Detect SEO Poisoning in Sumo Logic CSE
Adversaries manipulate search engine optimization (SEO) rankings to promote malicious infrastructure hosting payloads toward potential victims. Techniques include keyword stuffing in compromised websites (often WordPress/CMS sites), purchasing or planting incoming links to boost site reputation, combining with cloaking and redirect mechanisms to evade crawler scrutiny while serving malicious content to real users, and gaming in-site developer platform searches (GitHub, npm, PyPI) for supply chain lures. The goal is to intercept users conducting legitimate searches and route them to adversary-controlled download sites, directly enabling Drive-by Compromise (T1189). Gootloader is the most extensively documented threat actor leveraging SEO poisoning — compromised WordPress sites rank highly in search results for legal document and business template queries, serving ZIP archives containing obfuscated JavaScript payloads. Detection pivots entirely to victim-side indicators: proxy and web gateway logs capturing HTTP Referer headers from search engines correlating with suspicious file downloads, endpoint telemetry showing browser-spawned script interpreter execution chains, and file system artifacts showing archive extraction followed by script execution in user-writable directories.
MITRE ATT&CK
- Tactic
- Resource Development
- Technique
- T1608 Stage Capabilities
- Sub-technique
- T1608.006 SEO Poisoning
- Canonical reference
- https://attack.mitre.org/techniques/T1608/006/
Sumo Detection Query
_sourceCategory=endpoint/windows OR _sourceCategory=proxy/access
| json auto
| where (process_name in ("curl.exe", "wget.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe")
    and (command_line matches "*.exe" or command_line matches "*.dll" or command_line matches "*.bin"))
  or (url matches "*transfer.sh*" or url matches "*paste.ee*" or url matches "*gofile.io*")
| if(process_name matches "*certutil*" and command_line matches "*urlcache*", "High",
     if(url matches "*transfer.sh*" or url matches "*gofile.io*", "High", "Medium")) as RiskLevel
| count by src_ip, process_name, RiskLevel
| sort by _count desc
Sumo Logic query for T1608.006 detection using source category filters and aggregation. Detects potential SEO poisoning victims using CommonSecurityLog (proxy/NGFW telemetry from Palo Alto
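The Sumo query above keys on download tooling and file-sharing hosts; the victim-side correlation the overview describes (search-engine Referer followed by an archive or script download, minus known vendor domains from the tuning list) is easier to reason about in code. The following is an added example written for this page, not the page's own detection content or any vendor tooling. It runs over constructed JSON proxy records whose field names (src_ip, url, referer, user_agent, action) are assumptions; map them to your gateway's schema. The vendor allowlist is likewise a placeholder.

```python
"""Victim-side SEO-poisoning triage over proxy / web-gateway records (added example)."""
import json
from collections import Counter
from urllib.parse import urlparse

# Referrer hosts treated as search engines (exact host or a subdomain of it).
SEARCH_ENGINE_HOSTS = ("google.com", "bing.com", "duckduckgo.com", "search.yahoo.com")
# Download types that typically carry SEO lures (archives and script/installer files).
LURE_EXTENSIONS = (".zip", ".js", ".msi", ".exe", ".dll", ".bin", ".iso")
# File-sharing hosts from the page's query; any download from them is High regardless of referrer.
FILE_SHARING_HOSTS = ("transfer.sh", "paste.ee", "gofile.io")
# Assumed allowlist of trusted vendor download domains (tuning item 1 on the page).
VENDOR_ALLOWLIST = {"download.mozilla.org", "objects.githubusercontent.com"}


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def host_matches(host, domains):
    # Suffix match on label boundaries so "evilgoogle.com" or
    # "www.google.com.attacker.invalid" do not pass as a search engine.
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(record):
    """Return (risk, reason) for a suspicious record, or None if it is uninteresting."""
    url = record.get("url", "")
    host = host_of(url)
    path = urlparse(url).path.lower()
    if host in VENDOR_ALLOWLIST:
        return None
    if host_matches(host, FILE_SHARING_HOSTS):
        return ("High", "download from file-sharing host " + host)
    if host_matches(host_of(record.get("referer", "")), SEARCH_ENGINE_HOSTS) and path.endswith(LURE_EXTENSIONS):
        return ("Medium", "search-engine referrer led to " + path.rsplit("/", 1)[-1])
    return None


def run(lines):
    """Triage JSON-lines proxy records; return (alerts, count of alerts per src_ip)."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        verdict = triage(rec)
        if verdict:
            risk, reason = verdict
            alerts.append({"src_ip": rec["src_ip"], "url": rec["url"], "risk": risk, "reason": reason})
    return alerts, Counter(a["src_ip"] for a in alerts)


# Constructed sample records; hosts use the reserved .invalid TLD.
SAMPLE_LINES = [
    '{"src_ip": "10.0.0.5", "url": "https://compromised-blog.invalid/wp-content/uploads/employment-contract-template.zip", "referer": "https://www.google.com/search?q=employment+contract+template", "user_agent": "Mozilla/5.0 Chrome/120", "action": "Allow"}',
    '{"src_ip": "10.0.0.5", "url": "https://gofile.io/d/abc123/update.zip", "referer": "", "user_agent": "Mozilla/5.0 Chrome/120", "action": "Allow"}',
    '{"src_ip": "10.0.0.7", "url": "https://download.mozilla.org/?product=firefox-latest", "referer": "https://www.google.com/search?q=firefox", "user_agent": "Mozilla/5.0 Chrome/120", "action": "Allow"}',
    '{"src_ip": "10.0.0.9", "url": "https://docs.example.invalid/guide.html", "referer": "https://www.bing.com/search?q=sdk+docs", "user_agent": "Mozilla/5.0 Chrome/120", "action": "Allow"}',
    '{"src_ip": "10.0.0.9", "url": "https://evilgoogle.com/setup.exe", "referer": "https://www.google.com.attacker.invalid/search?q=x", "user_agent": "Mozilla/5.0 Chrome/120", "action": "Allow"}',
]

if __name__ == "__main__":
    found, per_source = run(SAMPLE_LINES)
    for a in found:
        print(a["risk"], a["src_ip"], a["reason"])
    print(dict(per_source))
```

Only the first two records alert: the third is allowlisted, the fourth is not a lure file type, and the fifth has a spoofed search-engine-looking referrer that fails the label-boundary check. The per-source counter mirrors the query's `count by src_ip` so repeat victims surface first.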
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software downloads where users search for and directly download vendor-provided installers — particularly common for open-source tools, developer utilities, and freeware; mitigation: maintain an allowlist of trusted software vendor domains
- IT administrators discovering and downloading troubleshooting or diagnostic tools via web search, particularly ZIP archives and MSI packages
- Developer workflows where searching for SDK documentation leads to downloading JavaScript sample files or compressed source archives from official project sites
- Automated patch management or software inventory agents using browser user-agents that may produce referrer headers resembling search engine traffic
- Security researchers intentionally downloading samples from threat-sharing platforms or malware repositories that appear in search results
Other platforms for T1608.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Search Engine Referrer File Download Simulation (Proxy Telemetry Validation)
Expected signal: Proxy/NGFW logs (CommonSecurityLog in Sentinel or proxy sourcetype in Splunk) should capture: RequestURL containing the httpbin.org target with '.zip' in the path, RequestContext/cs_referer containing 'google.com/search?q=employment+contract+template', RequestClientApplication showing Chrome user-agent, DeviceAction=Allow (or equivalent). DNS query to httpbin.org visible in DNS logs. The response will not contain an actual ZIP file but the request metadata — which is what the detection fires on — is fully generated.
- Test 2: Gootloader-Style ZIP Extraction and Script Execution Chain
Expected signal: Sysmon Event ID 11 (FileCreate): two events — one for ContractTemplate2024.zip in Downloads (simulating browser download), one for ContractTemplate2024.js in the subdirectory (simulating extraction). Sysmon Event ID 1 (ProcessCreate): wscript.exe with CommandLine referencing the .js file path in Downloads. Security Event ID 4688 (if command line auditing enabled): wscript.exe process creation with full command line. A WScript message box appears displaying the test message — confirm and dismiss to complete the test.
- Test 3: Zone Identifier ADS Forensic Inspection (Evidence Collection Validation)
Expected signal: Sysmon Event ID 11 (FileCreate): file creation for df00tech-seo-test.zip in Temp directory. Sysmon Event ID 15 (FileCreateStreamHash): captures the Zone.Identifier stream creation with hash — this is the key event that records ADS creation in Sysmon. PowerShell ScriptBlock Log Event ID 4104: records the Set-Content command used to write the Zone.Identifier. The Get-Content output shows ZoneId=3, ReferrerUrl containing google.com/search, and HostUrl containing the simulated malicious download domain.
- Test 4: npm Typosquatting Reconnaissance (Developer-Platform SEO Poisoning Detection)
Expected signal: Process creation events for node (npm) and python3. DNS query to registry.npmjs.org visible in DNS logs. In environments proxying npm through JFrog Artifactory or Sonatype Nexus Repository, the registry query appears in package manager audit logs. No file system artifacts are created by this test. If the developer workstation has Sysmon configured, Sysmon Event ID 22 (DNS Query) captures the registry.npmjs.org resolution.
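Tests 2 and 3 describe the two host-side artifacts an analyst validates: the Zone.Identifier alternate data stream on the downloaded archive, and the Sysmon Event ID 1 record of a script host launched against a file in a user-writable directory. The following is an added example written for this page, not the page's own test content or any vendor tooling. The Zone.Identifier text is constructed in the documented INI layout; the Sysmon-style events are constructed dicts whose field names (event_id, image, parent_image, command_line) are assumptions modelled on Event ID 1, and the launching parents include explorer.exe because a user double-clicking the extracted .js produces that parent rather than the browser itself.

```python
"""Zone.Identifier parsing and script-host chain detection for the Gootloader-style test (added example)."""
import configparser
import re
from urllib.parse import urlparse

SEARCH_ENGINE_HOSTS = ("google.com", "bing.com", "duckduckgo.com")
# Processes that plausibly launch a user-clicked or browser-opened script.
LAUNCHERS = ("explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")
# Lower-cased path fragments for user-writable locations (assumed list).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")
SCRIPT_FILE_RE = re.compile(r'\.(js|jse|vbs|vbe|wsf)"?\s*$')


def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] section of a Zone.Identifier ADS into a dict."""
    # interpolation=None: percent-encoded URLs would otherwise trip configparser's '%' handling.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    zt = cp["ZoneTransfer"]  # keys are matched case-insensitively by configparser
    return {
        "zone_id": int(zt.get("ZoneId", "-1")),
        "referrer": zt.get("ReferrerUrl", ""),
        "host_url": zt.get("HostUrl", ""),
    }


def is_search_engine(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SEARCH_ENGINE_HOSTS)


def classify_download(zone):
    """ZoneId 3 is the Internet zone (Mark-of-the-Web); a search-engine referrer on
    top of that is the victim-side signature of an SEO lure."""
    if zone["zone_id"] != 3:
        return "local-or-intranet"
    if is_search_engine(zone["referrer"]):
        return "internet-download-via-search"
    return "internet-download"


def find_script_chains(events):
    """Return Event ID 1 records where a launcher spawned a script host on a script
    file living in a user-writable directory."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 1:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        cmd = ev["command_line"].lower()
        if (image in SCRIPT_HOSTS and parent in LAUNCHERS
                and any(d in cmd for d in USER_WRITABLE) and SCRIPT_FILE_RE.search(cmd)):
            hits.append(ev)
    return hits


# Constructed Zone.Identifier content (no indentation: indented lines would be read as continuations).
ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.google.com/search?q=employment+contract+template
HostUrl=https://compromised-blog.invalid/wp-content/uploads/ContractTemplate2024.zip
"""

# Constructed Sysmon-style events: one Gootloader-style launch, one benign logon script, one FileCreate.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": '"C:\\Windows\\System32\\wscript.exe" "C:\\Users\\alice\\Downloads\\ContractTemplate2024\\ContractTemplate2024.js"'},
    {"event_id": 1, "image": "C:\\Windows\\System32\\wscript.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": '"C:\\Windows\\System32\\wscript.exe" "C:\\Program Files\\Vendor\\logon.vbs"'},
    {"event_id": 11, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "target_filename": "C:\\Users\\alice\\Downloads\\ContractTemplate2024.zip"},
]

if __name__ == "__main__":
    zone = parse_zone_identifier(ZONE_IDENTIFIER)
    print(zone["zone_id"], classify_download(zone), zone["host_url"])
    for hit in find_script_chains(SAMPLE_EVENTS):
        print("script chain:", hit["command_line"])
```

On a live host the ADS contents come from `Get-Content -Stream Zone.Identifier` (the same stream Test 3 writes with Set-Content) and the events from Sysmon Event ID 1; the second sample event shows the user-writable-path condition suppressing a vendor logon script that would otherwise match on process names alone.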
References (8)
- https://attack.mitre.org/techniques/T1608/006/
- https://www.malwarebytes.com/blog/news/2018/05/seo-poisoning-is-it-worth-it
- https://atlas-cybersecurity.com/cyber-threats/threat-actors-use-search-engine-optimization-tactics-to-redirect-traffic-and-install-malware/
- https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/
- https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/
- https://www.zscaler.com/blogs/security-research/ubiquitous-seo-poisoning-urls-0
- https://zero.checkmarx.com/the-github-black-market-gaming-the-star-ranking-game-fc42f5913fb7
- https://checkmarx.com/blog/new-technique-to-trick-developers-detected-in-an-open-source-supply-chain-attack/
Unlock Pro Content
Get the full detection package for T1608.006 including response playbook, investigation guide, and atomic red team tests.