Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-Infra-CompromisedWordPressRedirector.

Upgrade to Pro
THREAT-Infra-CompromisedWordPressRedirector Splunk · SPL

Detect Compromised WordPress Sites Weaponized as Malware Distribution Redirectors in Splunk

Rather than standing up adversary-registered infrastructure that carries no reputation and is trivially blocked, actors including TA569 (SocGholish), the Gootloader crew, and Parrot TDS operators mass-compromise legitimate, high-reputation WordPress sites — typically via outdated plugins, stolen admin credentials, or vulnerable themes — and repurpose them as first-stage redirectors and payload-staging hosts. A compromised site is injected with obfuscated JavaScript (a 'fake update' overlay for SocGholish, or SEO-poisoned legal-document lures for Gootloader) that fingerprints the visitor and conditionally redirects first-time, non-crawler visitors through a traffic-distribution-system (TDS) chain to the actor's actual payload or phishing kit, while returning normal content to repeat visitors, bots, and security scanners. Because the compromised domain has years of clean history, a real TLS certificate, and legitimate unrelated content, domain-reputation-based blocking is ineffective; detection must instead focus on (1) the injected-script/traffic-fingerprinting pattern in outbound web traffic, (2) DNS and HTTP indicators of TDS chaining (rapid multi-hop redirects with cloaking headers), and (3) the file-drop/execution pattern that follows a user visiting an otherwise-reputable site and immediately downloading and running an unsigned binary.

MITRE ATT&CK

Tactic
Resource Development

SPL Detection Query

Splunk (SPL)
spl
| union
[
  search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
  TargetFilename IN ("*\\Downloads\\*.js", "*\\Downloads\\*.zip", "*\\Downloads\\*.msi", "*\\Downloads\\*.exe", "*\\Downloads\\*.hta", "*\\Temp\\*.js", "*\\Temp\\*.hta")
  Image IN ("*\\chrome.exe", "*\\msedge.exe", "*\\firefox.exe")
  | eval DownloadTime=_time
  | table DownloadTime, host, TargetFilename, Image
  | join type=inner host
    [ search index=sysmon sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
      ParentImage IN ("*\\chrome.exe", "*\\msedge.exe", "*\\firefox.exe", "*\\explorer.exe")
      Image IN ("*.js", "*.hta", "*.msi", "*.exe")
      | eval ExecTime=_time
      | table ExecTime, host, Image, CommandLine ]
  | where (ExecTime - DownloadTime) >= 0 AND (ExecTime - DownloadTime) <= 600
  | eval SuspicionReason="DownloadThenExecuteWithinTenMinutes"
  | table DownloadTime, ExecTime, host, TargetFilename, Image, CommandLine, SuspicionReason
]
[
  search index=proxy sourcetype="*proxy*"
  | eval Process=coalesce(app,"browser")
  | bin _time span=15s
  | stats dc(url) as HopCount, values(url) as Hosts, min(_time) as FirstHop, max(_time) as LastHop by host, _time
  | where HopCount >= 4
  | eval SuspicionReason="RapidMultiHopRedirectChain"
  | table FirstHop, LastHop, host, HopCount, Hosts, SuspicionReason
]
| sort - DownloadTime
high severity medium confidence

Two-source detection combining Sysmon Event ID 11/1 correlation (download-then-execute within 10 minutes from a browser process) with proxy-log-derived redirect-chain analysis (4+ distinct URLs touched by the same host within a 15-second bucket). Requires Sysmon with file-create and process-create logging plus a web proxy sourcetype with per-request URL visibility.

Data Sources

File: File CreationProcess: Process CreationWeb Proxy LogsSysmon Event ID 11Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operationalproxy

False Positives & Tuning

  • Legitimate self-updating software downloading and launching an installer within the correlation window
  • Ad-exchange real-time-bidding redirect chains that legitimately touch many hostnames within seconds
  • SSO/identity-provider login flows with multiple redirect hops through gateway and CDN infrastructure
  • Users downloading and manually launching a vendor-provided installer shortly after browsing to the vendor's site

Other platforms for THREAT-Infra-CompromisedWordPressRedirector


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Browser Download Followed by Rapid Script-Host Execution (Fake-Update Simulation)

    Expected signal: Sysmon Event ID 11: file creation at Downloads\atomic_update.js by powershell.exe. Sysmon Event ID 1: wscript.exe launching atomic_update.js roughly 2 seconds later, with ParentImage referencing the shell chain rather than a browser (adjust InitiatingProcessFileName filter to powershell.exe for this simulation).

  2. Test 2Simulated Multi-Hop Redirect Chain via Sequential curl Requests

    Expected signal: Sysmon Event ID 3 / DeviceNetworkEvents: four outbound connections from powershell.exe to four distinct hostnames within approximately 3 seconds.

  3. Test 3Same Referring URL Accessed From Multiple Simulated Hosts (SEO-Poisoning Pattern)

    Expected signal: Sysmon Event ID 3 / proxy logs: outbound HTTPS request to example.com with the atomic_test_lure query string logged.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-Infra-CompromisedWordPressRedirector — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections