
StealC and Amadey Infostealer and Loader Campaign
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION/DETECTION
| Technique | Tactic | Detection Strategy ID | Detection Strategy Name | Analytic ID | Analytic Description |
|---|---|---|---|---|---|
| Asynchronous Procedure Call | | | Behavioral Detection of Asynchronous Procedure Call (APC) Injection via Remote Thread Queuing | | Detects malicious injection behavior involving memory allocation, remote thread queuing via APC (e.g., QueueUserAPC), and altered thread context within another live process to execute unauthorized code under a legitimate context. |
| Scheduled Task | | | Detection of Suspicious Scheduled Task Creation and Execution on Windows | | Detects the creation, modification, or deletion of scheduled tasks through Task Scheduler, WMI, PowerShell, or API-based methods, followed by execution from svchost.exe or taskeng.exe. Includes hidden or anomalous tasks, especially those created under SYSTEM or suspicious user contexts. |
| PowerShell | | | Abuse of PowerShell for Arbitrary Execution | | Detects behavioral chains where PowerShell is launched with encoded commands, unusual parent processes, or suspicious modules loaded, potentially followed by network connections or child process spawning. Supports both direct (powershell.exe) and indirect (.NET automation) invocations. |
| Rundll32 | | | Detection Strategy for T1218.011 Rundll32 Abuse | | Detects rundll32.exe invoked with atypical arguments (.dll, .cpl, javascript:, mshtml); DLLs not normally loaded by rundll32 being mapped into memory; Control_RunDLL or RunHTMLApplication being invoked; suspicious DLLs or scripts accessed from disk or network; or rundll32 reaching external domains. |
| Credentials from Web Browsers | | | Detect Suspicious Access to Browser Credential Stores | | Detects unauthorized access to web browser credential stores (e.g., Chrome Login Data, Edge Credential Locker) by processes other than the browser itself. Correlates file reads of credential databases with subsequent calls to CryptUnprotectData or memory inspection attempts. |
| Steal Web Session Cookie | | | Detection of Web Session Cookie Theft via File, Memory, and Network Artifacts | | Detects suspicious access to browser session cookie storage (e.g., Chrome's Cookies SQLite DB) or memory reads of browser processes, and anomalous injection or memory-dump utilities targeting browser processes such as chrome.exe, firefox.exe, or msedge.exe. |
| Web Protocols | | | Detection of Web Protocol-Based C2 Over HTTP, HTTPS, or WebSockets | | Detects unexpected or high-volume HTTP/S/WebSocket communication from suspicious processes (e.g., PowerShell, rundll32) using uncommon user agents or mimicking browser traffic to unusual domains or IPs. |
| Ingress Tool Transfer | | | Detect Ingress Tool Transfers via Behavioral Chain | | Detects unusual or uncommon processes initiating network connections to external destinations, followed by file creation (tools downloaded). |
| Remote Desktop Protocol | | | Multi-event Detection Strategy for RDP-Based Remote Logins and Post-Access Activity | | Detects a Remote Desktop (RDP) logon by a user followed by unusual process execution, file access, or lateral movement activity within a short timeframe. |
| Local Account | | | T1136.001 Detection Strategy - Local Account Creation Across Platforms | | Detects an adversary using built-in tools such as net user /add, PowerShell, or WMI to create a local user. Sequence: an account creation event (4720) follows process creation of a suspicious executable (e.g., powershell.exe or net.exe). |
| Screen Capture | | | Detect Screen Capture via Commands and API Calls | | Detects unusual use of screen capture APIs (e.g., CopyFromScreen) or command-line tools to write image files to disk. |
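Two of the analytics in the table are explicitly described as event sequences: a non-browser process reading a browser credential store and then calling CryptUnprotectData, and an account-management tool (net.exe, PowerShell, WMI) launching shortly before a 4720 account-creation event. The following is an added example, not code from the original page or from any vendor, showing how such sequence correlation can be implemented over endpoint telemetry. The log format (`ts|host|event|process|detail`), the event names, and the five-minute window are assumptions; the sample log lines are constructed for the example.

```python
"""Sequence-correlation detector for two behavioral chains from the detection table.

Added example: field layout, event names, and the correlation window are assumptions,
loosely modelled on Sysmon/Windows Security telemetry. Sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Format: ts|host|event|process|detail
SAMPLE_LOG = r"""
2024-01-01T10:00:05|WS01|FileRead|chrome.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-01-01T10:01:00|WS01|FileRead|update.exe|C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data
2024-01-01T10:01:02|WS01|ApiCall|update.exe|CryptUnprotectData
2024-01-01T10:02:00|WS01|ProcessCreate|net.exe|net user helpdesk /add
2024-01-01T10:02:01|WS01|4720|-|helpdesk
2024-01-01T11:30:00|WS02|ProcessCreate|powershell.exe|Get-Process
2024-01-01T11:45:00|WS02|4720|-|svc_backup
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}          # processes allowed to read their own stores
CREDENTIAL_STORES = ("login data", "cookies", "web data")       # file-name suffixes of Chromium credential DBs
ACCOUNT_TOOLS = {"net.exe", "net1.exe", "powershell.exe", "wmic.exe"}
WINDOW = timedelta(minutes=5)                                   # assumed correlation window


def parse_line(line):
    """Split one pipe-delimited telemetry line into a dict; 'detail' may itself contain no pipes here."""
    ts, host, event, process, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event,
            "process": process.lower(), "detail": detail}


def load(text):
    """Parse all non-empty lines and return events in chronological order."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_browser_credential_access(events):
    """Analytic: a non-browser process reads a browser credential DB, then calls
    CryptUnprotectData from the same (host, process) within WINDOW."""
    last_read = {}   # (host, process) -> timestamp of the most recent credential-store read
    alerts = []
    for e in events:
        key = (e["host"], e["process"])
        if (e["event"] == "FileRead" and e["process"] not in BROWSERS
                and e["detail"].lower().endswith(CREDENTIAL_STORES)):
            last_read[key] = e["ts"]
        elif (e["event"] == "ApiCall" and e["detail"] == "CryptUnprotectData"
                and key in last_read and e["ts"] - last_read[key] <= WINDOW):
            alerts.append({"rule": "browser_credential_access", "host": e["host"],
                           "process": e["process"], "ts": e["ts"]})
            del last_read[key]   # one alert per read/decrypt pair
    return alerts


def detect_local_account_creation(events):
    """Analytic: process creation of an account-management tool followed by a
    4720 (user account created) on the same host within WINDOW."""
    recent_tool = {}   # host -> most recent ProcessCreate event for an account tool
    alerts = []
    for e in events:
        if e["event"] == "ProcessCreate" and e["process"] in ACCOUNT_TOOLS:
            recent_tool[e["host"]] = e
        elif e["event"] == "4720":
            prior = recent_tool.get(e["host"])
            if prior and e["ts"] - prior["ts"] <= WINDOW:
                alerts.append({"rule": "local_account_creation", "host": e["host"],
                               "process": prior["process"], "cmdline": prior["detail"],
                               "account": e["detail"], "ts": e["ts"]})
    return alerts


def run(text=SAMPLE_LOG):
    """Run both analytics over a telemetry text and return the combined alert list."""
    events = load(text)
    return detect_browser_credential_access(events) + detect_local_account_creation(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed sample, chrome.exe reading its own Login Data produces nothing, update.exe reading the same file and then calling CryptUnprotectData two seconds later raises one alert, and net.exe followed one second later by a 4720 raises the second; the 4720 on WS02 is fifteen minutes after the last PowerShell launch and falls outside the window, which is the kind of timing threshold that needs tuning against real baseline data before deployment.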