bugcrowd / vulnerability-rating-taxonomy

Bugcrowd’s baseline priority ratings for common security vulnerabilities
https://bugcrowd.com/vrt
Apache License 2.0

Indicators of Compromise #224

Closed codingo closed 5 years ago

codingo commented 5 years ago

Currently the VRT doesn't cater for situations where a compromise has occurred, and proof is available. This may not always be malicious, and there are a few situations where this could apply:

I believe this should be a P1; however, I believe the language is important to help limit false positives, so that this can cover point two of the above in situations where the action may not necessarily be a malicious one. I'm not entirely certain what that wording would be, but the best I could land on was:

P1 - Evidence of Site Compromise or No Longer Controlled by Client

Alternatively, this could be a new category with branches off of it, but that in itself seems excessive for what is quite likely a rarer edge case.

codingo commented 5 years ago

Thanks to emitrani for pointing out another good example for this, that feeds nicely into this example: How I Hacked Facebook, and Found Someone's Backdoor Script

hakluke commented 5 years ago

I have also come across this previously and was hesitant to report for fear of downgrading my severity rating. It would be great to have this formalised in the VRT.

plr0man commented 5 years ago

After discussing this with the team we agreed that there's some potential for adding a new "varies" category. The proposed entry is:

Varies - Indicators of Compromise

This category could be used to build out a more detailed structure in the future.

VinceMHernandez commented 5 years ago

+1. Agree with @plr0man here; we could build the structure out as we gather more data.

plr0man commented 5 years ago

I opened #239 for this issue.

  1. Any thoughts on remediation advice?
  2. Is there any CWE that could fit there?

codingo commented 5 years ago

@plr0man as this is now merged and a part of the VRT, any chance for some contribution swag?

barnett commented 5 years ago

Definitely @codingo.

We send the swag with each release, so once we cut the next version we will send it out.

codingo commented 5 years ago

Hi @barnett, where are we at with this one?

For reference of why I'm prompting this, please see 5e635749fd5fb146dce7537295d5ebd1d0396cc33de1bd693f98b2e87e2b6697.

barnett commented 5 years ago

@codingo let me get back to you next week on time-frame 👍, apologies for the delay

barnett commented 5 years ago

@codingo we are looking at about a month until implementation