T1608.006 SEO Poisoning Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// SEO Poisoning Detection — Victim-side proxy/web gateway telemetry
// Detects search-engine-referred downloads of high-risk file types
let SearchEngineReferers = dynamic([
    'google.com/search', 'bing.com/search', 'yahoo.com/search',
    'duckduckgo.com', 'search.yahoo.com', 'yandex.com/search',
    'google.co.uk', 'google.com.au', 'google.ca', 'google.de',
    'google.fr', 'google.co.jp', 'baidu.com/s'
]);
CommonSecurityLog
| where TimeGenerated > ago(24h)
| where DeviceAction !in ("deny", "block", "drop", "Deny", "Block", "Drop", "reset-both")
| where isnotempty(RequestContext)
| where RequestContext has_any (SearchEngineReferers)
| where RequestURL matches regex @"(?i)\.(zip|exe|msi|js|jse|hta|wsf|ps1|vbs|vbe|dll|iso|img|cab|7z|rar)(\?|#|$)"
| extend RiskCategory = case(
    RequestURL has_any ('.exe', '.dll', '.msi', '.cab'), 'HighRisk-Executable',
    RequestURL has_any ('.js', '.jse', '.hta', '.wsf', '.ps1', '.vbs', '.vbe'), 'HighRisk-Script',
    RequestURL has_any ('.zip', '.iso', '.img', '.7z', '.rar'), 'MediumRisk-Archive',
    'Other'
  )
| extend SearchQuery = url_decode(extract(@"[?&]q=([^&#]+)", 1, RequestContext))
| extend DestDomain = extract(@"https?://([^/]+)", 1, RequestURL)
| extend FileRequested = extract(@"([^/]+\.(zip|exe|msi|js|jse|hta|wsf|ps1|vbs|dll|iso|img|cab|7z|rar))(?:\?|#|$)", 1, RequestURL)
| project TimeGenerated, SourceUserName, SourceIP, DestDomain, FileRequested,
          RequestURL, RequestContext, RiskCategory, SearchQuery,
          RequestClientApplication, DeviceVendor, DeviceProduct, DestinationIP
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Network Traffic: Network Traffic Flow Application Log: Application Log Content

Required Tables

CommonSecurityLog

False Positives

Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results

Splunk

spl

// SEO Poisoning Detection — Web proxy access log analysis
// Correlates search engine HTTP Referer headers with suspicious file downloads
(index=proxy OR index=web_gateway OR index=firewall)
  (sourcetype="bluecoat:proxysg:access:syslog" OR sourcetype="squid" OR sourcetype="pan:url"
   OR sourcetype="cisco:wsa:squid" OR sourcetype="websense:cg:kv" OR sourcetype="zscaler:proxy"
   OR sourcetype="symantec:proxysg:access:syslog")
| eval referrer=lower(coalesce(cs_referer, http_referer, referer, x_cs_referer, ""))
| where match(referrer, "(google\.com/search|bing\.com/search|yahoo\.com/search|duckduckgo\.com|search\.yahoo\.com|yandex\.com/search|google\.[a-z]{2,3}(\.[a-z]{2})?/search)")
| eval request_url=lower(coalesce(cs_uri_stem, uri_path, url, c_uri, ""))
| where match(request_url, "\.(zip|exe|msi|js|jse|hta|wsf|ps1|vbs|vbe|dll|iso|img|cab|7z|rar)(\?|#|$)")
| eval risk_category=case(
    match(request_url, "\.(exe|dll|msi|cab)(\?|$)"), "HighRisk-Executable",
    match(request_url, "\.(js|jse|hta|wsf|ps1|vbs|vbe)(\?|$)"), "HighRisk-Script",
    match(request_url, "\.(zip|iso|img|7z|rar)(\?|$)"), "MediumRisk-Archive",
    1==1, "Other"
  )
| rex field=referrer "[?&]q=(?<search_query>[^&]+)"
| eval search_query=urldecode(search_query)
| eval username=coalesce(cs_username, user, src_user, "unknown")
| eval dest_host=coalesce(cs_host, dest_host, host_header, "")
| eval file_requested=mvindex(split(request_url, "/"), -1)
| table _time, username, src_ip, dest_host, file_requested, request_url, referrer,
        risk_category, search_query, cs_useragent
| where risk_category IN ("HighRisk-Executable", "HighRisk-Script", "MediumRisk-Archive")
| sort - _time

high severity medium confidence

Data Sources

Network Traffic: Network Traffic Content Application Log: Application Log Content Web Proxy Logs

