Adversaries may use mage-cdn.link URLs (the string the rule below looks for) to exfiltrate data or establish command-and-control channels, leveraging compromised infrastructure for persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or C2 activity early.
YARA Rule
rule mage_cdn_link {
    strings:
        // YARA decodes \xHH escapes, so this matches the literal text mage-cdn.link
        $ = "\x6D\x61\x67\x65\x2D\x63\x64\x6E\x2E\x6C\x69\x6E\x6B"
    condition:
        any of them
}
The following benign scenarios can also trigger this rule; each one lists the filter or exclusion to apply so the hit is tuned out rather than raised as an alert:
1. Scenario: A developer uses a CDN link in a static site build process using Webpack or Gulp for a legitimate front-end asset.
   Filter/Exclusion: Exclude files generated by known build tools (e.g., webpack.config.js, gulpfile.js) or filter by file type (e.g., .js, .css).

2. Scenario: A system administrator configures a CDN (e.g., Cloudflare, AWS CloudFront) via the AWS Console or Cloudflare API for legitimate content delivery.
   Filter/Exclusion: Exclude traffic from known admin IPs, or filter by HTTP methods (e.g., GET, HEAD) and user agents associated with management consoles.

3. Scenario: A scheduled job runs Magento (e.g., bin/magento setup:static-content:deploy) to deploy static content to a CDN.
   Filter/Exclusion: Exclude processes running under the magento user or filter by command-line arguments containing setup:static-content:deploy.

4. Scenario: A DevOps team uses Ansible or Chef to automate CDN configuration across multiple environments.
   Filter/Exclusion: Exclude tasks or playbooks associated with infrastructure automation tools, or filter by process names like ansible, chef-client.

5. Scenario: A security team uses SIEM tools (e.g., Splunk, ELK) to monitor CDN traffic for suspicious activity.
   Filter/Exclusion: Exclude logs from SIEM tools or filter by log sources (e.g., splunk, elasticsearch, logstash).
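As an added example (not code from this page or from any vendor), the following Python script shows what the YARA string actually matches by decoding its \xHH escapes, runs the same substring test over a set of constructed sample events, and then applies the five tuning rules from the scenario list above so that only the untuned hit is left as an alert. The event field names, the admin IP 10.0.0.5 and every sample event are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Hex-escaped string as it appears in the YARA rule above (backslashes kept literal here).
YARA_ESCAPED = r"\x6D\x61\x67\x65\x2D\x63\x64\x6E\x2E\x6C\x69\x6E\x6B"


def decode_yara_escapes(s: str) -> str:
    """Turn YARA-style \\xHH escapes into the plain characters the rule matches."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


INDICATOR = decode_yara_escapes(YARA_ESCAPED)  # "mage-cdn.link"

# Tuning values taken from the scenario list; the admin IP is a constructed placeholder.
EXCLUDED_FILENAMES = {"webpack.config.js", "gulpfile.js"}
EXCLUDED_USERS = {"magento"}
EXCLUDED_CMDLINE_FRAGMENTS = ("setup:static-content:deploy",)
EXCLUDED_PROCESSES = {"ansible", "chef-client"}
EXCLUDED_LOG_SOURCES = {"splunk", "elasticsearch", "logstash"}
KNOWN_ADMIN_IPS = {"10.0.0.5"}  # constructed, assumption
ADMIN_HTTP_METHODS = {"GET", "HEAD"}


@dataclass
class Event:
    """Minimal normalised event; field names are assumptions, not a Sentinel schema."""
    id: str
    source: str                     # log source, e.g. "sysmon", "nginx", "splunk"
    message: str                    # raw text the YARA string would be matched against
    user: Optional[str] = None
    process: Optional[str] = None
    cmdline: Optional[str] = None
    filename: Optional[str] = None
    src_ip: Optional[str] = None
    http_method: Optional[str] = None


def matches_rule(ev: Event) -> bool:
    """Same test as the YARA rule: the literal indicator appears anywhere (case-sensitive)."""
    haystack = " ".join(filter(None, [ev.message, ev.cmdline, ev.filename]))
    return INDICATOR in haystack


def exclusion_reason(ev: Event) -> Optional[str]:
    """Return the tuning rule that explains a hit as benign, or None if it should alert."""
    if ev.source.lower() in EXCLUDED_LOG_SOURCES:
        return "siem-log-source"                       # scenario 5
    if ev.filename and ev.filename.rsplit("/", 1)[-1] in EXCLUDED_FILENAMES:
        return "build-tool-config"                     # scenario 1
    if ev.user in EXCLUDED_USERS:
        return "magento-service-user"                  # scenario 3
    if ev.cmdline and any(f in ev.cmdline for f in EXCLUDED_CMDLINE_FRAGMENTS):
        return "static-content-deploy"                 # scenario 3
    if ev.process in EXCLUDED_PROCESSES:
        return "infra-automation"                      # scenario 4
    if ev.src_ip in KNOWN_ADMIN_IPS and ev.http_method in ADMIN_HTTP_METHODS:
        return "admin-console-traffic"                 # scenario 2
    return None


def triage(events: Iterable[Event]) -> Dict[str, str]:
    """Map event id -> 'alert', 'excluded:<reason>' or 'no-match'."""
    verdicts: Dict[str, str] = {}
    for ev in events:
        if not matches_rule(ev):
            verdicts[ev.id] = "no-match"
            continue
        reason = exclusion_reason(ev)
        verdicts[ev.id] = f"excluded:{reason}" if reason else "alert"
    return verdicts


# Constructed sample events: one per benign scenario, one untuned hit, one non-hit.
SAMPLE_EVENTS = [
    Event("e1", "sysmon", "pushing assets to https://mage-cdn.link/static", user="magento",
          process="php", cmdline="bin/magento setup:static-content:deploy"),
    Event("e2", "fim", "publicPath: 'https://mage-cdn.link/assets/'", user="dev",
          filename="/srv/site/webpack.config.js"),
    Event("e3", "sysmon", "template rendered cdn_host=mage-cdn.link", user="deploy",
          process="ansible"),
    Event("e4", "splunk", "alert: traffic to mage-cdn.link observed"),
    Event("e5", "nginx", "GET /purge?host=mage-cdn.link", src_ip="10.0.0.5", http_method="GET"),
    Event("e6", "sysmon", "outbound connection to mage-cdn.link:443", user="www-data",
          process="python3", src_ip="192.0.2.44"),
    Event("e7", "sysmon", "outbound connection to cdn.example.net:443", user="www-data",
          process="python3"),
]

if __name__ == "__main__":
    print("indicator:", INDICATOR)
    for event_id, verdict in triage(SAMPLE_EVENTS).items():
        print(event_id, verdict)
```

The exclusion order matters: a single event can satisfy several tuning rules (e1 matches both the magento user and the deploy command line), and the first reason wins. When porting this to a real Sentinel analytics rule, apply the same exclusions in the query's where clause so the tuned-out hits never reach the alert queue, but keep the raw matches in a hunting query so the exclusions themselves stay reviewable.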