T1608.006 Splunk · SPL

Detect SEO Poisoning in Splunk

Adversaries manipulate search engine optimization (SEO) rankings so that infrastructure hosting their payloads appears prominently in the results that potential victims see. Techniques include keyword stuffing on compromised websites (often WordPress or other CMS installations), purchasing or planting inbound links to inflate site reputation, cloaking and redirect chains that serve benign content to crawlers and malicious content to real users, and gaming the in-site search of developer platforms (GitHub, npm, PyPI) for supply chain lures. The goal is to intercept users conducting legitimate searches and route them to adversary-controlled download sites, which directly enables Drive-by Compromise (T1189). Gootloader is the most extensively documented malware family delivered through SEO poisoning: compromised WordPress sites rank highly for legal document and business template queries and serve ZIP archives containing obfuscated JavaScript. Because the staging happens entirely outside the victim network, detection pivots to victim-side indicators: proxy and web gateway logs in which a search-engine HTTP Referer coincides with a suspicious file download, endpoint telemetry showing a browser-spawned script interpreter execution chain, and file system artifacts showing archive extraction followed by script execution in user-writable directories.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1608 Stage Capabilities
Sub-technique
T1608.006 SEO Poisoning
Canonical reference
https://attack.mitre.org/techniques/T1608/006/

SPL Detection Query

Splunk (SPL)

(index=proxy OR index=web_gateway OR index=firewall)
  (sourcetype="bluecoat:proxysg:access:syslog" OR sourcetype="squid" OR sourcetype="pan:url"
   OR sourcetype="cisco:wsa:squid" OR sourcetype="websense:cg:kv" OR sourcetype="zscaler:proxy"
   OR sourcetype="symantec:proxysg:access:syslog")
| eval referrer=lower(coalesce(cs_referer, http_referer, referer, x_cs_referer, ""))
| where match(referrer, "^https?://(www\.)?(google\.[a-z]{2,3}(\.[a-z]{2})?|bing\.com|(search\.)?yahoo\.com|duckduckgo\.com|yandex\.(com|ru))(/|$)")
| eval request_url=lower(coalesce(cs_uri_stem, uri_path, url, c_uri, ""))
| where match(request_url, "\.(zip|exe|msi|js|jse|hta|wsf|ps1|vbs|vbe|dll|iso|img|cab|7z|rar)(\?|#|$)")
| eval risk_category=case(
    match(request_url, "\.(exe|dll|msi|cab)(\?|#|$)"), "HighRisk-Executable",
    match(request_url, "\.(js|jse|hta|wsf|ps1|vbs|vbe)(\?|#|$)"), "HighRisk-Script",
    match(request_url, "\.(zip|iso|img|7z|rar)(\?|#|$)"), "MediumRisk-Archive",
    1==1, "Other"
  )
| rex field=referrer "[?&](?:q|p|text)=(?<search_query>[^&#]+)"
| eval search_query=urldecode(search_query)
| eval username=coalesce(cs_username, user, src_user, "unknown")
| eval src_ip=coalesce(src_ip, c_ip, src, "")
| eval dest_host=coalesce(cs_host, dest_host, host_header, "")
| eval file_requested=mvindex(split(mvindex(split(request_url, "?"), 0), "/"), -1)
| table _time, username, src_ip, dest_host, file_requested, request_url, referrer,
        risk_category, search_query, cs_useragent
| sort - _time

Severity: high · Confidence: medium

Detects potential SEO poisoning victims in web proxy access logs across multiple proxy sourcetypes (Blue Coat ProxySG, Squid, Palo Alto URL filtering, Cisco WSA, Websense, Zscaler, Symantec ProxySG). It pairs an HTTP Referer from a search engine with a requested URL whose path ends in a suspicious file extension (query string and fragment are ignored when classifying the extension). The referrer, client, user and destination fields are normalized across vendor formats with coalesce, the file type is bucketed into executable, script or archive risk categories, and the original search terms are extracted and URL-decoded for analyst context where the engine still sends them (q for Google, Bing and DuckDuckGo, p for Yahoo, text for Yandex). Two prerequisites matter more than the sourcetype list: the proxy must actually log the Referer header, and for HTTPS destinations that header is only visible when TLS inspection is in place. Expect search_query to be empty in most hits, because modern browsers and the major search engines send an origin-only Referer such as https://www.google.com/ on result clicks; the search-engine host is the reliable signal, not the /search?q= path.
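The same detection logic, replayed in Python over a handful of constructed proxy records so it can be exercised without a Splunk instance. This is an added example rather than code from the page or from any vendor; the record layout (c_ip, cs_username, cs_host, cs_uri_stem, cs_referer, cs_user_agent) imitates a space-delimited Blue Coat ELFF line but is an assumption, and every hostname, user and IP in the sample data is made up. It goes slightly beyond the SPL above by accepting an allowlist of approved download hosts, which is the first tuning step the False Positives section calls for.

```python
"""Offline replay of the SEO-poisoning proxy detection (added example, not the page's own code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Search engines are matched on the Referer host only. Google, Bing and the
# others send an origin-only Referer (e.g. https://www.google.com/) on result
# clicks, so a pattern that requires '/search?q=' would almost never fire.
SEARCH_ENGINE_HOST = re.compile(
    r"^(www\.)?(google\.[a-z]{2,3}(\.[a-z]{2})?|bing\.com|(search\.)?yahoo\.com"
    r"|duckduckgo\.com|yandex\.(com|ru))$"
)
# Query parameter carrying the search terms: q for most engines, p for Yahoo, text for Yandex.
QUERY_PARAMS = ("q", "p", "text")

RISK_BY_EXT = {
    "HighRisk-Executable": {"exe", "dll", "msi", "cab"},
    "HighRisk-Script": {"js", "jse", "hta", "wsf", "ps1", "vbs", "vbe"},
    "MediumRisk-Archive": {"zip", "iso", "img", "7z", "rar"},
}

# Assumed record layout (space-delimited, Blue Coat ELFF style); the user agent is last.
FIELDS = ["date", "time", "c_ip", "cs_username", "cs_host", "cs_uri_stem",
          "cs_referer", "cs_user_agent"]

# Constructed sample records, not real traffic.
SAMPLE_LOG = [
    "2024-05-14 09:12:03 10.1.2.3 jdoe compromised-lawblog.example "
    "/wp-content/uploads/contract_template.zip "
    "https://www.google.com/search?q=employment+contract+template "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
    # Origin-only Referer: still a search-engine referral, but no query to extract.
    "2024-05-14 09:15:41 10.1.2.4 asmith templates-biz.example "
    "/downloads/invoice_form.js https://www.bing.com/ "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
    # Vendor installer found via search: a true match the allowlist should suppress.
    "2024-05-14 09:20:17 10.1.2.5 itops allowed-vendor.example "
    "/tools/diag.exe?ver=3 https://duckduckgo.com/ "
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0",
    # Internal search page with a /search?q= path: not a search engine, must not fire.
    "2024-05-14 09:22:55 10.1.2.6 bob intranet.example /docs/policy.zip "
    "https://intranet.example/search?q=policy Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0",
    # Search referral to an HTML page: no download extension, must not fire.
    "2024-05-14 09:30:02 10.1.2.7 carol news.example /article.html "
    "https://www.google.com/ Mozilla/5.0 (Macintosh; Intel Mac OS X 14_4) Safari/605.1.15",
]


def parse_record(line):
    """Split one record into FIELDS; the user agent (last field) may contain spaces."""
    return dict(zip(FIELDS, line.split(" ", len(FIELDS) - 1)))


def search_engine_referrer(referrer):
    """Return the Referer host if it belongs to a search engine, else None."""
    if referrer in ("", "-"):
        return None
    host = urlsplit(referrer.lower()).hostname or ""
    return host if SEARCH_ENGINE_HOST.match(host) else None


def risk_category(uri):
    """Classify the request by the extension of its path, ignoring ?query and #fragment."""
    path = uri.lower().split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    for category, exts in RISK_BY_EXT.items():
        if ext in exts:
            return category
    return None


def search_query(referrer):
    """Pull the search terms out of the Referer when the engine still sends them."""
    qs = parse_qs(urlsplit(referrer).query)
    for param in QUERY_PARAMS:
        if param in qs:
            return qs[param][0]
    return None


def detect(lines, allowed_hosts=frozenset()):
    """One finding per record with a search-engine Referer and a risky download."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        engine = search_engine_referrer(rec["cs_referer"])
        category = risk_category(rec["cs_uri_stem"])
        if engine is None or category is None or rec["cs_host"].lower() in allowed_hosts:
            continue
        hits.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "user": rec["cs_username"], "src_ip": rec["c_ip"], "dest_host": rec["cs_host"],
            "file": rec["cs_uri_stem"].split("?", 1)[0].rsplit("/", 1)[-1],
            "risk_category": category, "search_engine": engine,
            "search_query": search_query(rec["cs_referer"]),
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG, allowed_hosts={"allowed-vendor.example"}):
        print(hit)
```

Running it prints two findings: the ZIP from the compromised site with the recovered query "employment contract template", and the .js download whose Bing referral carried no query at all. The vendor installer is suppressed by the allowlist, and the intranet search page and the HTML article never match.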

Data Sources

Network Traffic: Network Traffic Content
Application Log: Application Log Content
Web Proxy Logs

Required Sourcetypes

bluecoat:proxysg:access:syslog
pan:url
cisco:wsa:squid
zscaler:proxy

The query also accepts squid, websense:cg:kv and symantec:proxysg:access:syslog events where those sourcetypes are present.

False Positives & Tuning

  • Enterprise software downloads from trusted vendor CDNs or distribution sites discovered via search engine — particularly EXE installers, MSI packages, and ZIP archives from known-good domains
  • Developer workflows involving searching for npm/PyPI packages or framework documentation that includes downloadable sample files or compressed archives
  • IT helpdesk staff searching for and downloading diagnostic utilities, driver packages, or software tools in response to user tickets
  • Automated browser-based testing frameworks or web scrapers configured to use search referrers that access file download endpoints
  • Cloud storage share links (OneDrive, SharePoint, Google Drive) generating referrer headers that partially match search engine patterns when accessed via web portal
  • Maintain an allowlist of approved download hosts (vendor CDNs, internal software repositories) and exclude them on dest_host rather than widening the extension list
  • The rule only sees the Referer header when the proxy logs it and, for HTTPS destinations, when TLS inspection is enabled; without both, coverage is limited to plain-HTTP downloads
  • Browsers send an origin-only Referer (for example https://www.google.com/) on search result clicks, so search_query is frequently empty; treat an empty query as normal and key tuning on the search-engine host, the destination host and the file type
Testing Methodology

Validate this detection with the four tests below. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Search Engine Referrer File Download Simulation (Proxy Telemetry Validation)

    Expected signal: Proxy/NGFW logs (CommonSecurityLog in Sentinel or proxy sourcetype in Splunk) should capture: RequestURL containing the httpbin.org target with '.zip' in the path, RequestContext/cs_referer containing 'google.com/search?q=employment+contract+template', RequestClientApplication showing Chrome user-agent, DeviceAction=Allow (or equivalent). DNS query to httpbin.org visible in DNS logs. The response will not contain an actual ZIP file but the request metadata — which is what the detection fires on — is fully generated.

  2. Test 2: Gootloader-Style ZIP Extraction and Script Execution Chain

    Expected signal: Sysmon Event ID 11 (FileCreate): two events — one for ContractTemplate2024.zip in Downloads (simulating browser download), one for ContractTemplate2024.js in the subdirectory (simulating extraction). Sysmon Event ID 1 (ProcessCreate): wscript.exe with CommandLine referencing the .js file path in Downloads. Security Event ID 4688 (if command line auditing enabled): wscript.exe process creation with full command line. A WScript message box appears displaying the test message — confirm and dismiss to complete the test.

  3. Test 3: Zone Identifier ADS Forensic Inspection (Evidence Collection Validation)

    Expected signal: Sysmon Event ID 11 (FileCreate): file creation for df00tech-seo-test.zip in Temp directory. Sysmon Event ID 15 (FileCreateStreamHash): captures the Zone.Identifier stream creation with hash — this is the key event that records ADS creation in Sysmon. PowerShell ScriptBlock Log Event ID 4104: records the Set-Content command used to write the Zone.Identifier. The Get-Content output shows ZoneId=3, ReferrerUrl containing google.com/search, and HostUrl containing the simulated malicious download domain.

  4. Test 4: npm Typosquatting Reconnaissance (Developer-Platform SEO Poisoning Detection)

    Expected signal: Process creation events for node (npm) and python3. DNS query to registry.npmjs.org visible in DNS logs. In environments that proxy npm through Artifactory or Sonatype Nexus Repository, the registry query appears in the package manager's audit logs instead. No file system artifacts are created by this test. If the developer workstation has Sysmon configured, Sysmon Event ID 22 (DNS Query) captures the registry.npmjs.org resolution.
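Test 3 above turns on what the Zone.Identifier stream records. As an added example that is not part of the page or of any tool it names, the triage below parses Mark-of-the-Web streams and flags the Internet-zone, search-referred, risky-extension combination that a Gootloader-style download leaves behind. The [ZoneTransfer] section layout, the ZoneId values and the ReferrerUrl/HostUrl keys are the real Windows format; the three stream bodies are constructed, the hostnames in them are made up, and the on-disk reader only works on NTFS.

```python
"""Zone.Identifier (Mark-of-the-Web) triage for search-referred downloads (added example)."""
import configparser
from urllib.parse import urlsplit

# URLZONE values as written by Windows into ZoneId.
URLZONE = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
SEARCH_ENGINE_SUFFIXES = (".google.com", ".bing.com", ".yahoo.com", ".duckduckgo.com", ".yandex.com")
SUSPICIOUS_EXT = {"zip", "7z", "rar", "iso", "img", "js", "jse", "hta", "wsf", "vbs", "vbe", "exe", "msi"}

# Constructed stream contents (not taken from a real host).
SAMPLE_STREAMS = {
    # What a Gootloader-style download leaves behind: Internet zone, origin-only
    # Google referrer, ZIP fetched from a compromised WordPress site.
    "gootloader_style": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://www.google.com/\r\n"
                        "HostUrl=https://compromised-lawblog.example/wp-content/uploads/contract_template.zip\r\n",
    # Intranet download: zone 1, internal referrer.
    "intranet": "[ZoneTransfer]\r\nZoneId=1\r\nReferrerUrl=https://intranet.example/\r\n"
                "HostUrl=https://intranet.example/tools/helper.zip\r\n",
    # Direct vendor download typed into the address bar: no ReferrerUrl at all.
    "vendor_direct": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://allowed-vendor.example/setup.msi\r\n",
}


def read_zone_identifier(path):
    """Read the alternate data stream from disk (Windows/NTFS only); None when there is no mark."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def parse_zone_identifier(text):
    """Parse the INI-style stream; returns {} when it carries no [ZoneTransfer] section."""
    cp = configparser.ConfigParser(interpolation=None)  # URLs contain '%', so no interpolation
    cp.read_string(text.replace("\r\n", "\n"))
    if not cp.has_section("ZoneTransfer"):
        return {}
    sec = cp["ZoneTransfer"]
    motw = {"zone_id": int(sec.get("ZoneId", "-1"))}
    for key in ("ReferrerUrl", "HostUrl"):
        if key in sec:
            motw[key] = sec[key]
    return motw


def is_search_engine(url):
    """True when the referrer host is one of the listed engines (or a subdomain of one)."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in SEARCH_ENGINE_SUFFIXES)


def triage(stream_text):
    """Combine zone, referrer and file type into a verdict for one downloaded file."""
    motw = parse_zone_identifier(stream_text)
    if not motw:
        return {"verdict": "no-motw"}
    host_url = motw.get("HostUrl", "")
    name = urlsplit(host_url).path.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    from_search = is_search_engine(motw.get("ReferrerUrl", ""))
    candidate = motw["zone_id"] == 3 and from_search and ext in SUSPICIOUS_EXT
    return {
        "verdict": "seo-poisoning-candidate" if candidate else "benign-or-unknown",
        "zone": URLZONE.get(motw["zone_id"], "Unknown"),
        "from_search_engine": from_search,
        "download_host": urlsplit(host_url).hostname,
        "extension": ext,
    }


if __name__ == "__main__":
    for label, stream in SAMPLE_STREAMS.items():
        print(label, triage(stream))
```

On a live host, feed `read_zone_identifier(r"C:\Users\...\Downloads\file.zip")` into `triage`; the stream is absent (None) for files that never came through a browser or were unblocked, which is itself worth recording in the timeline. The ReferrerUrl is usually origin-only for the same reason the proxy rule sees no query string, so the check keys on the referrer host and the HostUrl, not on search terms.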
