Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CompromisedWordPressRedirector.
Upgrade to ProCompromised WordPress Sites Weaponized as Malware Distribution Redirectors
Rather than standing up adversary-registered infrastructure that carries no reputation and is trivially blocked, actors including TA569 (SocGholish), the Gootloader crew, and Parrot TDS operators mass-compromise legitimate, high-reputation WordPress sites — typically via outdated plugins, stolen admin credentials, or vulnerable themes — and repurpose them as first-stage redirectors and payload-staging hosts. A compromised site is injected with obfuscated JavaScript (a 'fake update' overlay for SocGholish, or SEO-poisoned legal-document lures for Gootloader) that fingerprints the visitor and conditionally redirects first-time, non-crawler visitors through a traffic-distribution-system (TDS) chain to the actor's actual payload or phishing kit, while returning normal content to repeat visitors, bots, and security scanners. Because the compromised domain has years of clean history, a real TLS certificate, and legitimate unrelated content, domain-reputation-based blocking is ineffective; detection must instead focus on (1) the injected-script/traffic-fingerprinting pattern in outbound web traffic, (2) DNS and HTTP indicators of TDS chaining (rapid multi-hop redirects with cloaking headers), and (3) the file-drop/execution pattern that follows a user visiting an otherwise-reputable site and immediately downloading and running an unsigned binary.
What is THREAT-Infra-CompromisedWordPressRedirector Compromised WordPress Sites Weaponized as Malware Distribution Redirectors?
Compromised WordPress Sites Weaponized as Malware Distribution Redirectors (THREAT-Infra-CompromisedWordPressRedirector) maps to the Resource Development tactic — the adversary is trying to establish resources they can use to support operations in MITRE ATT&CK.
This page provides production-ready detection logic for Compromised WordPress Sites Weaponized as Malware Distribution Redirectors, covering the data sources and telemetry it touches: File: File Creation, Process: Process Creation, Network Traffic: Network Connection Creation, Microsoft Defender for Endpoint (DeviceFileEvents, DeviceProcessEvents, DeviceNetworkEvents). The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
- Tactic
- Resource Development
// THREAT-Infra-CompromisedWordPressRedirector (T1584.006) - Compromised legitimate web services used as malware distribution redirectors
// Pillar 1: Browser process downloads and then executes a file within minutes of visiting an otherwise-benign site (fake-update pattern)
let SuspiciousDownloadExt = dynamic([".js", ".zip", ".msi", ".exe", ".hta", ".iso"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any (@"\Downloads\", @"\Temp\", @"\AppData\Local\Temp\")
| where FileName has_any (SuspiciousDownloadExt)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe")
| project DownloadTime=Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName
| join kind=inner (
DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessParentFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe")
| where FileName has_any (".js", ".hta", ".msi", ".exe")
| project ExecTime=Timestamp, DeviceName, ExecFileName=FileName, ExecCommandLine=ProcessCommandLine
) on DeviceName
| where ExecTime between (DownloadTime .. DownloadTime + 10m)
| extend SuspicionReason = "DownloadThenExecuteWithinTenMinutes"
| project DownloadTime, ExecTime, DeviceName, FileName, ExecFileName, ExecCommandLine, SuspicionReason
| union (
// Pillar 2: DNS/HTTP evidence of multi-hop TDS redirect chain terminating off the originally-requested domain within seconds
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("chrome.exe", "msedge.exe", "firefox.exe")
| summarize HopCount=dcount(RemoteUrl), Hosts=make_set(RemoteUrl, 10), FirstHop=min(Timestamp), LastHop=max(Timestamp) by DeviceName, InitiatingProcessId
| where HopCount >= 4 and (LastHop - FirstHop) < 15s
| extend DownloadTime=FirstHop, ExecTime=LastHop, FileName=strcat("MultiHopChain:", tostring(HopCount)), ExecFileName="", ExecCommandLine=strcat_array(Hosts, " -> "), SuspicionReason="RapidMultiHopRedirectChain"
| project DownloadTime, ExecTime, DeviceName, FileName, ExecFileName, ExecCommandLine, SuspicionReason
)
| sort by DownloadTime desc Two-pillar detection independent of domain reputation. Pillar 1 correlates a browser-initiated file download of a script/installer/executable in Downloads or Temp with execution of that same class of file by the same browser process within 10 minutes — the fake-update/drive-by pattern used when a compromised WordPress page tricks a visitor into running a 'browser update' or 'missing font' payload. Pillar 2 flags browser network sessions with four or more distinct hostnames touched within a 15-second window from a single process — consistent with a TDS (traffic distribution system) redirect chain used to hop the victim from the compromised site to the actor's payload host while evading simple referrer/domain blocking.
Data Sources
Required Tables
False Positives
- Legitimate software installers (browser updaters, Adobe Reader, Zoom) that download and self-execute within minutes as part of normal update flow
- Ad-tech and analytics redirect chains (real-time bidding auctions) that legitimately hop through 4+ hostnames in under 15 seconds
- Enterprise SSO/CDN login flows that traverse multiple redirect hops (identity provider, app gateway, CDN edge) in rapid succession
- Users manually downloading and immediately running a legitimate tool from a software vendor's site
Sigma rule & cross-platform mapping
The detection logic for Compromised WordPress Sites Weaponized as Malware Distribution Redirectors (THREAT-Infra-CompromisedWordPressRedirector) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windows Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for THREAT-Infra-CompromisedWordPressRedirector
References (5)
- https://attack.mitre.org/techniques/T1584/006/
- https://attack.mitre.org/tactics/TA0042/
- https://www.proofpoint.com/us/blog/threat-insight/socgholish-fake-browser-updates
- https://www.sophos.com/en-us/threat-center/threat-monitoring/threat-analyses/gootloader
- https://blog.talosintelligence.com/traffic-direction-systems/
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Browser Download Followed by Rapid Script-Host Execution (Fake-Update Simulation)
Expected signal: Sysmon Event ID 11: file creation at Downloads\atomic_update.js by powershell.exe. Sysmon Event ID 1: wscript.exe launching atomic_update.js roughly 2 seconds later, with ParentImage referencing the shell chain rather than a browser (adjust InitiatingProcessFileName filter to powershell.exe for this simulation).
- Test 2Simulated Multi-Hop Redirect Chain via Sequential curl Requests
Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: four outbound connections from powershell.exe to four distinct hostnames within approximately 3 seconds.
- Test 3Same Referring URL Accessed From Multiple Simulated Hosts (SEO-Poisoning Pattern)
Expected signal: Sysmon Event ID 3 / proxy logs: outbound HTTPS request to example.com with the atomic_test_lure query string logged.
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Infra-CompromisedWordPressRedirector — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month