Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CompromisedWordPressRedirector.

Upgrade to Pro
THREAT-Infra-CompromisedWordPressRedirector CrowdStrike LogScale · LogScale

Detect Compromised WordPress Sites Weaponized as Malware Distribution Redirectors in CrowdStrike LogScale

Rather than standing up adversary-registered infrastructure that carries no reputation and is trivially blocked, actors including TA569 (SocGholish), the Gootloader crew, and Parrot TDS operators mass-compromise legitimate, high-reputation WordPress sites — typically via outdated plugins, stolen admin credentials, or vulnerable themes — and repurpose them as first-stage redirectors and payload-staging hosts. A compromised site is injected with obfuscated JavaScript (a 'fake update' overlay for SocGholish, or SEO-poisoned legal-document lures for Gootloader) that fingerprints the visitor and conditionally redirects first-time, non-crawler visitors through a traffic-distribution-system (TDS) chain to the actor's actual payload or phishing kit, while returning normal content to repeat visitors, bots, and security scanners. Because the compromised domain has years of clean history, a real TLS certificate, and legitimate unrelated content, domain-reputation-based blocking is ineffective; detection must instead focus on (1) the injected-script/traffic-fingerprinting pattern in outbound web traffic, (2) DNS and HTTP indicators of TDS chaining (rapid multi-hop redirects with cloaking headers), and (3) the file-drop/execution pattern that follows a user visiting an otherwise-reputable site and immediately downloading and running an unsigned binary.

MITRE ATT&CK

Tactic
Resource Development

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql
#event_simpleName=FileWritten
| FileName=/\.(js|hta|msi|exe|zip)$/i
| FilePath=/(Downloads|Temp)/i
| ImageFileName=/(chrome|msedge|firefox)\.exe$/i
| join(
    {
      #event_simpleName=ProcessRollup2
      | ImageFileName=/(wscript|cscript|powershell|mshta)\.exe$/i
    },
    field=[aid], key=[aid], mode=inner, include=[CommandLine, ImageFileName, "#timestamp"]
  )
| ExecDeltaSeconds := ("#timestamp" - timestamp) / 1000
| test(ExecDeltaSeconds >= 0 and ExecDeltaSeconds <= 600)
| table([ComputerName, FileName, ImageFileName, CommandLine, ExecDeltaSeconds])
| sort(ExecDeltaSeconds)
high severity medium confidence

CrowdStrike LogScale (Falcon) query correlating a browser-initiated file write of a script/installer extension into Downloads/Temp with execution of a scripting engine within 10 minutes on the same endpoint — flags the download-then-execute chain characteristic of a fake-update lure served from a compromised legitimate web service.

Data Sources

CrowdStrike Falcon Endpoint ProtectionFile eventsProcess events

Required Tables

FileWrittenProcessRollup2

False Positives & Tuning

  • Legitimate self-updating applications that download and execute an installer package
  • Endpoint management agents staging and then running deployment scripts
  • Users manually running a just-downloaded legitimate utility

Other platforms for THREAT-Infra-CompromisedWordPressRedirector


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Browser Download Followed by Rapid Script-Host Execution (Fake-Update Simulation)

    Expected signal: Sysmon Event ID 11: file creation at Downloads\atomic_update.js by powershell.exe. Sysmon Event ID 1: wscript.exe launching atomic_update.js roughly 2 seconds later, with ParentImage referencing the shell chain rather than a browser (adjust InitiatingProcessFileName filter to powershell.exe for this simulation).

  2. Test 2Simulated Multi-Hop Redirect Chain via Sequential curl Requests

    Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: four outbound connections from powershell.exe to four distinct hostnames within approximately 3 seconds.

  3. Test 3Same Referring URL Accessed From Multiple Simulated Hosts (SEO-Poisoning Pattern)

    Expected signal: Sysmon Event ID 3 / proxy logs: outbound HTTPS request to example.com with the atomic_test_lure query string logged.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Infra-CompromisedWordPressRedirector — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections