The White Company
Copy link

The White Company
Copy link

The White Company is a suspected state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led the Operation Shaheen espionage campaign that targeted government and military organizations in Pakistan.

This is a collection of rules based on the presence of indicators of compromise publicly reported as associated with this malicious actor.

Suspicious DNS Request - The White Company Related Domain Observed

Description
Copy link

This detection identifies a request to resolve a domain publicly reported as associated with this malicious actor. Malicious actors may use compromised websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Compromise Infrastructure - T1584
  • Domains - T1584.001

Suspicious Process - The White Company Related Binary Executed

Description
Copy link

This detection identifies the execution of a file with a hash publicly reported as associated with this malicious actor. Malicious actors may use common System Administration tools for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation
Copy link

Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

Suspicious Web Request - The White Company Related Domain Observed

Description
Copy link

This detection identifies a request to a domain publicly reported as associated with this malicious actor. Malicious actors may compromise websites for malicious purposes. This detection is powered by the Rapid7 Threat Command Threat Library.

Recommendation
Copy link

This alert may have been caused by normal web browsing activity by the end user. Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password.

MITRE ATT&CK Techniques
Copy link

  • Acquire Infrastructure - T1583
  • Domains - T1583.001
  • Virtual Private Server - T1583.003
  • Server - T1583.004
  • Compromise Infrastructure - T1584
  • Domains - T1584.001
  • Virtual Private Server - T1584.003
  • Server - T1584.004