diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
index 83ed7414f7..51c6baf24b 100644
--- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
+++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
@@ -1,6 +1,6 @@
 name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
 id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e
-version: 4
+version: 5
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -83,6 +83,7 @@ rba:
 tags:
 analytic_story:
 - Cisco Network Visibility Module Analytics
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1218.005
diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
index efdb37db50..16e4a22128 100644
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
@@ -1,6 +1,6 @@
 name: Cisco NVM - Suspicious Download From File Sharing Website
 id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 5
+version: 6
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -94,6 +94,7 @@ tags:
 analytic_story:
 - APT37 Rustonotto and FadeStealer
 - Cisco Network Visibility Module Analytics
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1197
diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
index c897513dab..48fb4ac407 100644
--- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
@@ -1,6 +1,6 @@
 name: Cisco NVM - Suspicious File Download via Headless Browser
 id: cd0e816f-f67d-4dbe-a153-480b546e867e
-version: 4
+version: 5
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -111,6 +111,7 @@ rba:
 tags:
 analytic_story:
 - Cisco Network Visibility Module Analytics
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1105
diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
index 7af8728791..3e66a65e30 100644
--- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
+++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
@@ -1,6 +1,6 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 6
+version: 7
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
@@ -88,6 +88,7 @@ tags:
 analytic_story:
 - Cisco Network Visibility Module Analytics
 - Castle RAT
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1590.005
diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml
index 1aa9410385..f411285702 100644
--- a/detections/endpoint/detect_mshta_inline_hta_execution.yml
+++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml
@@ -1,6 +1,6 @@
 name: Detect mshta inline hta execution
 id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: 20
+version: 21
 date: '2026-03-10'
 author: Bhavin Patel, Michael Haag, Splunk
 status: production
@@ -66,6 +66,7 @@ tags:
 - Suspicious MSHTA Activity
 - XWorm
 - APT37 Rustonotto and FadeStealer
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1218.005
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
index b1bbd449ac..8b86ab51b7 100644
--- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
+++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml
@@ -1,6 +1,6 @@
 name: Disable Defender Submit Samples Consent Feature
 id: 73922ff8-3022-11ec-bf5e-acde48001122
-version: 12
+version: 13
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
@@ -38,6 +38,7 @@ tags:
 - CISA AA23-347A
 - IcedID
 - Windows Registry Abuse
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 321a6fc081..16588899e1 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -1,6 +1,6 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 20
+version: 21
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
@@ -44,6 +44,7 @@ tags:
 - Scattered Lapsus$ Hunters
 - NetSupport RMM Tool Abuse
 - Storm-0501 Ransomware
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml
index d0f66bd254..b496ad57c5 100644
--- a/detections/endpoint/excessive_usage_of_taskkill.yml
+++ b/detections/endpoint/excessive_usage_of_taskkill.yml
@@ -1,6 +1,6 @@
 name: Excessive Usage Of Taskkill
 id: fe5bca48-accb-11eb-a67c-acde48001122
-version: 11
+version: 12
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -52,6 +52,7 @@ tags:
 - CISA AA22-264A
 - XMRig
 - Crypto Stealer
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml
index 1c713e9a9c..135e7f6611 100644
--- a/detections/endpoint/fodhelper_uac_bypass.yml
+++ b/detections/endpoint/fodhelper_uac_bypass.yml
@@ -1,6 +1,6 @@
 name: FodHelper UAC Bypass
 id: 909f8fd8-7ac8-11eb-a1f3-acde48001122
-version: 13
+version: 14
 date: '2026-03-10'
 author: Michael Haag, Splunk
 status: production
@@ -58,6 +58,7 @@ tags:
 - ValleyRAT
 - Compromised Windows Host
 - Windows Defense Evasion Tactics
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1112
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
index 52cef222b8..4924c9a669 100644
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
+++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 18
+version: 19
 date: '2026-03-10'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
@@ -58,6 +58,7 @@ tags:
 - DarkCrystal RAT
 - 0bj3ctivity Stealer
 - APT37 Rustonotto and FadeStealer
+ - BlankGrabber Stealer
 - MuddyWater
 asset_type: Endpoint
 mitre_attack_id:
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index 5bd341fba4..ad9ea22a08 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -1,6 +1,6 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 15
+version: 16
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -48,6 +48,7 @@ tags:
 - Snake Keylogger
 - China-Nexus Threat Activity
 - Lokibot
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1555.003
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index 0a89dece8f..561cc93cbd 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -1,6 +1,6 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 15
+version: 16
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -50,6 +50,7 @@ tags:
 - China-Nexus Threat Activity
 - 0bj3ctivity Stealer
 - Lokibot
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1555.003
diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml
index 6381e8bd30..e34a1db987 100644
--- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml
+++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml
@@ -1,6 +1,6 @@
 name: Potential Telegram API Request Via CommandLine
 id: d6b0d627-d0bf-46b1-936f-c48284767d21
-version: 8
+version: 9
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa
 status: production
@@ -55,6 +55,7 @@ tags:
 - Water Gamayun
 - 0bj3ctivity Stealer
 - Hellcat Ransomware
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1102.002
diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml
index 48adf72d39..35a9ab2fbf 100644
--- a/detections/endpoint/powershell_disable_security_monitoring.yml
+++ b/detections/endpoint/powershell_disable_security_monitoring.yml
@@ -1,6 +1,6 @@
 name: Powershell Disable Security Monitoring
 id: c148a894-dd93-11eb-bf2a-acde48001122
-version: 13
+version: 14
 date: '2026-03-10'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
@@ -112,6 +112,7 @@ tags:
 - Ransomware
 - Revil Ransomware
 - CISA AA24-241A
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
index b73cfd05f8..bbb9c46f9f 100644
--- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
+++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml
@@ -1,6 +1,6 @@
 name: Powershell Windows Defender Exclusion Commands
 id: 907ac95c-4dd9-11ec-ba2c-acde48001122
-version: 12
+version: 13
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -55,6 +55,7 @@ tags:
 - WhisperGate
 - Warzone RAT
 - NetSupport RMM Tool Abuse
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
index 023180bcdf..2c7a077391 100644
--- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
+++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
@@ -1,6 +1,6 @@
 name: Process Creating LNK file in Suspicious Location
 id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
-version: 15
+version: 16
 date: '2026-03-10'
 author: Jose Hernandez, Michael Haag, Splunk
 status: production
@@ -93,6 +93,7 @@ tags:
 - Amadey
 - Gozi Malware
 - APT37 Rustonotto and FadeStealer
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1566.002
diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml
index 347a4b7ae6..47a5589a7d 100644
--- a/detections/endpoint/recon_using_wmi_class.yml
+++ b/detections/endpoint/recon_using_wmi_class.yml
@@ -1,6 +1,6 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 13
+version: 14
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -63,6 +63,7 @@ tags:
 - Qakbot
 - Industroyer2
 - Scattered Spider
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1592
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index 7f7c154094..90d491e4f2 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -1,6 +1,6 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 14
+version: 15
 date: '2026-03-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -45,6 +45,7 @@ tags:
 - Interlock Ransomware
 - LAMEHUG
 - NetSupport RMM Tool Abuse
+ - BlankGrabber Stealer
 asset_type: Windows
 mitre_attack_id:
 - T1082
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 6493da06a3..a4d737c3e3 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,6 +1,6 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 13
+version: 14
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -47,6 +47,7 @@ tags:
 - Interlock Ransomware
 - APT37 Rustonotto and FadeStealer
 - PromptFlux
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1547.001
diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
index b3a1f07543..f4f1289811 100644
--- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
+++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
@@ -1,6 +1,6 @@
 name: Windows ClipBoard Data via Get-ClipBoard
 id: ab73289e-2246-4de0-a14b-67006c72a893
-version: 9
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -49,6 +49,7 @@ tags:
 analytic_story:
 - Windows Post-Exploitation
 - Prestige Ransomware
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1115
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index 869d432f9a..f6e5b58d16 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -1,6 +1,6 @@
 name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 10
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -54,6 +54,7 @@ tags:
 - Water Gamayun
 - Tuoni
 - SolarWinds WHD RCE Post Exploitation
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.007
diff --git a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
index 3a31d3f43f..ec8dc7a50e 100644
--- a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
+++ b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml
@@ -1,6 +1,6 @@
 name: Windows ComputerDefaults Spawning a Process
 id: 697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6
-version: 4
+version: 5
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -47,6 +47,7 @@ rba:
 tags:
 analytic_story:
 - Castle RAT
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1548.002
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index 9ccbfbabe7..44ea4a4231 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,6 +1,6 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 18
+version: 19
 date: '2026-03-10'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
@@ -47,6 +47,7 @@ tags:
 - Scattered Spider
 - 0bj3ctivity Stealer
 - Scattered Lapsus$ Hunters
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1012
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
index 959681d1e4..1fb9d76ffe 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
 id: 4d14c86d-fdee-4393-94da-238d2706902f
-version: 8
+version: 9
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 data_source:
@@ -34,6 +34,7 @@ tags:
 analytic_story:
 - Braodo Stealer
 - Scattered Lapsus$ Hunters
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1555.003
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index 7cc7024fe9..8614a0392b 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 10
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -42,6 +42,7 @@ tags:
 - Braodo Stealer
 - MoonPeak
 - 0bj3ctivity Stealer
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1012
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index 94938fe225..b24710c55f 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 18
+version: 19
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -52,6 +52,7 @@ tags:
 - 0bj3ctivity Stealer
 - Lokibot
 - Scattered Lapsus$ Hunters
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1012
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index 4a7c8c5929..79c8c486bc 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 18
+version: 19
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -52,6 +52,7 @@ tags:
 - 0bj3ctivity Stealer
 - Lokibot
 - Scattered Lapsus$ Hunters
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1012
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index 4b424e0cf4..90cf805b61 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -1,6 +1,6 @@
 name: Windows Disable or Modify Tools Via Taskkill
 id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
-version: 11
+version: 12
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -51,6 +51,7 @@ tags:
 - PXA Stealer
 - NjRAT
 - Crypto Stealer
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml
index 2c34396dc9..32667eabd8 100644
--- a/detections/endpoint/windows_disable_or_stop_browser_process.yml
+++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml
@@ -1,6 +1,6 @@
 name: Windows Disable or Stop Browser Process
 id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5
-version: 9
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 data_source:
@@ -52,6 +52,7 @@ tags:
 - Scattered Lapsus$ Hunters
 - Hellcat Ransomware
 - Castle RAT
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml
new file mode 100644
index 0000000000..ea53f1c350
--- /dev/null
+++ b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml
@@ -0,0 +1,50 @@
+name: Windows DNS Lookup to Public File Sharing Domain
+id: 3c6e77aa-7b7d-4a20-bd59-9221a0b9f2c9
+version: 1
+date: '2026-03-03'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This Analytics detects DNS queries to public file sharing domains, such as api.anonfiles.com, api.gofile.io and many more These services allow users to anonymously upload and distribute files, which can be abused by threat actors for data exfiltration, malware staging, or command-and-control communications. Monitoring DNS requests to these domains helps identify potentially unauthorized data transfers or suspicious outbound activity. While legitimate use may exist, such queries originating from servers, restricted systems, or non-browser processes should be investigated to determine whether sensitive data is being staged or transmitted externally.
+data_source:
+ - Sysmon EventID 22
+search: '`sysmon` EventCode=22 QueryName IN ("*//objects.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` |
`windows_dns_lookup_to_public_file_sharing_domain_filter`'
+how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used.
+known_false_positives: No false positives have been identified at this time.
+references:
+ - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber
+drilldown_searches:
+ - name: View the detection results for - "$dest$"
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: A process [$process_name$] made a DNS query for [$QueryName$] from host [$dvc$].
+ risk_objects:
+ - field: dvc
+ type: system
+ score: 50
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - BlankGrabber Stealer
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1071.004
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/upload_files_dns/upload_files.log
+ source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
+ sourcetype: XmlWinEventLog
diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
index 7f60af1356..16aa626f9c 100644
--- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
+++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
@@ -1,6 +1,6 @@
 name: Windows EventLog Recon Activity Using Log Query Utilities
 id: dc167f8b-3f9d-4460-9c98-8b6e703fd628
-version: 5
+version: 6
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -106,6 +106,7 @@ rba:
 tags:
 analytic_story:
 - Windows Discovery Techniques
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1654
diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml
new file mode 100644
index 0000000000..7ee8105b0c
--- /dev/null
+++ b/detections/endpoint/windows_hosts_file_access.yml
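Review bot: Both drilldown searches in windows_dns_lookup_to_public_file_sharing_domain.yml filter on `$dest$`, but the detection never emits a `dest` field — its `stats ... BY` list and the risk object use `dvc` — so the token expands empty and the drilldowns return nothing. Either rewrite them as `search dvc = "$dvc$"` and `normalized_risk_object IN ("$dvc$")` (with the names changed to match), or append `| rename dvc as dest` to the search and switch the risk object to `dest`, which is what the sibling detections in this diff key on. The first `QueryName` pattern, `"*//objects.githubusercontent.com*"`, cannot match a DNS query name because query names contain no `//`; it should be `"*objects.githubusercontent.com*"`. `known_false_positives` says none have been identified even though the description itself concedes legitimate use and the list includes widely used hosts such as `storage.googleapis.com`, `cdn.discordapp.com`, `dl.dropboxusercontent.com`, `workers.dev` and `pages.dev`, so state that and point tuners at `process_name`/`src` filtering; the `renamed rundll32.exe` sentence in `how_to_implement` does not apply to a DNS-query analytic and should be dropped.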
@@ -0,0 +1,52 @@
+name: Windows Hosts File Access
+id: b34bcf35-5380-4b00-b208-5531303fb751
+version: 1
+date: '2026-03-03'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: This Analytics detects the execution of a process attempting to access the hosts file. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures. Hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to the hosts file, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.
+data_source:
+ - Windows Event Log Security 4663
+search: '`wineventlog_security` EventCode=4663 object_file_path="*:\\Windows\\System32\\drivers\\etc\\hosts" AND NOT ( process_path IN ( "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SysWow64\\svchost.exe", "*:\\Windows\\System32\\lsass.exe", "*:\\Windows\\SysWow64\\lsass.exe", "*:\\Windows\\System32\\services.exe", "*:\\Windows\\SysWow64\\services.exe", "*:\\Windows\\System32\\SearchIndexer.exe", "*:\\Windows\\SysWow64\\SearchIndexer.exe", "*:\\Windows\\explorer.exe" ))
+
+ | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | eval process_path = lower(process_path) | lookup browser_process_and_path browser_process_path as process_path OUTPUT is_valid_browser_path | eval is_valid_browser_path=coalesce(is_valid_browser_path,"false") | where is_valid_browser_path = "false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hosts_file_access_filter`'
+how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
This search may trigger on a browser application that is not included in the browser_app_list lookup file.
+known_false_positives: Administrator may access this registry for product key recovery purposes.
+references:
+ - https://cert.gov.ua/article/6284730
+drilldown_searches:
+ - name: View the detection results for - "$user$" and "$dest$"
+ search: '%original_detection_search% | search user = "$user$" dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: a [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$].
+ risk_objects:
+ - field: dest
+ type: system
+ score: 20
+ threat_objects:
+ - field: process_name
+ type: process_name
+tags:
+ analytic_story:
+ - BlankGrabber Stealer
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1012
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1012/host_file_accessed/hosts_accessed.log
+ source: XmlWinEventLog:Security
+ sourcetype: XmlWinEventLog
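Review bot: The search in windows_hosts_file_access.yml pipes into `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` but never produces those fields — the aggregation is `stats count by _time object_file_path ...`, which also groups on the raw event timestamp and so collapses nothing; change it to `| stats count min(_time) as firstTime max(_time) as lastTime by object_file_path object_file_name dest process_name process_path process_id EventCode`. The drilldowns and the risk lookup filter on `$user$`, yet `user` is not in the `by` clause, so that token is always empty; add `user` to the aggregation or drop it from the drilldown names and searches. `how_to_implement` refers to a `browser_app_list` lookup while the search uses `browser_process_and_path`, and `known_false_positives` ("access this registry for product key recovery") is carried over from a registry detection and does not describe hosts-file reads. The `T1012` (Query Registry) mapping looks inherited the same way — this analytic watches a file object, not the registry — so reconsider the technique before this ships.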
diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
index 0eefcb8797..246bea562d 100644
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
+++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
@@ -1,6 +1,6 @@
 name: Windows Impair Defense Disable Controlled Folder Access
 id: 3032741c-d6fc-4c69-8988-be8043d6478c
-version: 8
+version: 9
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -34,6 +34,7 @@ tags:
 analytic_story:
 - Windows Defense Evasion Tactics
 - Windows Registry Abuse
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
index b41be54166..c3e6f60d18 100644
--- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
@@ -1,6 +1,6 @@
 name: Windows Impair Defense Disable Win Defender Network Protection
 id: 8b6c15c7-5556-463d-83c7-986326c21f12
-version: 9
+version: 10
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -35,6 +35,7 @@ tags:
 - Windows Defense Evasion Tactics
 - Windows Registry Abuse
 - Scattered Lapsus$ Hunters
+ - BlankGrabber Stealer
 asset_type: Endpoint
 mitre_attack_id:
 - T1562.001
diff --git a/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml
new file mode 100644
index 0000000000..1e527e9b14
--- /dev/null
+++ b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml
@@ -0,0 +1,68 @@ +name: Windows MpCmdRun RemoveDefinitions Execution +id: b2442e49-bd3f-4685-a2dc-2bdc292563bf +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This detection identifies the execution of MpCmdRun.exe with the -RemoveDefinitions argument, which is commonly used by malware to remove definitions from the Windows Malware Protection Engine. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures. +data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name ="MpCmdRun.exe" OR Processes.original_file_name = MpCmdRun.exe) AND Processes.process = "*-RemoveDefinitions *" + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_mpcmdrun_removedefinitions_execution_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators may execute this command for testing or auditing. +references: + - https://cert.gov.ua/article/6284730 +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of [$process_name$] attempting to remove definitions from the Windows Malware Protection Engine on [$dest$] by user [$user$]. 
+ risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Stealer + asset_type: Endpoint + mitre_attack_id: + - T1562.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/mpcmdrun_remove/mpcmdrun_remove.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 57f80d4573..9d8e3d3ccf 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -1,6 +1,6 @@ name: Windows Non Discord App Access Discord LevelDB id: 1166360c-d495-45ac-87a6-8948aac1fa07 -version: 8 +version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk data_source: @@ -34,6 +34,7 @@ tags: - StealC Stealer - Snake Keylogger - PXA Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_product_key_registry_query.yml b/detections/endpoint/windows_product_key_registry_query.yml new file mode 100644 index 0000000000..dabb6a0b49 --- /dev/null +++ b/detections/endpoint/windows_product_key_registry_query.yml 
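Review bot: The command-line filter `Processes.process = "*-RemoveDefinitions *"` requires a trailing space after the switch, so an invocation where `-RemoveDefinitions` is the last token (Microsoft documents the `-All`/`-DynamicSignatures`/`-Engine` suffixes as optional) is not matched; use `Processes.process = "*-RemoveDefinitions*"`. The `original_file_name` comparison is also unquoted (`= MpCmdRun.exe`) while the `process_name` one is quoted — quote both, matching the other new detections in this commit. If the accelerated `Processes.process` field preserves case, a lowercased `-removedefinitions` would presumably not match either, since tstats `where` string comparisons are case-sensitive — confirm against the data model before relying on it.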
@@ -0,0 +1,50 @@ +name: Windows Product Key Registry Query +id: 977da0c0-c7d5-45de-8b7e-f79e959ca13d +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This Analytics detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures or data exfiltration. +data_source: + - Windows Event Log Security 4663 +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_product_key_registry_query_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. +known_false_positives: Administrator may access this registry for product key recovery purposes. 
+references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: a [$process_name$] attempting to access the registry on [$dest$]. + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Stealer + asset_type: Endpoint + mitre_attack_id: + - T1012 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1012/backup_product_key_registry/backup_protection.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index a753de9117..a8cffb1342 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml 
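Review bot: Both drilldown searches filter on `user = "$user$"`, but the `stats ... by object_file_name object_file_path process_name process_path process_id EventCode dest` clause never carries a `user` field through, so the `$user$` token has nothing to bind to and the first drilldown returns no results. Add `user` to the `by` list (the 4663 event carries the subject account) and, if it proves reliable, a `user` risk object next to `dest`. The `how_to_implement` sentence about a browser missing from the `browser_app_list` lookup is copied from another detection — this search uses no lookup — and should be dropped.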
@@ -1,6 +1,6 @@ name: Windows Screen Capture Via Powershell id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170 -version: 12 +version: 13 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production 
@@ -9,17 +9,17 @@ data_source: - Powershell Script Block Logging 4104 description: The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation. search: |- - `powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" AND ScriptBlockText = "*New-Object Drawing.Bitmap*" AND ScriptBlockText = "*.CopyFromScreen*" - | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime - BY dest signature signature_id - user_id vendor_product EventID - Guid Opcode Name - Path ProcessID ScriptBlockId - ScriptBlockText - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_screen_capture_via_powershell_filter` + `powershell` EventCode=4104 ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*", "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + BY dest signature signature_id + user_id vendor_product EventID + Guid Opcode Name + Path ProcessID ScriptBlockId + ScriptBlockText + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_screen_capture_via_powershell_filter` how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba. known_false_positives: No false positives have been identified at this time. references: @@ -46,6 +46,7 @@ tags: - APT37 Rustonotto and FadeStealer - Winter Vivern - Water Gamayun + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1113 diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index bf1e45869d..3a71d6c679 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -1,6 +1,6 @@ name: Windows System Network Connections Discovery Netsh id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca -version: 8 +version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -51,6 +51,7 @@ tags: - Windows Post-Exploitation - Prestige Ransomware - Snake Keylogger + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1049 diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index f8160a94c0..f2859f16a3 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -1,6 +1,6 @@ name: Windows Time Based Evasion id: 34502357-deb1-499a-8261-ffe144abf561 -version: 11 +version: 12 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -48,6 +48,7 @@ rba: tags: analytic_story: - NjRAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1497.003 
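Review bot: The broadened search still requires `*.CopyFromScreen*` and one of the `Drawing` patterns to occur in the same 4104 event, but PowerShell splits large scripts into several 4104 fragments (MessageNumber/MessageTotal), so a capture routine whose `Bitmap` construction and `CopyFromScreen` call land in different fragments is missed. Either state this limitation in `how_to_implement` or reassemble fragments by `ScriptBlockId` before applying the conjunction; the unchanged `stats ... BY ... ScriptBlockText` groups per fragment too, so any reassembly would presumably need to happen ahead of it.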
diff --git a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml new file mode 100644 index 0000000000..f77a1bdfc8 --- /dev/null +++ b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml 
@@ -0,0 +1,68 @@ +name: Windows WinRAR Launched Outside Default Installation Directory +id: 3b711292-9793-4a88-8e89-6e016cfbc09c +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This Analytics detects the execution of WinRAR or RAR outside the default installation directory. This behavior is significant as it indicates potential malware activity or attempts to archive collected sensitive data from the endpoint for exfiltration. We recommend reviewing the process path and the parent process path to determine if the execution is legitimate and if possible validate the data being archived. +data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN ("Winrar.exe", "rar.exe") AND NOT (Processes.process_path IN ("*:\\Program Files (x86)\\WinRAR\\*", "*:\\Program Files\\WinRAR\\*")) + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_winrar_launched_outside_default_installation_directory_filter` +how_to_implement: he detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: No false positives have been identified at this time. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A winrar [$process_name$] execution in [$process_path$] was identified on endpoint [$dest$] by user [$user$]. 
+ risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Stealer + asset_type: Endpoint + mitre_attack_id: + - T1047 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/susp_winrar/blank123.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml new file mode 100644 index 0000000000..57fbb87d27 --- /dev/null +++ b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml 
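Review bot: `mitre_attack_id` is `T1047` (Windows Management Instrumentation), which does not describe this detection; WinRAR/rar used to package collected data maps to `T1560.001` (Archive Collected Data: Archive via Utility), and the attack_data path under `T1047/susp_winrar/` should be reconsidered with it. The match is by `process_name IN ("Winrar.exe", "rar.exe")` only, so a renamed binary is missed outright, and `WinRAR.exe` may not match at all if the accelerated field keeps the vendor's casing and tstats `where` is case-sensitive — adding `OR Processes.original_file_name IN ("WinRAR.exe", "Rar.exe")` (verify the exact OriginalFileName values against a sample) covers both. `known_false_positives` says none, yet `rar.exe` from the command-line package is routinely run from tool directories on build and admin hosts; note that. `how_to_implement` also begins with `he detection` (missing `T`).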
@@ -0,0 +1,72 @@ +name: Windows WMI Reconnaissance Class Query +id: 5e38bd3e-5da7-483d-aa61-27f7e8c27ad1 +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for reconnaissance and system information discovery on Windows endpoints. It identifies command-line queries targeting common Win32 WMI classes such as Win32_OperatingSystem, Win32_Processor, csproduct, Win32_DiskDrive, and Win32_PhysicalMemory, which are frequently leveraged to enumerate hardware, operating system details, and system configuration. Adversaries often use these queries during post-exploitation to fingerprint hosts, assess virtualization, and tailor follow-on activity. While WMIC usage can be legitimate for administrative and inventory tasks, suspicious or unexpected execution—particularly by non-administrative users or uncommon parent processes—may indicate malicious reconnaissance aligned with system discovery techniques. 
+data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes + where (NOT (Processes.parent_process_path IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*:\\Program Files\\*", "*:\\Program Files (x86)\\*")) OR Processes.parent_process_name IN("cmd.exe", "powershell*", "pwsh*")) AND + Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe" + AND Processes.process IN ("*Win32_Bios*", "*Win32_OperatingSystem*", "*Win32_Processor*", "*Win32_PnPEntity*", "*Win32_ShadowCopy*", "*Win32_DiskDrive*", + "*Win32_PhysicalMemory*", "*Win32_BaseBoard*", "*Win32_DisplayConfiguration*", "*win32_VideoController*", "*win32_shortcutfile*", "*csproduct*") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_wmi_reconnaissance_class_query_filter` +how_to_implement: he detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators may execute this command for testing or auditing. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of [$parent_process_name$] spawning [$process_name$] was identified on endpoint [$dest$] by user [$user$] attempting to enumerate system information via WMI classes. 
+ risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Stealer + asset_type: Endpoint + mitre_attack_id: + - T1047 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmic_classes/wmic_cmd.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml index e6a5203ce4..8c40fda1a2 100644 --- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml +++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml @@ -1,6 +1,6 @@ name: Windows Wmic Systeminfo Discovery id: 97937ece-cb13-4dbc-9684-c0dc3afd400a -version: 3 +version: 4 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -54,6 +54,7 @@ rba: tags: analytic_story: - LAMEHUG + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1082 diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index c5d287ba50..50742de7cd 100644 --- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -1,6 +1,6 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: 15 +version: 16 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production 
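Review bot: The `where` clause mixes `AND`/`OR` without parentheses around the process-name test: `... AND Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe" AND Processes.process IN (...)`. Because `AND` binds tighter than `OR`, this evaluates as (parent condition AND `process_name = "wmic.exe"`) OR (`original_file_name = "wmic.exe"` AND class list), so every `wmic.exe` spawned from a non-standard parent fires with no class filter, and a renamed `wmic.exe` fires with no parent filter. Wrap the name test: `(Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe")`. `how_to_implement` also starts with `he detection` (missing `T`).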
@@ -45,6 +45,7 @@ tags: - Cactus Ransomware - Braodo Stealer - RedLine Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml index 4029cf5ea4..fb17f02847 100644 --- a/detections/network/suspicious_process_with_discord_dns_query.yml +++ b/detections/network/suspicious_process_with_discord_dns_query.yml @@ -1,6 +1,6 @@ name: Suspicious Process With Discord DNS Query id: 4d4332ae-792c-11ec-89c1-acde48001122 -version: 11 +version: 12 date: '2026-03-10' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production @@ -39,6 +39,7 @@ tags: - WhisperGate - PXA Stealer - Cactus Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml index 1d5b6bdf73..a01cfc23f0 100644 --- a/detections/network/windows_abused_web_services.yml +++ b/detections/network/windows_abused_web_services.yml @@ -1,6 +1,6 @@ name: Windows Abused Web Services id: 01f0aef4-8591-4daa-a53d-0ed49823b681 -version: 10 +version: 11 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -47,6 +47,7 @@ tags: - NjRAT - CISA AA24-241A - Malicious Inno Setup Loader + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1102 diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml index 0c7d614d5d..638a15ecfc 100644 --- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml +++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml @@ -1,6 +1,6 @@ name: Windows DNS Query Request by Telegram Bot API id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e -version: 7 +version: 8 date: '2026-03-10' author: Teoderick Contreras, Splunk data_source: 
@@ -44,6 +44,7 @@ tags: analytic_story: - Crypto Stealer - 0bj3ctivity Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1071.004 diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml index 13ae9ee3ef..8283f7d88e 100644 --- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -1,6 +1,6 @@ name: Windows Gather Victim Network Info Through Ip Check Web Services id: 70f7c952-0758-46d6-9148-d8969c4481d1 -version: 17 +version: 18 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -55,6 +55,7 @@ tags: - Quasar RAT - 0bj3ctivity Stealer - Castle RAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1590.005 diff --git a/lookups/browser_process_and_path.csv b/lookups/browser_process_and_path.csv new file mode 100644 index 0000000000..f6eeb00556 --- /dev/null +++ b/lookups/browser_process_and_path.csv 
@@ -0,0 +1,47 @@ +browser_process_name,browser_process_path,is_valid_browser_path +"sputnik.exe","*sputnik\sputnik\application\sputnik.exe*",true +"chromeplus.exe","*maplestudio\chromeplus\application\chromeplus.exe*",true +"qip surf.exe","*qip surf\application\qip surf.exe*",true +"blackhawk.exe","*blackhawk\application\blackhawk.exe*",true +"7star.exe","*7star\7star\application\7star.exe*",true +"sleipnir5.exe","*fenrir inc\sleipnir5\sleipnir5.exe*",true +"citrio.exe","*catalinagroup\citrio\application\citrio.exe*",true +"chrome sxs.exe","*google\chrome sxs\application\chrome sxs.exe*",true +"chrome.exe","*google\chrome\application\chrome.exe*",true +"coowon.exe","*coowon\coowon\application\coowon.exe*",true +"coccocbrowser.exe","*coccoc\browser\application\coccocbrowser.exe*",true +"uran.exe","*ucozmedia\uran\application\uran.exe*",true +"qqbrowser.exe","*tencent\qqbrowser\application\qqbrowser.exe*",true +"orbitum.exe","*orbitum\application\orbitum.exe*",true +"slimjet.exe","*slimjet\application\slimjet.exe*",true +"iridium.exe","*iridium\application\iridium.exe*",true +"vivaldi.exe","*vivaldi\application\vivaldi.exe*",true +"chromium.exe","*chromium\application\chrome.exe*",true +"ghostbrowser.exe","*ghostbrowser\application\ghostbrowser.exe*",true +"centbrowser.exe","*centbrowser\application\centbrowser.exe*",true +"xvast.exe","*xvast\application\xvast.exe*",true +"chedot.exe","*chedot\application\chedot.exe*",true +"superbird.exe","*superbird\application\superbird.exe*",true +"360browser.exe","*360browser\browser\application\360browser.exe*",true +"360chrome.exe","*360chrome\chrome\application\360chrome.exe*",true +"dragon.exe","*comodo\dragon\application\dragon.exe*",true +"brave.exe","*bravesoftware\brave-browser\application\brave.exe*",true +"torch.exe","*torch\application\torch.exe*",true +"ucbrowser.exe","*ucbrowser\application\ucbrowser.exe*",true +"bliskbrowser.exe","*blisk\application\bliskbrowser.exe*",true +"epic privacy browser.exe","*epic privacy 
browser\application\epic privacy browser.exe*",true +"nichrome.exe","*nichrome\application\nichrome.exe*",true +"amigobrowser.exe","*amigo\application\amigobrowser.exe*",true +"kometabrowser.exe","*kometa\application\kometabrowser.exe*",true +"xpombrowser.exe","*xpom\application\xpombrowser.exe*",true +"msedge.exe","*microsoft\edge\application\msedge.exe*",true +"liebaobrowser.exe","*liebao7\application\liebaobrowser.exe*",true +"avastbrowser.exe","*avast software\browser\application\avastbrowser.exe*",true +"kinza.exe","*kinza\application\kinza.exe*",true +"seamonkey.exe","*mozilla\seamonkey\seamonkey.exe*",true +"icedragon.exe","*comodo\icedragon\icedragon.exe*",true +"cyberfox.exe","*8pecxstudios\cyberfox\cyberfox.exe*",true +"slimbrowser.exe","*flashpeak\slimbrowser\slimbrowser.exe*",true +"palemoon.exe","*moonchild productions\pale moon\palemoon.exe*",true +"opera.exe","*opera software\opera*\opera.exe*",true +"yandex.exe","*yandex\yandexbrowser\yandex.exe*",true diff --git a/lookups/browser_process_and_path.yml b/lookups/browser_process_and_path.yml new file mode 100644 index 0000000000..2b261020a9 --- /dev/null +++ b/lookups/browser_process_and_path.yml @@ -0,0 +1,12 @@ +name: browser_process_and_path +date: 2025-03-09 +version: 1 +id: c35eb14c-2a12-4556-8c9d-d11e31c8915f +author: Splunk Threat Research Team +lookup_type: csv +description: Legitimate browser process executable paths; used to filter out known browsers e.g. when detecting hosts file access. +default_match: false +match_type: +- WILDCARD(browser_process_path) +min_matches: 1 +case_sensitive_match: false diff --git a/stories/blankgrabber_stealer.yml b/stories/blankgrabber_stealer.yml new file mode 100644 index 0000000000..71bbad3c11 --- /dev/null +++ b/stories/blankgrabber_stealer.yml 
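Review bot: The row `"chromium.exe","*chromium\application\chrome.exe*",true` is internally inconsistent: the executable in a `Chromium\Application\` directory is `chrome.exe`, so a consumer matching on both `browser_process_name` and `browser_process_path` can never satisfy this row; change it to `"chrome.exe","*chromium\application\chrome.exe*",true` or correct the path. More generally this is a path-only allowlist (`WILDCARD(browser_process_path)` with a leading `*`), so a binary dropped into any user-writable directory ending in e.g. `google\chrome\application\chrome.exe` is filtered out of the hosts-file detection; document this masquerading limitation in the lookup description and pair the match with a signer or hash check where the telemetry provides one.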
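Review bot: `date: 2025-03-09` is an unquoted scalar, which YAML parsers read as a date object rather than the string every other file in this commit uses (`date: '2026-03-03'`); quote it, and check the year, since the rest of the content is dated 2026. The `is_valid_browser_path` column is `true` on every row and is not part of the `match_type` definition, so its intended use by consumers should be stated in `description` or the column dropped.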
@@ -0,0 +1,18 @@ +name: BlankGrabber Stealer +id: 19342670-28e0-4efa-89d9-e709ba5534a4 +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +description: BlankGrabber is a Windows-based information-stealing malware typically distributed through phishing emails, malicious downloads, cracked software, and fake game cheats. Once executed, it harvests sensitive data such as saved browser passwords, cookies, autofill data, cryptocurrency wallet information, Discord tokens, and system details. Stolen data is commonly exfiltrated to attacker-controlled servers via webhooks or encrypted channels. BlankGrabber often includes basic anti-analysis and obfuscation techniques to evade detection. It poses significant risks to individuals and organizations by enabling account takeover, financial theft, and broader network compromise. +narrative: When BlankGrabber slips onto a system, it rarely announces itself. Disguised as cracked software, a game cheat, or an innocent attachment, it quietly installs and begins sifting through the victim’s digital life. Browsers yield saved passwords and cookies, cryptocurrency wallets expose valuable keys, and messaging apps hand over authentication tokens. In the background, the malware packages this information and transmits it to an attacker-controlled server, often using encrypted channels. With subtle persistence and basic anti-analysis tricks, BlankGrabber enables account takeovers, financial theft, and deeper compromise before the victim realizes anything is wrong. +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file
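Review bot: `references` lists only the Malpedia entry, while the detections added for this story (e.g. the MpCmdRun and hosts-file analytics) cite `https://cert.gov.ua/article/6284730`; add that link here so the campaign context is reachable from the analytic story itself. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the other YAML in this commit.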