-description: Detect suspicious use of captive portal redirection chains abusing msftconnecttest.com/redirect, particularly during network sign-in events. Look for anomalous HTTP GET requests to domains mimicking certificate authorities (e.g., fake Digicert or Kaspersky-related hosts). Flag user execution of CertificateDB.exe, which may request elevated privileges and install unauthorized custom root certificates. Monitor for persistence tactics such as creation of hidden local admin accounts, modification of firewall or network profile settings, and DLL sideloading involving oci.dll or duser.dll. Additional indicators include encoded metadata in DNS queries, exfiltration over DNS, or encrypted communications to suspicious or newly registered domains, suggesting command-and-control activity. These behaviors may indicate adversary-in-the-middle (AiTM) interception by a capable, nation-state actor.
0 commit comments