documents, DB paths). |
| ProcessCommandLine | Tune for aggressive overwrite flags (e.g., /w, /q, /s) or temp file overwrites. |
| VolumeThreshold | Threshold of unique file deletions or modifications within the time window. |
| TimeWindow | Correlate rapid file delete/overwrite behavior from the same process/user. |
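As an added example (not code from this page or from the analytic's authors), the following Python implements AN0411's logic: it remembers processes whose command line (EventCode 1) carried aggressive flags, keeps a per-process sliding window of file create/delete events (EventCode 11/23) under sensitive paths, and alerts once the number of unique files in the window reaches VolumeThreshold. The event dict layout, path prefixes, threshold and window values are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunables mirroring the analytic's mutable elements (values are assumptions).
SENSITIVE_PATHS = ("C:\\Windows\\System32\\", "C:\\Users\\")   # TargetFilename
WIPE_FLAGS = {"/w", "/q", "/s"}                                 # ProcessCommandLine
VOLUME_THRESHOLD = 5                                            # unique files
TIME_WINDOW = timedelta(seconds=60)                             # per process

def is_sensitive(path):
    """TargetFilename filter: only count files under monitored locations."""
    return path.lower().startswith(tuple(p.lower() for p in SENSITIVE_PATHS))

def detect(events):
    """Return (ProcessId, severity, unique_files) alerts from time-ordered Sysmon-style dicts."""
    alerts = []
    wipe_pids = set()              # PIDs whose command line carried wipe flags
    windows = defaultdict(deque)   # pid -> (time, file) pairs inside TIME_WINDOW
    for ev in events:
        pid, ts = ev["ProcessId"], datetime.fromisoformat(ev["UtcTime"])
        if ev["EventCode"] == 1:   # process creation: remember aggressive flags
            if WIPE_FLAGS & set(ev["CommandLine"].lower().split()):
                wipe_pids.add(pid)
            continue
        if ev["EventCode"] not in (11, 23) or not is_sensitive(ev["TargetFilename"]):
            continue               # only file create/delete in sensitive paths
        win = windows[pid]
        win.append((ts, ev["TargetFilename"].lower()))
        while ts - win[0][0] > TIME_WINDOW:   # slide the window forward
            win.popleft()
        unique = {name for _, name in win}
        if len(unique) >= VOLUME_THRESHOLD:
            severity = "high" if pid in wipe_pids else "medium"
            alerts.append((pid, severity, len(unique)))
            win.clear()            # one alert per burst, then start counting again
    return alerts

# Constructed sample events (not from the page): cmd.exe bulk-deleting a user's
# documents, followed by an unrelated single deletion that must not alert.
SAMPLE_EVENTS = [
    {"EventCode": 1, "ProcessId": 4812, "UtcTime": "2024-05-01T10:00:00",
     "CommandLine": "cmd.exe /c del /s /q C:\\Users\\alice\\Documents\\*"},
] + [
    {"EventCode": 23, "ProcessId": 4812, "UtcTime": f"2024-05-01T10:00:{i:02d}",
     "TargetFilename": f"C:\\Users\\alice\\Documents\\report{i}.docx"}
    for i in range(1, 7)
] + [
    {"EventCode": 23, "ProcessId": 1234, "UtcTime": "2024-05-01T10:03:00",
     "TargetFilename": "C:\\Users\\bob\\Desktop\\old.txt"},
]
```

`detect(SAMPLE_EVENTS)` yields one high-severity alert for PID 4812 at the fifth unique file; the same deletions spread a minute apart fall outside the window and produce nothing.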
DET0249 - Behavior-chain detection for T1610 Deploy Container across Docker & Kubernetes control/node planes
Analytics
AN0693
Remote/API-driven creation and start of a container whose image is not on an allow-list (or is tagged latest), executed by a non-admin principal, and/or started with risky runtime attributes (e.g., --privileged, host PID/NET namespaces, sensitive host path mounts, capability adds). The analytic correlates create ➜ start ➜ first network/process actions from that container within a short time window.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | docker:daemon | container_create, container_start |
| Container Start (DC0077) | containerd:runtime | CRI CreateContainer/StartContainer with privileged=true OR added capabilities OR host* namespaces |
| Process Creation (DC0032) | ebpf:syscalls | process execution or network connect from the just-created container PID namespace |
| Network Traffic Content (DC0085) | docker:events | remote API calls to /containers/create or /containers/{id}/start |
Mutable Elements
| Field | Description |
|---|---|
| known_images | Environment-specific allow-list of approved images (with digests). |
| known_admins | Service accounts or CI/CD users permitted to deploy containers. |
| TimeWindow | Max time between create, start, and first activity to consider events causally linked (default 5m). |
| RiskThreshold | Minimum number of risky attributes (e.g., unknown image + privileged) to alert. |
| PrivilegedFlags | Set of runtime flags considered high risk (e.g., --privileged, --cap-add=SYS_ADMIN, hostPID, hostNetwork, /var/run/docker.sock mount). |
DET0309 - Compromised software/update chain (installer/write → first-run/child → egress/signature anomaly)
Analytics
AN0862
The adversary ships a tampered application or update: an updater/installer (msiexec, setup.exe, update.exe, or a vendor service) writes or replaces binaries; on first run the program spawns scripts/shells or loads unsigned DLLs and beacons to non-approved update CDNs/hosts. Detection correlates (1) process creation of the installer/updater → (2) file metadata changes in program paths → (3) first-run child processes and module/signature anomalies → (4) outbound connections to unexpected hosts, all within a short window.
Log Sources
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Driver Load (DC0079) | WinEventLog:Sysmon | EventCode=6 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13, 14 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3, 22 |
| File Metadata (DC0059) | WinEventLog:Microsoft-Windows-CodeIntegrity/Operational | Unsigned or invalid image for newly installed/updated binaries |
| Network Traffic Flow (DC0078) | NSM:Flow | First-time egress to non-approved update hosts right after install/update |
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Correlate write → first-run → egress (default 90 minutes). |
| ApprovedUpdateHosts | Allow-list of vendor update endpoints and the enterprise proxy/cache. |
| ApprovedSigners | Code-signing publishers allowed for programs/services. |
| ProgramPaths | Monitored install locations (e.g., C:\Program Files, C:\ProgramData, %LOCALAPPDATA%). |