Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CompromisedWordPressRedirector.
Upgrade to ProDetect Compromised WordPress Sites Weaponized as Malware Distribution Redirectors in Elastic Security
Rather than standing up adversary-registered infrastructure that carries no reputation and is trivially blocked, actors including TA569 (SocGholish), the Gootloader crew, and Parrot TDS operators mass-compromise legitimate, high-reputation WordPress sites — typically via outdated plugins, stolen admin credentials, or vulnerable themes — and repurpose them as first-stage redirectors and payload-staging hosts. A compromised site is injected with obfuscated JavaScript (a 'fake update' overlay for SocGholish, or SEO-poisoned legal-document lures for Gootloader) that fingerprints the visitor and conditionally redirects first-time, non-crawler visitors through a traffic-distribution-system (TDS) chain to the actor's actual payload or phishing kit, while returning normal content to repeat visitors, bots, and security scanners. Because the compromised domain has years of clean history, a real TLS certificate, and legitimate unrelated content, domain-reputation-based blocking is ineffective; detection must instead focus on (1) the injected-script/traffic-fingerprinting pattern in outbound web traffic, (2) DNS and HTTP indicators of TDS chaining (rapid multi-hop redirects with cloaking headers), and (3) the file-drop/execution pattern that follows a user visiting an otherwise-reputable site and immediately downloading and running an unsigned binary.
MITRE ATT&CK
- Tactic
- Resource Development
Elastic Detection Query
sequence by host.name with maxspan=10m
[
file where event.type == "creation" and
file.extension : ("js", "zip", "msi", "exe", "hta", "iso") and
file.path : ("*\\Downloads\\*", "*\\Temp\\*") and
process.name : ("chrome.exe", "msedge.exe", "firefox.exe")
]
[
process where event.type == "start" and
process.parent.name : ("chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe") and
process.name : ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "*.exe")
] Sequence-based Elastic EQL detection correlating a browser-initiated download of a script/installer/executable into Downloads or Temp with execution of a scripting engine or binary from the same host within 10 minutes — the fake-update/drive-by execution pattern used by SocGholish and Gootloader after a visitor lands on a compromised legitimate WordPress site.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate auto-updating software that downloads and self-executes an installer within the correlation window
- IT-deployed software packages delivered via browser download and executed by a deployment script
- Users manually downloading and running a legitimate vendor tool shortly after browsing to the vendor site
Other platforms for THREAT-Infra-CompromisedWordPressRedirector
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Browser Download Followed by Rapid Script-Host Execution (Fake-Update Simulation)
Expected signal: Sysmon Event ID 11: file creation at Downloads\atomic_update.js by powershell.exe. Sysmon Event ID 1: wscript.exe launching atomic_update.js roughly 2 seconds later, with ParentImage referencing the shell chain rather than a browser (adjust InitiatingProcessFileName filter to powershell.exe for this simulation).
- Test 2Simulated Multi-Hop Redirect Chain via Sequential curl Requests
Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: four outbound connections from powershell.exe to four distinct hostnames within approximately 3 seconds.
- Test 3Same Referring URL Accessed From Multiple Simulated Hosts (SEO-Poisoning Pattern)
Expected signal: Sysmon Event ID 3 / proxy logs: outbound HTTPS request to example.com with the atomic_test_lure query string logged.
References (5)
- https://attack.mitre.org/techniques/T1584/006/
- https://attack.mitre.org/tactics/TA0042/
- https://www.proofpoint.com/us/blog/threat-insight/socgholish-fake-browser-updates
- https://www.sophos.com/en-us/threat-center/threat-monitoring/threat-analyses/gootloader
- https://blog.talosintelligence.com/traffic-direction-systems/
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-Infra-CompromisedWordPressRedirector — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month