Required Sourcetypes

bluecoat:proxysg:access:syslog pan:url cisco:wsa:squid zscaler:proxy

False Positives

Enterprise software downloads from trusted vendor CDNs or distribution sites discovered via search engine — particularly EXE installers, MSI packages, and ZIP archives from known-good domains
Developer workflows involving searching for npm/PyPI packages or framework documentation that includes downloadable sample files or compressed archives
IT helpdesk staff searching for and downloading diagnostic utilities, driver packages, or software tools in response to user tickets
Automated browser-based testing frameworks or web scrapers configured to use search referrers that access file download endpoints
Cloud storage share links (OneDrive, SharePoint, Google Drive) generating referrer headers that partially match search engine patterns when accessed via web portal

Elastic Security (EQL)

eql

any where process.name : ("curl", "wget", "powershell.exe", "certutil.exe", "bitsadmin.exe") and (process.command_line : ("*.bin", "*.exe", "*.dll", "*.ps1", "*.bat", "*.vbs", "*.hta") or network.direction : "egress" and destination.port in (80, 443) and process.parent.name : ("winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe", "cscript.exe"))

high severity medium confidence

Data Sources

Elastic Endpoint Security Elastic Agent Network Events

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.network-* logs-endpoint.events.file-*

False Positives

Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results

IBM QRadar (AQL)

sql

SELECT sourceip as "SourceIP", destinationip as "DestinationIP", UTF8(payload) as "URL", username as "Username", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%.exe%' OR UTF8(payload) ILIKE '%.dll%' OR UTF8(payload) ILIKE '%.bin%' THEN 80 WHEN UTF8(payload) ILIKE '%paste%' OR UTF8(payload) ILIKE '%transfer.sh%' OR UTF8(payload) ILIKE '%gofile%' THEN 75 WHEN UTF8(payload) ILIKE '%certutil%' OR UTF8(payload) ILIKE '%bitsadmin%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Proxy', 'Windows', 'Zscaler Internet Access') AND (eventid = 4688 OR destinationport IN (80, 443)) ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Security Event Log Proxy Zscaler Internet Access

Required Tables

events

False Positives

Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results

Sumo Logic CSE

sql

_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access | json auto | where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe") and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin")) or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*") | if(matches(process_name, "*certutil*") and matches(command_line, "*urlcache*"), "High", if(matches(url, "*transfer.sh*") or matches(url, "*gofile.io*"), "High", "Medium")) as RiskLevel | count by src_ip, process_name, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

Windows Endpoint Events Proxy Access Logs

Required Tables

endpoint/windows proxy/access

False Positives

Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results

Google Chronicle / SecOps

yaral

rule detect_stage_capabilities {
  meta:
    author = "Argus"
    description = "Detects staging of capabilities from external infrastructure"
    severity = "HIGH"
    technique = "T1608"
  events:
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      re.regex($e.target.url, `\.(exe|dll|bin|ps1|bat|vbs|hta|sh|elf)($|\?)`) nocase or
      re.regex($e.target.hostname, `transfer\.sh|paste\.ee|gofile\.io|anonfiles|temp\.sh`) nocase
    )
    $e.principal.process.file.full_path != ""
  condition:
    $e
}

high severity medium confidence

Data Sources

Endpoint Telemetry Web Proxy Google Workspace

Required Tables

NETWORK_HTTP PROCESS_LAUNCH FILE_CREATION

False Positives

Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /certutil|bitsadmin|curl|wget/i
| CommandHistory = /urlcache|transfer|download|http/i
| case {
    CommandHistory = /\.exe|\.dll|\.bin/i | FileType := "Executable";
    CommandHistory = /\.ps1|\.bat|\.vbs/i | FileType := "Script";
    * | FileType := "Other"
  }
| table([@timestamp, UserName, ComputerName, ImageFileName, CommandHistory, FileType])

high severity medium confidence

Data Sources

ProcessRollup2 (Falcon sensor) NetworkConnectIP4 (Falcon sensor)

Required Tables

ProcessRollup2 NetworkConnectIP4 DetectionSummaryEvent

False Positives

Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results

SEO Poisoning

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Resource Development

Popular Detections