
The MCPwn Campaign: Unauthorized Nginx Server Takeovers
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| Technique ID | Technique Name | Data Source | Detection Description |
|---|---|---|---|
| | System Owner/User Discovery | | Monitor execution of whoami, w, who, net user, id, query user and similar user-discovery commands. |
| | | | Capture and analyze command-line arguments via Windows Event ID 4688. |
| | | | Monitor API calls used to query user/session information (e.g., GetUserNameA, WTSEnumerateSessions). |
| | OS Credential Dumping | | Monitor API calls to LSASS: OpenProcess, ReadProcessMemory, MiniDumpWriteDump. |
| | | | Detect access or copying of SAM, SYSTEM, SECURITY registry hives. |
| | | | Detect known credential dumping tools: Mimikatz, procdump, comsvcs.dll, secretsdump. |
| | | | Analyze Windows Event ID 4663 (object access) and 4656 (handle requests) on credential stores. |
| | | | Detect DCSync attacks: unexpected DS-Replication-Get-Changes-All usage by non-DC accounts. |
| | Command and Scripting Interpreter: JavaScript | | Monitor wscript.exe, cscript.exe, node.exe for anomalous parent-child process chains. |
| | | | Detect .js/.jse files executed from user profile, temp, or download directories. |
| | | | Monitor JavaScript-initiated outbound network connections from script interpreters. |
| | | | Capture Windows Script Host invocations and arguments via Event Log. |
| | System Information Discovery | | Monitor systeminfo, uname -a, hostname, ver, Get-ComputerInfo and similar commands. |
| | | | Detect WMI queries targeting Win32_OperatingSystem and Win32_ComputerSystem classes. |
| | | | Monitor access to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and related keys. |
| | | | Flag multiple sequential system enumeration commands from a single session as anomalous. |
| | Exploit Public-Facing Application | | Analyze web server logs for abnormal payloads, error code spikes (4xx/5xx), and traffic anomalies. |
| | | | Review WAF and IDS/IPS alerts for SQLi, XXE, SSRF, and RCE attempt signatures. |
| | | | Detect unexpected child processes spawned from web server processes (e.g., Apache/IIS → cmd.exe). |
| | | | Monitor for web shell file creation in web-accessible directories post-exploitation. |
| | Process Injection | | Monitor API calls: CreateRemoteThread, VirtualAllocEx, WriteProcessMemory, NtMapViewOfSection, QueueUserAPC. |
| | | | Detect legitimate processes (svchost.exe, explorer.exe) making unexpected outbound network connections. |
| | | | Identify process hollowing via permission changes to process memory regions. |
| | | | Detect anomalous DLL loads and unexpected module injections via ETW. |
| | Server Software Component: Web Shell | | Monitor creation of new script files (.php, .asp, .aspx, .jsp) in web-accessible directories. |
| | | | Detect web server processes (IIS, Apache, Nginx) spawning OS command interpreters. |
| | | | Analyze HTTP logs for unusual parameters, encoded payloads, and suspicious user-agent strings. |
| | | | Use File Integrity Monitoring (FIM) on web directories to detect unauthorized modifications. |
| | Abuse Elevation Control Mechanism | | Monitor UAC bypass techniques: fodhelper, eventvwr, sdclt, cmstp, and similar known abuses. |
| | | | Detect sudo, su, runas, and privilege escalation command usage. |
| | | | Analyze Windows Event ID 4688 for high-privilege process creation; Event ID 4672/4673 for privilege assignments. |
| | | | Detect unexpected SUID/SGID bit changes on Linux/macOS file systems. |
| | Proxy | | Detect HTTP/HTTPS CONNECT tunneling to unusual or newly observed external IP addresses. |
| | | | Identify connections to Tor exit nodes, known VPN services, or anonymizing proxies. |
| | | | Detect domain fronting via SNI and Host header mismatches in TLS traffic logs. |
| | | | Analyze NetFlow/IPFIX data for traffic routing anomalies inconsistent with network topology. |
| | Command and Scripting Interpreter | | Monitor spawning of PowerShell, Bash, Python, cmd.exe, wscript.exe, cscript.exe. |
| | | | Log and analyze command-line arguments (Windows Event ID 4688 / Sysmon Event ID 1). |
| | | | Enable PowerShell Script Block Logging and Module Logging for full script visibility. |
| | | | Detect suspicious parent→child process relationships (e.g., Office apps spawning script interpreters). |
| | File and Directory Discovery | | Monitor execution of dir, ls, find, tree, Get-ChildItem and other enumeration commands. |
| | | | Detect bulk file access activity targeting sensitive directories (C:\Users, /etc, /root). |
| | | | Flag rapid sequential directory listing operations within a single session as anomalous. |
| | | | Analyze Windows Event ID 4663 for object access audit entries on sensitive directories. |
| | Valid Accounts | | Monitor logins from unusual times, geolocations, or unrecognized devices. |
| | | | Correlate failed logins followed by success (brute-force + success) via Event ID 4625/4624. |
| | | | Detect the same credential being used across multiple systems as a lateral movement indicator. |
| | | | Use UEBA to identify deviations from established user behavior baselines. |
| | Obfuscated Files or Information | | Perform entropy analysis on files and scripts to identify high-entropy (encoded) content. |
| | | | Detect Base64, XOR, hex encoding usage in scripts via PowerShell Script Block Logging. |
| | | | Monitor PowerShell -EncodedCommand, certutil -decode, and similar decoding tool invocations. |
| | | | Use deep packet inspection (DPI) to identify obfuscation or steganography in network payloads. |
| | Data Encrypted for Impact | | Detect mass file modification or extension changes within a short time window (ransomware pattern). |
| | | | Monitor VSS deletion commands: vssadmin delete shadows, wmic shadowcopy delete. |
| | | | Detect processes making heavy use of encryption APIs (CryptoAPI, bcrypt.dll). |
| | | | Detect ransom note file creation (e.g., README.txt, HOW_TO_DECRYPT.html). |
| | Encrypted Channel | | Monitor for self-signed certificates, unusual issuers, and short-lived certs in TLS sessions. |
| | | | Compare TLS/SSL JA3 and JA3S fingerprints against known C2 tool signatures. |
| | | | Detect encrypted traffic occurring on non-standard or unexpected ports. |
| | | | Analyze data transfer sizes and timing regularity for beaconing pattern detection. |
| | Exploitation for Client Execution | | Detect unexpected child processes from browsers or Office apps (e.g., Winword.exe → cmd.exe). |
| | | | Monitor application crash logs and crash dumps as indicators of active exploit attempts. |
| | | | Detect outbound network connections initiated from sandboxed or client application processes. |
| | | | Monitor macro and script execution triggered from high-risk document formats. |
| | Application Layer Protocol: Web Protocols | | Analyze HTTP traffic for anomalous User-Agent strings, non-standard headers, and beaconing intervals. |
| | | | Detect periodic, regular HTTP requests indicative of automated C2 beaconing. |
| | | | Analyze DNS and HTTP logs for newly registered or DGA-generated domain names. |
| | | | Inspect large HTTP POST requests for potential data exfiltration over web protocols. |
| | Remote System Discovery | | Monitor execution of nmap, net view, arp -a, ping sweeps, nbtscan, and similar tools. |
| | | | Detect connection attempts to large ranges of IP addresses in short time windows. |
| | | | Monitor NetBIOS, SNMP, and LDAP queries used for network host enumeration. |
| | | | SIEM correlation: flag excessive network discovery from a single source IP within defined time thresholds. |
| | Ingress Tool Transfer | | Monitor certutil, bitsadmin, Invoke-WebRequest, wget, curl, tftp used for file download. |
| | | | Detect creation of executable files (.exe, .dll, .bat, .ps1, .sh) downloaded from the internet. |
| | | | Monitor for anomalous transfer volumes, frequencies, and suspicious file types in network traffic. |
| | | | Match downloaded file hashes against threat intelligence feeds in real time. |
| | Remote Services: Remote Desktop Protocol | | Monitor Windows Event ID 4624 (Logon Type 10) for remote desktop logon events. |
| | | | Detect RDP connections (TCP 3389) from unknown IPs or outside of business hours. |
| | | | Monitor failed RDP logon attempts (Event ID 4625) for brute-force patterns. |
| | | | Analyze TerminalServices-RemoteConnectionManager and Security event logs for suspicious RDP activity. |
| | | | Detect lateral movement: a single account establishing RDP sessions to multiple hosts in sequence. |
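The web-server-log checks in the Exploit Public-Facing Application and Web Shell rows above (error-code spikes, abnormal payloads, suspicious user agents, POSTs to script files) worked through on Nginx access-log lines. This is an added example, not tooling from the page or the campaign; the log lines, signature lists and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Nginx "combined" log_format: $remote_addr - $remote_user [$time_local] "$request"
# $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)
# Constructed signature lists: request fragments a WAF/IDS would flag (traversal, null
# byte, shell metacharacters, SQLi), scanner user agents, and script file extensions.
PAYLOAD_RE = re.compile(r"(\.\./|%2e%2e|%00|\||`|\$\(|%27|union(\s|\+|%20)select)", re.I)
SCANNER_UA_RE = re.compile(r"(sqlmap|nikto|masscan|python-requests)", re.I)
SCRIPT_RE = re.compile(r"\.(php|jsp|aspx?)(\?|$)", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, error_ratio=0.5, min_requests=4):
    """Per client IP: flag 4xx/5xx spikes, payload hits, scanner UAs and POSTs to scripts."""
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "payload": 0, "scanner": 0, "script_post": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip it rather than crash the detector
        s = stats[rec["ip"]]
        s["total"] += 1
        s["errors"] += rec["status"][0] in "45"
        s["payload"] += bool(PAYLOAD_RE.search(rec["path"]))
        s["scanner"] += bool(SCANNER_UA_RE.search(rec["ua"]))
        s["script_post"] += rec["method"] == "POST" and bool(SCRIPT_RE.search(rec["path"]))
    findings = {}
    for ip, s in stats.items():
        reasons = [label for key, label in (("payload", "suspicious_payload"),
                   ("scanner", "scanner_user_agent"), ("script_post", "post_to_script")) if s[key]]
        if s["total"] >= min_requests and s["errors"] / s["total"] >= error_ratio:
            reasons.insert(0, "error_spike")  # enough requests and mostly errors: probing
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample: one benign client, one client probing and then posting to a script.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2024:12:00:02 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "sqlmap/1.7"',
    '198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /admin.php?id=1%27 HTTP/1.1" 404 0 "-" "sqlmap/1.7"',
    '198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /login HTTP/1.1" 500 0 "-" "sqlmap/1.7"',
    '198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "POST /uploads/cmd.php HTTP/1.1" 200 120 "-" "sqlmap/1.7"',
]
```

Running `analyze(SAMPLE_LOG)` reports only the second client, with all four reasons; a file-creation event for the posted-to script path from FIM would be the natural correlation to add on top.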