From ad60de0ba0cf4644f8b0b3352d33aee09c1b6888 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 13:32:15 +0100 Subject: [PATCH 01/13] blank_grabber --- ...s_lookup_to_public_file_sharing_domain.yml | 50 +++++++++++++ .../endpoint/windows_hosts_file_access.yml | 52 ++++++++++++++ ...s_mpcmdrun_removedefinitions_execution.yml | 68 ++++++++++++++++++ .../windows_product_key_registry_query.yml | 50 +++++++++++++ ...outside_default_installation_directory.yml | 70 ++++++++++++++++++ ...windows_wmi_reconnaissance_class_query.yml | 72 +++++++++++++++++++ lookups/browser_process_and_path.csv | 47 ++++++++++++ lookups/browser_process_and_path.yml | 11 +++ stories/blankgrabber_stealer.yml | 18 +++++ 9 files changed, 438 insertions(+) create mode 100644 detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml create mode 100644 detections/endpoint/windows_hosts_file_access.yml create mode 100644 detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml create mode 100644 detections/endpoint/windows_product_key_registry_query.yml create mode 100644 detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml create mode 100644 detections/endpoint/windows_wmi_reconnaissance_class_query.yml create mode 100644 lookups/browser_process_and_path.csv create mode 100644 lookups/browser_process_and_path.yml create mode 100644 stories/blankgrabber_stealer.yml diff --git a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml new file mode 100644 index 0000000000..eabe84b6f2 --- /dev/null +++ b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml 
@@ -0,0 +1,50 @@ +name: Windows DNS Lookup to Public File Sharing Domain +id: 3c6e77aa-7b7d-4a20-bd59-9221a0b9f2c9 +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This Analytics detects DNS queries to public file sharing domains, such as api.anonfiles.com and api.gofile.io. These services allow users to anonymously upload and distribute files, which can be abused by threat actors for data exfiltration, malware staging, or command-and-control communications. Monitoring DNS requests to these domains helps identify potentially unauthorized data transfers or suspicious outbound activity. While legitimate use may exist, such queries originating from servers, restricted systems, or non-browser processes should be investigated to determine whether sensitive data is being staged or transmitted externally. +data_source: + - Sysmon EventID 22 +search: '`sysmon` EventCode=22 QueryName IN ("*api.anonfiles.com", "*api.gofile.io") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' +how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. +known_false_positives: No false positives have been identified at this time. 
+references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$dest$" + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A process [$process_name$] made a DNS query for [$QueryName$] from host [$dest$]. + risk_objects: + - field: dest + type: system + score: 50 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - Lokibot + asset_type: Endpoint + mitre_attack_id: + - T1071.004 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1071.004/upload_files_dns/upload_files.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml new file mode 100644 index 0000000000..4c60411f0b --- /dev/null +++ b/detections/endpoint/windows_hosts_file_access.yml 
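Review bot: the risk object and both drilldowns key on `dest`, but the `stats ... BY` clause in this search never carries `dest` (it groups by `dvc` and `src` instead), so `$dest$` is empty in the RBA message and the drilldown `search dest = "$dest$"` returns nothing; add `dest` to the BY list or derive it with `eval dest=coalesce(dest,dvc)` before the stats. Two copy-paste leftovers in the same hunk: `how_to_implement` ends with "Tune and filter known instances where renamed rundll32.exe may be used", which has nothing to do with Sysmon EventID 22 DNS queries, and `analytic_story` points at `Lokibot` although the reference and the rest of the patch are BlankGrabber (the story added in this patch is named "BlankGrabber Stealer"). `known_false_positives: No false positives have been identified at this time.` also contradicts the description's own "While legitimate use may exist"; say that browser-originated lookups of gofile/anonfiles are expected and that `process_name` is the field that separates them from a non-browser uploader.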
@@ -0,0 +1,52 @@ +name: Windows Hosts File Access +id: b34bcf35-5380-4b00-b208-5531303fb751 +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This Analytics detects the execution of a process attempting to access the hosts file. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures. Hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to the hosts file, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites. +data_source: + - Windows Security 4663 +search: '`wineventlog_security` EventCode=4663 object_file_path="*:\\Windows\\System32\\drivers\\etc\\hosts" AND NOT ( process_path IN ( "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SysWow64\\svchost.exe", "*:\\Windows\\System32\\lsass.exe", "*:\\Windows\\SysWow64\\lsass.exe", "*:\\Windows\\System32\\services.exe", "*:\\Windows\\SysWow64\\services.exe", "*:\\Windows\\System32\\SearchIndexer.exe", "*:\\Windows\\SysWow64\\SearchIndexer.exe", "*:\\Windows\\explorer.exe" )) + + | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | eval process_path = lower(process_path) | lookup browser_process_and_path browser_process_path as process_path OUTPUT is_valid_browser_path | eval is_valid_browser_path=coalesce(is_valid_browser_path,"false") | where is_valid_browser_path = "false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hosts_file_access_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. 
+known_false_positives: Administrator may access this registry for product key recovery purposes. +references: + - https://cert.gov.ua/article/6284730 +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: a [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$] by [$user$] . + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Stealer + asset_type: Endpoint + mitre_attack_id: + - T1012 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1012/host_file_accessed/hosts_accessed.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml new file mode 100644 index 0000000000..fb5aa81148 --- /dev/null 
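Review bot: the search's `stats count by _time object_file_path ...` produces only `count`, yet the pipeline then calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` on fields nothing produced, and grouping by `_time` leaves one row per event so the stats does no aggregation; change it to `stats count min(_time) as firstTime max(_time) as lastTime by object_file_path object_file_name dest user process_name process_path process_id EventCode`, adding `user`, which the RBA message and both drilldowns reference but the BY clause drops. `known_false_positives: Administrator may access this registry for product key recovery purposes.` is copied from the product-key detection and does not describe hosts-file reads, and `how_to_implement` names a `browser_app_list` lookup while the search actually calls `browser_process_and_path`. `mitre_attack_id: - T1012` is the registry-query ID shared with the product-key detection below; a read of `drivers\etc\hosts` is a file access, not a registry query, and needs its own mapping.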
+++ b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml 
@@ -0,0 +1,68 @@ +name: Windows MpCmdRun RemoveDefinitions Execution +id: b2442e49-bd3f-4685-a2dc-2bdc292563bf +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This detection identifies the execution of MpCmdRun.exe with the -RemoveDefinitions argument, which is commonly used by malware to remove definitions from the Windows Malware Protection Engine. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures. +data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where (Processes.process_name ="MpCmdRun.exe" OR Processes.original_file_name = MpCmdRun.exe) AND Processes.process = "*-RemoveDefinitions *" + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_mpcmdrun_removedefinitions_execution_filter` +how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. 
These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators may execute this command for testing or auditing. +references: + - https://cert.gov.ua/article/6284730 +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of [$process_name$] attempting to remove definitions from the Windows Malware Protection Engine on [$dest$] by user [$user$]. 
+ risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1562.001 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.001/mpcmdrun_remove/mpcmdrun_remove.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_product_key_registry_query.yml b/detections/endpoint/windows_product_key_registry_query.yml new file mode 100644 index 0000000000..377555c0a3 --- /dev/null +++ b/detections/endpoint/windows_product_key_registry_query.yml 
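Review bot: `analytic_story: - BlankGrabber Ransomware` does not match the story added in this patch, whose name is `BlankGrabber Stealer` (`stories/blankgrabber_stealer.yml`), so the detection will not attach to it; the story's own description calls BlankGrabber an information stealer, and the WinRAR and WMI detections carry the same wrong name. The command-line pattern `"*-RemoveDefinitions *"` requires a trailing space followed by more text, so a command line that ends in `-RemoveDefinitions` is missed; `"*-RemoveDefinitions*"` covers both. Minor: `Processes.original_file_name = MpCmdRun.exe` is the only unquoted string literal in these searches; quote it like the `"MpCmdRun.exe"` on the same line.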
@@ -0,0 +1,50 @@ +name: Windows Product Key Registry Query +id: 977da0c0-c7d5-45de-8b7e-f79e959ca13d +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This Analytics detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures or data exfiltration. +data_source: + - Windows Security 4663 +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform" by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_product_key_registry_query_filter`' +how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. +known_false_positives: Administrator may access this registry for product key recovery purposes. 
+references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: a [$process_name$] attempting to access the registry on [$dest$] by [$user$] . + risk_objects: + - field: dest + type: system + score: 20 + threat_objects: + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Stealer + asset_type: Endpoint + mitre_attack_id: + - T1012 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1012/backup_product_key_registry/backup_protection.log + source: XmlWinEventLog:Security + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml new file mode 100644 index 0000000000..7baa8b0575 --- /dev/null 
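Review bot: the search is not valid SPL as written: `... SoftwareProtectionPlatform" by object_file_name object_file_path ...` has a `by` clause with no `stats` (or other transforming command) in front of it, and the `security_content_ctime(firstTime)` / `(lastTime)` macros that follow reference fields nothing produces. It needs `| stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest user` (the RBA message and drilldowns use `$user$`); the test against `backup_product_key_registry/backup_protection.log` cannot have passed with the current text. `how_to_implement` is the hosts-file boilerplate ("This search may trigger on a browser application that is not included in the browser_app_list lookup file", and no browser lookup is used here); replace it with the key that needs an audit SACL, since 4663 is only logged for objects that carry one and "Audit Object Access ... check the two boxes" alone produces no events for `SoftwareProtectionPlatform`.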
+++ b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml 
@@ -0,0 +1,70 @@ +name: Windows WinRAR Launched Outside Default Installation Directory +id: 3b711292-9793-4a88-8e89-6e016cfbc09c +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: This Analytics detects the execution of WinRAR or RAR outside the default installation directory. This behavior is significant as it indicates potential malware activity or attempts to archive collected sensitive data from the endpoint for exfiltration. We recommend reviewing the process path and the parent process path to determine if the execution is legitimate and if possible validate the data being archived. +data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes + where Processes.process_name IN ("Winrar.exe", "rar.exe") AND NOT (Processes.process_path IN ("*:\\Program Files (x86)\\WinRAR\\*", "*:\\Program Files\\WinRAR\\*")) + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_winrar_launched_outside_default_installation_directory_filter` +how_to_implement: he detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. 
To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: No false positives have been identified at this time. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: A winrar [$process_name$] execution in [$process_path$] was identified on endpoint [$dest$] by user [$user$]. 
+ risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name + - field: process_path + type: process_path +tags: + analytic_story: + - BlankGrabber Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1047 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/susp_winrar/blank123.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml new file mode 100644 index 0000000000..7f59d200ea --- /dev/null +++ b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml 
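Review bot: `mitre_attack_id: - T1047` is the WMI ID reused from the WMI detection below, and the test data sits under `attack_techniques/T1047/susp_winrar/`; the description says the behaviour is archiving collected data for exfiltration, which maps to T1560.001 (Archive via Utility), so retag the detection and move the dataset. `how_to_implement` begins with "he detection" (missing "T"), the same typo as in the WMI detection, and `analytic_story: - BlankGrabber Ransomware` should be `BlankGrabber Stealer`, the name in `stories/blankgrabber_stealer.yml`. `known_false_positives: No false positives have been identified at this time.` is hard to defend for a check that fires on every `Winrar.exe` or `rar.exe` outside `Program Files\WinRAR` and `Program Files (x86)\WinRAR`: portable or per-user installs and build tooling that bundles `rar.exe` will match, and the description itself tells the analyst to check path and parent; say so there.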
@@ -0,0 +1,72 @@ +name: Windows WMI Reconnaissance Class Query +id: 5e38bd3e-5da7-483d-aa61-27f7e8c27ad1 +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +type: Anomaly +description: The following analytic detects the use of WMIC (Windows Management Instrumentation Command-line) for reconnaissance and system information discovery on Windows endpoints. It identifies command-line queries targeting common Win32 WMI classes such as Win32_OperatingSystem, Win32_Processor, csproduct, Win32_DiskDrive, and Win32_PhysicalMemory, which are frequently leveraged to enumerate hardware, operating system details, and system configuration. Adversaries often use these queries during post-exploitation to fingerprint hosts, assess virtualization, and tailor follow-on activity. While WMIC usage can be legitimate for administrative and inventory tasks, suspicious or unexpected execution—particularly by non-administrative users or uncommon parent processes—may indicate malicious reconnaissance aligned with system discovery techniques. 
+data_source: + - Sysmon EventID 1 + - Windows Event Log Security 4688 + - CrowdStrike ProcessRollup2 +search: |- + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) + as lastTime from datamodel=Endpoint.Processes + where Processes.parent_process_path NOT IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*:\\Program Files\\*", "*:\\Program Files (x86)\\*") + Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe" + AND Processes.process IN ("*Win32_Bios*", "*Win32_OperatingSystem*", "*Win32_Processor*", "*Win32_PnPEntity*", "*Win32_ShadowCopy*", "*Win32_DiskDrive*", + "*Win32_PhysicalMemory*", "*Win32_BaseBoard*", "*Win32_DisplayConfiguration*", "*win32_VideoController*", "*win32_shortcutfile*", "*csproduct*") + by Processes.action Processes.dest Processes.original_file_name Processes.parent_process + Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id + Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec + Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_wmi_reconnaissance_class_query_filter` +how_to_implement: he detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. 
The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. +known_false_positives: Administrators may execute this command for testing or auditing. +references: + - https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +drilldown_searches: + - name: View the detection results for - "$user$" and "$dest$" + search: '%original_detection_search% | search user = "$user$" dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$user$" and "$dest$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +rba: + message: An instance of [$parent_process_name$] spawning [$process_name$] was identified on endpoint [$dest$] by user [$user$] attempting to enumerate system information via WMI classes. 
+ risk_objects: + - field: dest + type: system + score: 20 + - field: user + type: user + score: 20 + threat_objects: + - field: parent_process_name + type: parent_process_name + - field: process_name + type: process_name +tags: + analytic_story: + - BlankGrabber Ransomware + asset_type: Endpoint + mitre_attack_id: + - T1047 + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + security_domain: endpoint +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1047/wmic_classes/wmic_cmd.log + source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational + sourcetype: XmlWinEventLog diff --git a/lookups/browser_process_and_path.csv b/lookups/browser_process_and_path.csv new file mode 100644 index 0000000000..f6eeb00556 --- /dev/null +++ b/lookups/browser_process_and_path.csv 
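Review bot: operator precedence in the `where` clause breaks the filter: `Processes.parent_process_path NOT IN (...) Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe" AND Processes.process IN (...)` is evaluated as `(parent_process_path NOT IN (...) AND process_name = "wmic.exe") OR (original_file_name = "wmic.exe" AND process IN (...))`, so any `wmic.exe` with a parent outside the excluded directories fires regardless of its command line, and a renamed wmic with a matching class query fires regardless of parent. Wrap the name test: `(Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe") AND Processes.process IN (...)`. Also, excluding parents under `*\Windows\System32\*` and `*\Windows\SysWOW64\*` excludes `cmd.exe` and `powershell.exe`, the usual launchers for a scripted `wmic` call, which is at odds with the description's "uncommon parent processes"; if that exclusion is intentional, the test dataset `wmic_classes/wmic_cmd.log` should show which parent it expects to match. Same "he detection" typo and `BlankGrabber Ransomware` story name as in the WinRAR detection.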
@@ -0,0 +1,47 @@ +browser_process_name,browser_process_path,is_valid_browser_path +"sputnik.exe","*sputnik\sputnik\application\sputnik.exe*",true +"chromeplus.exe","*maplestudio\chromeplus\application\chromeplus.exe*",true +"qip surf.exe","*qip surf\application\qip surf.exe*",true +"blackhawk.exe","*blackhawk\application\blackhawk.exe*",true +"7star.exe","*7star\7star\application\7star.exe*",true +"sleipnir5.exe","*fenrir inc\sleipnir5\sleipnir5.exe*",true +"citrio.exe","*catalinagroup\citrio\application\citrio.exe*",true +"chrome sxs.exe","*google\chrome sxs\application\chrome sxs.exe*",true +"chrome.exe","*google\chrome\application\chrome.exe*",true +"coowon.exe","*coowon\coowon\application\coowon.exe*",true +"coccocbrowser.exe","*coccoc\browser\application\coccocbrowser.exe*",true +"uran.exe","*ucozmedia\uran\application\uran.exe*",true +"qqbrowser.exe","*tencent\qqbrowser\application\qqbrowser.exe*",true +"orbitum.exe","*orbitum\application\orbitum.exe*",true +"slimjet.exe","*slimjet\application\slimjet.exe*",true +"iridium.exe","*iridium\application\iridium.exe*",true +"vivaldi.exe","*vivaldi\application\vivaldi.exe*",true +"chromium.exe","*chromium\application\chrome.exe*",true +"ghostbrowser.exe","*ghostbrowser\application\ghostbrowser.exe*",true +"centbrowser.exe","*centbrowser\application\centbrowser.exe*",true +"xvast.exe","*xvast\application\xvast.exe*",true +"chedot.exe","*chedot\application\chedot.exe*",true +"superbird.exe","*superbird\application\superbird.exe*",true +"360browser.exe","*360browser\browser\application\360browser.exe*",true +"360chrome.exe","*360chrome\chrome\application\360chrome.exe*",true +"dragon.exe","*comodo\dragon\application\dragon.exe*",true +"brave.exe","*bravesoftware\brave-browser\application\brave.exe*",true +"torch.exe","*torch\application\torch.exe*",true +"ucbrowser.exe","*ucbrowser\application\ucbrowser.exe*",true +"bliskbrowser.exe","*blisk\application\bliskbrowser.exe*",true +"epic privacy browser.exe","*epic privacy 
browser\application\epic privacy browser.exe*",true +"nichrome.exe","*nichrome\application\nichrome.exe*",true +"amigobrowser.exe","*amigo\application\amigobrowser.exe*",true +"kometabrowser.exe","*kometa\application\kometabrowser.exe*",true +"xpombrowser.exe","*xpom\application\xpombrowser.exe*",true +"msedge.exe","*microsoft\edge\application\msedge.exe*",true +"liebaobrowser.exe","*liebao7\application\liebaobrowser.exe*",true +"avastbrowser.exe","*avast software\browser\application\avastbrowser.exe*",true +"kinza.exe","*kinza\application\kinza.exe*",true +"seamonkey.exe","*mozilla\seamonkey\seamonkey.exe*",true +"icedragon.exe","*comodo\icedragon\icedragon.exe*",true +"cyberfox.exe","*8pecxstudios\cyberfox\cyberfox.exe*",true +"slimbrowser.exe","*flashpeak\slimbrowser\slimbrowser.exe*",true +"palemoon.exe","*moonchild productions\pale moon\palemoon.exe*",true +"opera.exe","*opera software\opera*\opera.exe*",true +"yandex.exe","*yandex\yandexbrowser\yandex.exe*",true diff --git a/lookups/browser_process_and_path.yml b/lookups/browser_process_and_path.yml new file mode 100644 index 0000000000..ee3fa12398 --- /dev/null +++ b/lookups/browser_process_and_path.yml @@ -0,0 +1,11 @@ +name: browser_process_and_path +date: 2025-03-09 +version: 1 +id: browser-process-and-path-lookup +author: Splunk Threat Research Team +lookup_type: csv +description: Legitimate browser process executable paths; used to filter out known browsers (e.g. when detecting hosts file access). +default_match: false +match_type: +- WILDCARD(browser_process_path) +case_sensitive_match: false diff --git a/stories/blankgrabber_stealer.yml b/stories/blankgrabber_stealer.yml new file mode 100644 index 0000000000..533cf6c590 --- /dev/null +++ b/stories/blankgrabber_stealer.yml 
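Review bot: the `chromium.exe` row pairs `browser_process_name` `chromium.exe` with the path `*chromium\application\chrome.exe*`, so the two columns disagree; since the hosts-file search matches only on `browser_process_path`, either fix the filename in the path or drop the unused name column. Every pattern starts with `*`, so a binary placed at any path ending in, say, `google\chrome\application\chrome.exe` (including a user-writable directory) is accepted as a legitimate browser; state in the description that this is a suffix allowlist rather than an installation-path allowlist, or anchor the patterns at the drive or `Program Files` level the way the WinRAR detection anchors its exclusion. In `browser_process_and_path.yml`, `date: 2025-03-09` is a year behind every other file in this patch (`2026-03-03`), and `id: browser-process-and-path-lookup` is not a UUID like the detection ids (PATCH 03 later replaces it).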
@@ -0,0 +1,18 @@ +name: BlackGrabber Stealer +id: 19342670-28e0-4efa-89d9-e709ba5534a4 +version: 1 +date: '2026-03-03' +author: Teoderick Contreras, Splunk +status: production +description: BlankGrabber is a Windows-based information-stealing malware typically distributed through phishing emails, malicious downloads, cracked software, and fake game cheats. Once executed, it harvests sensitive data such as saved browser passwords, cookies, autofill data, cryptocurrency wallet information, Discord tokens, and system details. Stolen data is commonly exfiltrated to attacker-controlled servers via webhooks or encrypted channels. BlankGrabber often includes basic anti-analysis and obfuscation techniques to evade detection. It poses significant risks to individuals and organizations by enabling account takeover, financial theft, and broader network compromise. +narrative: When BlankGrabber slips onto a system, it rarely announces itself. Disguised as cracked software, a game cheat, or an innocent attachment, it quietly installs and begins sifting through the victim’s digital life. Browsers yield saved passwords and cookies, cryptocurrency wallets expose valuable keys, and messaging apps hand over authentication tokens. In the background, the malware packages this information and transmits it to an attacker-controlled server, often using encrypted channels. With subtle persistence and basic anti-analysis tricks, BlankGrabber enables account takeovers, financial theft, and deeper compromise before the victim realizes anything is wrong. +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/py.blankgrabber +tags: + category: + - Malware + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file From 7c26102ad9010b6dd971c08859ef433948a2a7fa Mon Sep 17 00:00:00 2001 
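Review bot: `name: BlackGrabber Stealer` is a typo for BlankGrabber (the filename, `id` and description all say BlankGrabber); PATCH 04 corrects it, but the three detections tagged `BlankGrabber Ransomware` still will not resolve to this story under either name. The story lists only the Malpedia entry under `references` while the hosts-file and MpCmdRun detections cite `https://cert.gov.ua/article/6284730`; add it here so the story carries every source its detections use. Also "\ No newline at end of file" after the `usecase` line; add the trailing newline.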
From: Teoderick Contreras Date: Mon, 9 Mar 2026 13:37:53 +0100 Subject: [PATCH 02/13] blank_grabber --- lookups/browser_process_and_path.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lookups/browser_process_and_path.yml b/lookups/browser_process_and_path.yml index ee3fa12398..c2221896d7 100644 --- a/lookups/browser_process_and_path.yml +++ b/lookups/browser_process_and_path.yml @@ -4,8 +4,9 @@ version: 1 id: browser-process-and-path-lookup author: Splunk Threat Research Team lookup_type: csv -description: Legitimate browser process executable paths; used to filter out known browsers (e.g. when detecting hosts file access). +description: Legitimate browser process executable paths; used to filter out known browsers e.g. when detecting hosts file access. default_match: false match_type: - WILDCARD(browser_process_path) +min_matches: 1 case_sensitive_match: false From a05a1ef3b8d6e4e10331dd85098f80380e0cd19c Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 13:40:34 +0100 Subject: [PATCH 03/13] blank_grabber --- lookups/browser_process_and_path.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lookups/browser_process_and_path.yml b/lookups/browser_process_and_path.yml index c2221896d7..2b261020a9 100644 --- a/lookups/browser_process_and_path.yml +++ b/lookups/browser_process_and_path.yml @@ -1,7 +1,7 @@ name: browser_process_and_path date: 2025-03-09 version: 1 -id: browser-process-and-path-lookup +id: c35eb14c-2a12-4556-8c9d-d11e31c8915f author: Splunk Threat Research Team lookup_type: csv description: Legitimate browser process executable paths; used to filter out known browsers e.g. when detecting hosts file access. From a9923fc3f4a163f51ac748d6f317f170d9da3f2a Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 13:43:09 +0100 Subject: [PATCH 04/13] blank_grabber --- stories/blankgrabber_stealer.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
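Review bot: once PATCH 02 adds `min_matches: 1` next to `default_match: false`, a process_path with no row in the lookup already comes back as `is_valid_browser_path=false`, so the `coalesce(is_valid_browser_path,"false")` in the hosts file search becomes redundant; harmless, but decide which of the two is the contract and document it in the lookup description. PATCH 03 swaps the slug id for `c35eb14c-2a12-4556-8c9d-d11e31c8915f` but leaves `date: 2025-03-09` two lines above untouched; fix the year in the same change.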
diff --git a/stories/blankgrabber_stealer.yml b/stories/blankgrabber_stealer.yml index 533cf6c590..71bbad3c11 100644 --- a/stories/blankgrabber_stealer.yml +++ b/stories/blankgrabber_stealer.yml @@ -1,4 +1,4 @@ -name: BlackGrabber Stealer +name: BlankGrabber Stealer id: 19342670-28e0-4efa-89d9-e709ba5534a4 version: 1 date: '2026-03-03' From 30efc63b443ff4a4093bdcef8fc352a2c0501cb5 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 13:53:57 +0100 Subject: [PATCH 05/13] blank_grabber --- .../windows_dns_lookup_to_public_file_sharing_domain.yml | 6 +++--- detections/endpoint/windows_hosts_file_access.yml | 2 +- .../windows_mpcmdrun_removedefinitions_execution.yml | 2 +- detections/endpoint/windows_product_key_registry_query.yml | 2 +- ...nrar_launched_outside_default_installation_directory.yml | 2 +- .../endpoint/windows_wmi_reconnaissance_class_query.yml | 2 +- 6 files changed, 8 insertions(+), 8 deletions(-) diff --git a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml index eabe84b6f2..c8849f05d0 100644 --- a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml +++ b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml 
@@ -8,7 +8,7 @@ type: Anomaly description: This Analytics detects DNS queries to public file sharing domains, such as api.anonfiles.com and api.gofile.io. These services allow users to anonymously upload and distribute files, which can be abused by threat actors for data exfiltration, malware staging, or command-and-control communications. Monitoring DNS requests to these domains helps identify potentially unauthorized data transfers or suspicious outbound activity. While legitimate use may exist, such queries originating from servers, restricted systems, or non-browser processes should be investigated to determine whether sensitive data is being staged or transmitted externally. data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*api.anonfiles.com", "*api.gofile.io") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' +search: '`sysmon` EventCode=22 QueryName IN ("*api.anonfiles.com", "*api.gofile.io") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. known_false_positives: No false positives have been identified at this time. references: @@ -23,7 +23,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: A process [$process_name$] made a DNS query for [$QueryName$] from host [$dest$]. + message: A process [$process_name$] made a DNS query for [$QueryName$] from host [$dvc$]. risk_objects: - field: dest type: system @@ -33,7 +33,7 @@ rba: type: process_name tags: analytic_story: - - Lokibot + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1071.004 diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml index 4c60411f0b..0a4357c609 100644 --- a/detections/endpoint/windows_hosts_file_access.yml +++ b/detections/endpoint/windows_hosts_file_access.yml 
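Review bot: the three hunks to windows_dns_lookup_to_public_file_sharing_domain.yml disagree about the host field: `dest` is appended to the `stats ... BY` clause, the rba message is switched to `[$dvc$]`, but `risk_objects` still reads `field: dest`, so the risk event would be built on a field the message no longer shows (PATCH 08 later settles on `dvc` throughout; pick one here and drop the intermediate state). Two copy-paste leftovers in the unchanged context should go as well: `how_to_implement` ends with 'Tune and filter known instances where renamed rundll32.exe may be used', which has nothing to do with Sysmon EventID 22 DNS queries, and `known_false_positives: No false positives have been identified at this time` contradicts the description's own 'While legitimate use may exist'. The analytic_story change from `Lokibot` to `BlankGrabber Stealer` (and the `BlankGrabber Ransomware` to `BlankGrabber Stealer` fixes that follow for the mpcmdrun, WinRAR and WMI detections) is correct; it just confirms PATCH 01 was tagged by copy-paste.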
@@ -7,7 +7,7 @@ status: production type: Anomaly description: This Analytics detects the execution of a process attempting to access the hosts file. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures. Hosts file is a critical file for network configuration and DNS resolution. If an attacker gains access to the hosts file, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites. data_source: - - Windows Security 4663 + - Windows Event Log Security 4663 search: '`wineventlog_security` EventCode=4663 object_file_path="*:\\Windows\\System32\\drivers\\etc\\hosts" AND NOT ( process_path IN ( "*:\\Windows\\System32\\svchost.exe", "*:\\Windows\\SysWow64\\svchost.exe", "*:\\Windows\\System32\\lsass.exe", "*:\\Windows\\SysWow64\\lsass.exe", "*:\\Windows\\System32\\services.exe", "*:\\Windows\\SysWow64\\services.exe", "*:\\Windows\\System32\\SearchIndexer.exe", "*:\\Windows\\SysWow64\\SearchIndexer.exe", "*:\\Windows\\explorer.exe" )) | stats count by _time object_file_path object_file_name dest process_name process_path process_id EventCode | eval process_path = lower(process_path) | lookup browser_process_and_path browser_process_path as process_path OUTPUT is_valid_browser_path | eval is_valid_browser_path=coalesce(is_valid_browser_path,"false") | where is_valid_browser_path = "false" | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_hosts_file_access_filter`' diff --git a/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml index fb5aa81148..1e527e9b14 100644 --- a/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml +++ b/detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml 
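Review bot: the search in windows_hosts_file_access.yml calls `security_content_ctime(firstTime)` and `security_content_ctime(lastTime)` on fields nothing produces: `stats count by _time object_file_path ...` emits only `count` plus the BY fields, and keeping `_time` in the BY clause also means practically one row per event. Change the aggregation to `stats count min(_time) as firstTime max(_time) as lastTime by object_file_path object_file_name dest process_name process_path process_id EventCode` (dropping `_time`), or remove the two ctime macros. The data_source rename to `Windows Event Log Security 4663` is fine.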
@@ -51,7 +51,7 @@ rba: type: process_name tags: analytic_story: - - BlankGrabber Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_product_key_registry_query.yml b/detections/endpoint/windows_product_key_registry_query.yml index 377555c0a3..9a764b3a12 100644 --- a/detections/endpoint/windows_product_key_registry_query.yml +++ b/detections/endpoint/windows_product_key_registry_query.yml @@ -7,7 +7,7 @@ status: production type: Anomaly description: This Analytics detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures or data exfiltration. data_source: - - Windows Security 4663 + - Windows Event Log Security 4663 search: '`wineventlog_security` EventCode=4663 object_file_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform" by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_product_key_registry_query_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. known_false_positives: Administrator may access this registry for product key recovery purposes. diff --git a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml index 7baa8b0575..fdb586dee4 100644 --- a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml 
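Review bot: the search in windows_product_key_registry_query.yml has no aggregation command: the filter on `object_file_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform"` is followed directly by `by object_file_name object_file_path ...`, which is not valid SPL, and the `security_content_ctime(firstTime)` / `security_content_ctime(lastTime)` macros that follow reference fields nothing computes. PATCH 08 inserts the missing `| stats count min(_time) as firstTime max(_time) as lastTime`; squash that into this commit so no intermediate revision ships a broken search. The `how_to_implement` text also says 'This search may trigger on a browser application that is not included in the browser_app_list lookup file', which belongs to the hosts file detection and names a lookup (`browser_app_list`) that this series actually defines as `browser_process_and_path`.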
+++ b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml @@ -53,7 +53,7 @@ rba: type: process_path tags: analytic_story: - - BlankGrabber Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1047 diff --git a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml index 7f59d200ea..4ce84076b8 100644 --- a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml +++ b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml @@ -55,7 +55,7 @@ rba: type: process_name tags: analytic_story: - - BlankGrabber Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1047 From 693cc2a618e41869c09626f14c66a5e7fd6c70e4 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 13:58:29 +0100 Subject: [PATCH 06/13] blank_grabber --- detections/endpoint/windows_hosts_file_access.yml | 2 +- detections/endpoint/windows_product_key_registry_query.yml | 2 +- ...s_winrar_launched_outside_default_installation_directory.yml | 2 -- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/windows_hosts_file_access.yml b/detections/endpoint/windows_hosts_file_access.yml index 0a4357c609..7ee8105b0c 100644 --- a/detections/endpoint/windows_hosts_file_access.yml +++ b/detections/endpoint/windows_hosts_file_access.yml @@ -25,7 +25,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: a [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$] by [$user$] . + message: a [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$]. risk_objects: - field: dest type: system diff --git a/detections/endpoint/windows_product_key_registry_query.yml b/detections/endpoint/windows_product_key_registry_query.yml index 9a764b3a12..65b715cb55 100644 
--- a/detections/endpoint/windows_product_key_registry_query.yml +++ b/detections/endpoint/windows_product_key_registry_query.yml @@ -23,7 +23,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: a [$process_name$] attempting to access the registry on [$dest$] by [$user$] . + message: a [$process_name$] attempting to access the registry on [$dest$]. risk_objects: - field: dest type: system diff --git a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml index fdb586dee4..f77a1bdfc8 100644 --- a/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml +++ b/detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml @@ -49,8 +49,6 @@ rba: type: parent_process_name - field: process_name type: process_name - - field: process_path - type: process_path tags: analytic_story: - BlankGrabber Stealer From 019206184faaad0af66da984c002c96995d7fa14 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 14:14:11 +0100 Subject: [PATCH 07/13] blank_grabber --- detections/endpoint/windows_wmi_reconnaissance_class_query.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml index 4ce84076b8..57fbb87d27 100644 --- a/detections/endpoint/windows_wmi_reconnaissance_class_query.yml +++ b/detections/endpoint/windows_wmi_reconnaissance_class_query.yml 
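Review bot: dropping `by [$user$]` from the rba messages in windows_hosts_file_access.yml and windows_product_key_registry_query.yml is consistent with neither search carrying `user` through its `stats ... by` clause, but the analyst then loses the subject account for a 4663 event, which is usually the first thing asked; if it is wanted, add `user` to the BY clause and keep the token rather than removing it. Removing the `process_path` threat object from the WinRAR detection is fine since `process_name` remains as a threat object.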
@@ -13,7 +13,7 @@ data_source: search: |- | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes - where Processes.parent_process_path NOT IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*:\\Program Files\\*", "*:\\Program Files (x86)\\*") + where (NOT (Processes.parent_process_path IN ("*\\Windows\\System32\\*", "*\\Windows\\SysWOW64\\*", "*:\\Program Files\\*", "*:\\Program Files (x86)\\*")) OR Processes.parent_process_name IN("cmd.exe", "powershell*", "pwsh*")) AND Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe" AND Processes.process IN ("*Win32_Bios*", "*Win32_OperatingSystem*", "*Win32_Processor*", "*Win32_PnPEntity*", "*Win32_ShadowCopy*", "*Win32_DiskDrive*", "*Win32_PhysicalMemory*", "*Win32_BaseBoard*", "*Win32_DisplayConfiguration*", "*win32_VideoController*", "*win32_shortcutfile*", "*csproduct*") From d776df2f6a6d36ae297a6827577623dcf84d16c1 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Mar 2026 15:00:50 +0100 Subject: [PATCH 08/13] blank_grabber --- .../windows_dns_lookup_to_public_file_sharing_domain.yml | 4 ++-- detections/endpoint/windows_product_key_registry_query.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml index c8849f05d0..fa949b759b 100644 --- a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml +++ b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml 
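Review bot: the rewritten `where` clause in windows_wmi_reconnaissance_class_query.yml has an operator-precedence bug. In SPL `AND` binds tighter than `OR`, so `(...) AND Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe" AND Processes.process IN (...)` parses as `((parent condition) AND process_name = "wmic.exe") OR (original_file_name = "wmic.exe" AND process IN (...))`: any wmic.exe satisfying the parent condition matches regardless of which WMI class was queried, and any process whose original_file_name is wmic.exe matches the class list regardless of parent. Group the two name tests: `... AND (Processes.process_name = "wmic.exe" OR Processes.original_file_name = "wmic.exe") AND Processes.process IN (...)`. The parent condition itself (outside System32/SysWOW64/Program Files, or a cmd.exe/powershell/pwsh parent) reads as intended.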
@@ -8,7 +8,7 @@ type: Anomaly description: This Analytics detects DNS queries to public file sharing domains, such as api.anonfiles.com and api.gofile.io. These services allow users to anonymously upload and distribute files, which can be abused by threat actors for data exfiltration, malware staging, or command-and-control communications. Monitoring DNS requests to these domains helps identify potentially unauthorized data transfers or suspicious outbound activity. While legitimate use may exist, such queries originating from servers, restricted systems, or non-browser processes should be investigated to determine whether sensitive data is being staged or transmitted externally. data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*api.anonfiles.com", "*api.gofile.io") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' +search: '`sysmon` EventCode=22 QueryName IN ("*api.anonfiles.com", "*api.gofile.io") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. 
If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. known_false_positives: No false positives have been identified at this time. references: @@ -25,7 +25,7 @@ drilldown_searches: rba: message: A process [$process_name$] made a DNS query for [$QueryName$] from host [$dvc$]. risk_objects: - - field: dest + - field: dvc type: system score: 50 threat_objects: diff --git a/detections/endpoint/windows_product_key_registry_query.yml b/detections/endpoint/windows_product_key_registry_query.yml index 65b715cb55..dabb6a0b49 100644 --- a/detections/endpoint/windows_product_key_registry_query.yml +++ b/detections/endpoint/windows_product_key_registry_query.yml 
@@ -8,7 +8,7 @@ type: Anomaly description: This Analytics detects the execution of a process attempting to access the registry for product key recovery purposes. This behavior is significant as it indicates potential malware activity or attempts to bypass security measures or data exfiltration. data_source: - Windows Event Log Security 4663 -search: '`wineventlog_security` EventCode=4663 object_file_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform" by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_product_key_registry_query_filter`' +search: '`wineventlog_security` EventCode=4663 object_file_path="*\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SoftwareProtectionPlatform" | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_product_key_registry_query_filter`' how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file. known_false_positives: Administrator may access this registry for product key recovery purposes. references: From e5566f7f824f9b26abe10925f2e2cbf175cdcb51 Mon Sep 17 00:00:00 2001 
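Review bot: the DNS detection now keys the host consistently on `dvc` (`dest` removed from `stats ... BY`, `risk_objects` field `dvc`, message `[$dvc$]`), which resolves the mismatch PATCH 05 introduced; the PATCH 05 hunks to this file should simply be dropped from the series. The `stats count min(_time) as firstTime max(_time) as lastTime by ...` fix for windows_product_key_registry_query.yml makes that search valid, but the `how_to_implement` sentence about the `browser_app_list` lookup is still present in the context lines and still does not apply to this detection.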
From: Teoderick Contreras Date: Tue, 10 Mar 2026 11:43:29 +0100 Subject: [PATCH 09/13] blank_grabber --- ..._mshtml_or_mshta_network_execution_without_url_in_cli.yml | 3 ++- ...o_nvm___suspicious_download_from_file_sharing_website.yml | 3 ++- ...o_nvm___suspicious_file_download_via_headless_browser.yml | 3 ++- ...uspicious_network_connection_to_ip_lookup_service_api.yml | 3 ++- detections/endpoint/detect_mshta_inline_hta_execution.yml | 3 ++- .../disable_defender_submit_samples_consent_feature.yml | 3 ++- detections/endpoint/disable_windows_behavior_monitoring.yml | 3 ++- detections/endpoint/excessive_usage_of_taskkill.yml | 3 ++- detections/endpoint/fodhelper_uac_bypass.yml | 3 ++- ...alicious_powershell_process___execution_policy_bypass.yml | 3 ++- .../non_chrome_process_accessing_chrome_default_dir.yml | 3 ++- .../non_firefox_process_access_firefox_profile_dir.yml | 3 ++- .../potential_telegram_api_request_via_commandline.yml | 3 ++- .../endpoint/powershell_disable_security_monitoring.yml | 3 ++- .../powershell_windows_defender_exclusion_commands.yml | 3 ++- .../process_creating_lnk_file_in_suspicious_location.yml | 3 ++- detections/endpoint/recon_using_wmi_class.yml | 3 ++- .../endpoint/system_information_discovery_detection.yml | 3 ++- ...s_boot_or_logon_autostart_execution_in_startup_folder.yml | 3 ++- .../endpoint/windows_clipboard_data_via_get_clipboard.yml | 3 ++- ...windows_cmdline_tool_execution_from_non_shell_process.yml | 3 ++- .../endpoint/windows_computerdefaults_spawning_a_process.yml | 3 ++- ...windows_credential_access_from_browser_password_store.yml | 3 ++- ...ntials_from_password_stores_chrome_copied_in_temp_dir.yml | 3 ++- ...dentials_from_password_stores_chrome_extension_access.yml | 3 ++- ...entials_from_password_stores_chrome_localstate_access.yml | 3 ++- ...entials_from_password_stores_chrome_login_data_access.yml | 3 ++- .../windows_disable_or_modify_tools_via_taskkill.yml | 3 ++- .../endpoint/windows_disable_or_stop_browser_process.yml | 
3 ++- ...ows_eventlog_recon_activity_using_log_query_utilities.yml | 3 ++- ...ndows_impair_defense_disable_controlled_folder_access.yml | 3 ++- ...mpair_defense_disable_win_defender_network_protection.yml | 3 ++- .../windows_non_discord_app_access_discord_leveldb.yml | 3 ++- .../endpoint/windows_screen_capture_via_powershell.yml | 5 +++-- .../windows_system_network_connections_discovery_netsh.yml | 3 ++- detections/endpoint/windows_time_based_evasion.yml | 3 ++- detections/endpoint/windows_wmic_systeminfo_discovery.yml | 3 ++- ...suspicious_process_dns_query_known_abuse_web_services.yml | 3 ++- .../network/suspicious_process_with_discord_dns_query.yml | 3 ++- detections/network/windows_abused_web_services.yml | 3 ++- .../windows_dns_query_request_by_telegram_bot_api.yml | 3 ++- ...her_victim_network_info_through_ip_check_web_services.yml | 3 ++- 42 files changed, 85 insertions(+), 43 deletions(-) diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml index 83ed7414f7..51c6baf24b 100644 --- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml +++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml @@ -1,6 +1,6 @@ name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e -version: 4 +version: 5 date: '2026-03-10' author: Nasreddine Bencherchali, Splunk status: production @@ -83,6 +83,7 @@ rba: tags: analytic_story: - Cisco Network Visibility Module Analytics + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml index efdb37db50..16e4a22128 100644 
--- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml @@ -1,6 +1,6 @@ name: Cisco NVM - Suspicious Download From File Sharing Website id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7 -version: 5 +version: 6 date: '2026-03-10' author: Nasreddine Bencherchali, Splunk status: production @@ -94,6 +94,7 @@ tags: analytic_story: - APT37 Rustonotto and FadeStealer - Cisco Network Visibility Module Analytics + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1197 diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml index c897513dab..48fb4ac407 100644 --- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml +++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml @@ -1,6 +1,6 @@ name: Cisco NVM - Suspicious File Download via Headless Browser id: cd0e816f-f67d-4dbe-a153-480b546e867e -version: 4 +version: 5 date: '2026-03-10' author: Nasreddine Bencherchali, Splunk status: production @@ -111,6 +111,7 @@ rba: tags: analytic_story: - Cisco Network Visibility Module Analytics + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml index 7af8728791..3e66a65e30 100644 --- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml +++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml 
@@ -1,6 +1,6 @@ name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f -version: 6 +version: 7 date: '2026-03-10' author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe status: production @@ -88,6 +88,7 @@ tags: analytic_story: - Cisco Network Visibility Module Analytics - Castle RAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1590.005 diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 1aa9410385..f411285702 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -1,6 +1,6 @@ name: Detect mshta inline hta execution id: a0873b32-5b68-11eb-ae93-0242ac130002 -version: 20 +version: 21 date: '2026-03-10' author: Bhavin Patel, Michael Haag, Splunk status: production @@ -66,6 +66,7 @@ tags: - Suspicious MSHTA Activity - XWorm - APT37 Rustonotto and FadeStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index b1bbd449ac..8b86ab51b7 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -1,6 +1,6 @@ name: Disable Defender Submit Samples Consent Feature id: 73922ff8-3022-11ec-bf5e-acde48001122 -version: 12 +version: 13 date: '2026-03-10' author: Teoderick Contreras, Splunk, Steven Dick status: production @@ -38,6 +38,7 @@ tags: - CISA AA23-347A - IcedID - Windows Registry Abuse + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 321a6fc081..16588899e1 100644 
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,6 +1,6 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 20 +version: 21 date: '2026-03-10' author: Teoderick Contreras, Splunk, Steven Dick status: production @@ -44,6 +44,7 @@ tags: - Scattered Lapsus$ Hunters - NetSupport RMM Tool Abuse - Storm-0501 Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index d0f66bd254..b496ad57c5 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -1,6 +1,6 @@ name: Excessive Usage Of Taskkill id: fe5bca48-accb-11eb-a67c-acde48001122 -version: 11 +version: 12 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -52,6 +52,7 @@ tags: - CISA AA22-264A - XMRig - Crypto Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 1c713e9a9c..135e7f6611 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -1,6 +1,6 @@ name: FodHelper UAC Bypass id: 909f8fd8-7ac8-11eb-a1f3-acde48001122 -version: 13 +version: 14 date: '2026-03-10' author: Michael Haag, Splunk status: production @@ -58,6 +58,7 @@ tags: - ValleyRAT - Compromised Windows Host - Windows Defense Evasion Tactics + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1112 diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 9c60b80ece..7dd695348f 100644 
--- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -1,6 +1,6 @@ name: Malicious PowerShell Process - Execution Policy Bypass id: 9be56c82-b1cc-4318-87eb-d138afaaca39 -version: 18 +version: 19 date: '2026-03-10' author: Rico Valdez, Mauricio Velazco, Splunk status: production @@ -58,6 +58,7 @@ tags: - DarkCrystal RAT - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 5bd341fba4..ad9ea22a08 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -1,6 +1,6 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 15 +version: 16 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -48,6 +48,7 @@ tags: - Snake Keylogger - China-Nexus Threat Activity - Lokibot + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 0a89dece8f..561cc93cbd 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -1,6 +1,6 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 15 +version: 16 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production 
@@ -50,6 +50,7 @@ tags: - China-Nexus Threat Activity - 0bj3ctivity Stealer - Lokibot + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml index 6381e8bd30..e34a1db987 100644 --- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml +++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml @@ -1,6 +1,6 @@ name: Potential Telegram API Request Via CommandLine id: d6b0d627-d0bf-46b1-936f-c48284767d21 -version: 8 +version: 9 date: '2026-03-10' author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa status: production @@ -55,6 +55,7 @@ tags: - Water Gamayun - 0bj3ctivity Stealer - Hellcat Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1102.002 diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index 48adf72d39..35a9ab2fbf 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml @@ -1,6 +1,6 @@ name: Powershell Disable Security Monitoring id: c148a894-dd93-11eb-bf2a-acde48001122 -version: 13 +version: 14 date: '2026-03-10' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production @@ -112,6 +112,7 @@ tags: - Ransomware - Revil Ransomware - CISA AA24-241A + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index b73cfd05f8..bbb9c46f9f 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml 
@@ -1,6 +1,6 @@ name: Powershell Windows Defender Exclusion Commands id: 907ac95c-4dd9-11ec-ba2c-acde48001122 -version: 12 +version: 13 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -55,6 +55,7 @@ tags: - WhisperGate - Warzone RAT - NetSupport RMM Tool Abuse + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index 023180bcdf..2c7a077391 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -1,6 +1,6 @@ name: Process Creating LNK file in Suspicious Location id: 5d814af1-1041-47b5-a9ac-d754e82e9a26 -version: 15 +version: 16 date: '2026-03-10' author: Jose Hernandez, Michael Haag, Splunk status: production @@ -93,6 +93,7 @@ tags: - Amadey - Gozi Malware - APT37 Rustonotto and FadeStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1566.002 diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 347a4b7ae6..47a5589a7d 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -1,6 +1,6 @@ name: Recon Using WMI Class id: 018c1972-ca07-11eb-9473-acde48001122 -version: 13 +version: 14 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -63,6 +63,7 @@ tags: - Qakbot - Industroyer2 - Scattered Spider + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1592 diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 7f7c154094..90d491e4f2 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml 
@@ -1,6 +1,6 @@ name: System Information Discovery Detection id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72 -version: 14 +version: 15 date: '2026-03-10' author: Patrick Bareiss, Splunk status: production @@ -45,6 +45,7 @@ tags: - Interlock Ransomware - LAMEHUG - NetSupport RMM Tool Abuse + - BlankGrabber Stealer asset_type: Windows mitre_attack_id: - T1082 diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index 6493da06a3..a4d737c3e3 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -1,6 +1,6 @@ name: Windows Boot or Logon Autostart Execution In Startup Folder id: 99d157cb-923f-4a00-aee9-1f385412146f -version: 13 +version: 14 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -47,6 +47,7 @@ tags: - Interlock Ransomware - APT37 Rustonotto and FadeStealer - PromptFlux + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index b3a1f07543..f4f1289811 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml @@ -1,6 +1,6 @@ name: Windows ClipBoard Data via Get-ClipBoard id: ab73289e-2246-4de0-a14b-67006c72a893 -version: 9 +version: 11 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -49,6 +49,7 @@ tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1115 
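Review bot: the version bump in windows_clipboard_data_via_get_clipboard.yml goes from 9 to 11, while every other detection in this patch is bumped by exactly one (15 -> 16, 13 -> 14, and so on); windows_disable_or_stop_browser_process.yml later in the same patch has the identical 9 -> 11 jump. Unless a version 10 of these two detections was published somewhere outside this series, change both hunks to `+version: 10` so the numbering stays monotonic with the rest of the content library.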
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index 869d432f9a..f6e5b58d16 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -1,6 +1,6 @@ name: Windows Cmdline Tool Execution From Non-Shell Process id: 2afa393f-b88d-41b7-9793-623c93a2dfde -version: 10 +version: 11 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -54,6 +54,7 @@ tags: - Water Gamayun - Tuoni - SolarWinds WHD RCE Post Exploitation + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.007 diff --git a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml index 3a31d3f43f..ec8dc7a50e 100644 --- a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml +++ b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml @@ -1,6 +1,6 @@ name: Windows ComputerDefaults Spawning a Process id: 697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6 -version: 4 +version: 5 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -47,6 +47,7 @@ rba: tags: analytic_story: - Castle RAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1548.002 diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 9ccbfbabe7..44ea4a4231 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml 
@@ -1,6 +1,6 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 -version: 18 +version: 19 date: '2026-03-10' author: Teoderick Contreras, Bhavin Patel Splunk data_source: @@ -47,6 +47,7 @@ tags: - Scattered Spider - 0bj3ctivity Stealer - Scattered Lapsus$ Hunters + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 959681d1e4..1fb9d76ffe 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir id: 4d14c86d-fdee-4393-94da-238d2706902f -version: 8 +version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk data_source: @@ -34,6 +34,7 @@ tags: analytic_story: - Braodo Stealer - Scattered Lapsus$ Hunters + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 7cc7024fe9..8614a0392b 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome Extension Access id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af -version: 10 +version: 11 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -42,6 +42,7 @@ tags: - Braodo Stealer - MoonPeak - 0bj3ctivity Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 94938fe225..b24710c55f 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 18 +version: 19 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -52,6 +52,7 @@ tags: - 0bj3ctivity Stealer - Lokibot - Scattered Lapsus$ Hunters + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 4a7c8c5929..79c8c486bc 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,6 +1,6 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 18 +version: 19 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -52,6 +52,7 @@ tags: - 0bj3ctivity Stealer - Lokibot - Scattered Lapsus$ Hunters + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index 4b424e0cf4..90cf805b61 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml 
@@ -1,6 +1,6 @@ name: Windows Disable or Modify Tools Via Taskkill id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0 -version: 11 +version: 12 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -51,6 +51,7 @@ tags: - PXA Stealer - NjRAT - Crypto Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 2c34396dc9..32667eabd8 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml @@ -1,6 +1,6 @@ name: Windows Disable or Stop Browser Process id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5 -version: 9 +version: 11 date: '2026-03-10' author: Teoderick Contreras, Splunk data_source: @@ -52,6 +52,7 @@ tags: - Scattered Lapsus$ Hunters - Hellcat Ransomware - Castle RAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml index 7f60af1356..16aa626f9c 100644 --- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml +++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml @@ -1,6 +1,6 @@ name: Windows EventLog Recon Activity Using Log Query Utilities id: dc167f8b-3f9d-4460-9c98-8b6e703fd628 -version: 5 +version: 6 date: '2026-03-10' author: Nasreddine Bencherchali, Splunk status: production @@ -106,6 +106,7 @@ rba: tags: analytic_story: - Windows Discovery Techniques + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1654 diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 0eefcb8797..246bea562d 100644 
--- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml @@ -1,6 +1,6 @@ name: Windows Impair Defense Disable Controlled Folder Access id: 3032741c-d6fc-4c69-8988-be8043d6478c -version: 8 +version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -34,6 +34,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index b41be54166..c3e6f60d18 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -1,6 +1,6 @@ name: Windows Impair Defense Disable Win Defender Network Protection id: 8b6c15c7-5556-463d-83c7-986326c21f12 -version: 9 +version: 10 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -35,6 +35,7 @@ tags: - Windows Defense Evasion Tactics - Windows Registry Abuse - Scattered Lapsus$ Hunters + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 57f80d4573..9d8e3d3ccf 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -1,6 +1,6 @@ name: Windows Non Discord App Access Discord LevelDB id: 1166360c-d495-45ac-87a6-8948aac1fa07 -version: 8 +version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk data_source: 
@@ -34,6 +34,7 @@ tags: - StealC Stealer - Snake Keylogger - PXA Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index a753de9117..6abb74cf82 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -1,6 +1,6 @@ name: Windows Screen Capture Via Powershell id: 5e0b1936-8f99-4399-8ee2-9edc5b32e170 -version: 12 +version: 13 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -9,7 +9,7 @@ data_source: - Powershell Script Block Logging 4104 description: The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation. search: |- - `powershell` EventCode=4104 ScriptBlockText = "*[Drawing.Graphics]::FromImage(*" AND ScriptBlockText = "*New-Object Drawing.Bitmap*" AND ScriptBlockText = "*.CopyFromScreen*" + `powershell` EventCode=4104 ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*, "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime BY dest signature signature_id @@ -46,6 +46,7 @@ tags: - APT37 Rustonotto and FadeStealer - Winter Vivern - Water Gamayun + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1113 
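Review bot: the rewritten search in windows_screen_capture_via_powershell.yml is not valid SPL as written: the second element of the IN list, `"*Drawing.Bitmap*,`, is missing its closing double quote, so the parser will treat `, "*Graphics.FromImage*")` as part of that string and the search will either fail to parse or match nothing. The line should read `ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*", "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*"`. Note also that the change relaxes the old requirement that FromImage and Drawing.Bitmap both appear into an OR of three patterns, with `*.CopyFromScreen*` as the only mandatory term; that is a sensible anchor since CopyFromScreen is the call that actually captures pixels, but the unchanged description and known_false_positives should be re-read against the wider match. The PATCH 10/13 summary shows a further 24 changed lines in this file, so whichever version lands should be re-checked for the quote.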
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index bf1e45869d..3a71d6c679 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -1,6 +1,6 @@ name: Windows System Network Connections Discovery Netsh id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca -version: 8 +version: 9 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -51,6 +51,7 @@ tags: - Windows Post-Exploitation - Prestige Ransomware - Snake Keylogger + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1049 diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index f8160a94c0..f2859f16a3 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -1,6 +1,6 @@ name: Windows Time Based Evasion id: 34502357-deb1-499a-8261-ffe144abf561 -version: 11 +version: 12 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -48,6 +48,7 @@ rba: tags: analytic_story: - NjRAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1497.003 diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml index e6a5203ce4..8c40fda1a2 100644 --- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml +++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml @@ -1,6 +1,6 @@ name: Windows Wmic Systeminfo Discovery id: 97937ece-cb13-4dbc-9684-c0dc3afd400a -version: 3 +version: 4 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -54,6 +54,7 @@ rba: tags: analytic_story: - LAMEHUG + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1082 
diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index c5d287ba50..50742de7cd 100644 --- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -1,6 +1,6 @@ name: Suspicious Process DNS Query Known Abuse Web Services id: 3cf0dc36-484d-11ec-a6bc-acde48001122 -version: 15 +version: 16 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -45,6 +45,7 @@ tags: - Cactus Ransomware - Braodo Stealer - RedLine Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml index 4029cf5ea4..fb17f02847 100644 --- a/detections/network/suspicious_process_with_discord_dns_query.yml +++ b/detections/network/suspicious_process_with_discord_dns_query.yml @@ -1,6 +1,6 @@ name: Suspicious Process With Discord DNS Query id: 4d4332ae-792c-11ec-89c1-acde48001122 -version: 11 +version: 12 date: '2026-03-10' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production @@ -39,6 +39,7 @@ tags: - WhisperGate - PXA Stealer - Cactus Ransomware + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml index 1d5b6bdf73..a01cfc23f0 100644 --- a/detections/network/windows_abused_web_services.yml +++ b/detections/network/windows_abused_web_services.yml @@ -1,6 +1,6 @@ name: Windows Abused Web Services id: 01f0aef4-8591-4daa-a53d-0ed49823b681 -version: 10 +version: 11 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production 
@@ -47,6 +47,7 @@ tags: - NjRAT - CISA AA24-241A - Malicious Inno Setup Loader + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1102 diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml index 0c7d614d5d..638a15ecfc 100644 --- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml +++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml @@ -1,6 +1,6 @@ name: Windows DNS Query Request by Telegram Bot API id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e -version: 7 +version: 8 date: '2026-03-10' author: Teoderick Contreras, Splunk data_source: @@ -44,6 +44,7 @@ tags: analytic_story: - Crypto Stealer - 0bj3ctivity Stealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1071.004 diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml index 13ae9ee3ef..8283f7d88e 100644 --- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -1,6 +1,6 @@ name: Windows Gather Victim Network Info Through Ip Check Web Services id: 70f7c952-0758-46d6-9148-d8969c4481d1 -version: 17 +version: 18 date: '2026-03-10' author: Teoderick Contreras, Splunk status: production @@ -55,6 +55,7 @@ tags: - Quasar RAT - 0bj3ctivity Stealer - Castle RAT + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1590.005 From da0c142c6136319433c5f5e06340c62864cc592e Mon Sep 17 00:00:00 2001 
From: Teoderick Contreras Date: Tue, 10 Mar 2026 11:50:35 +0100 Subject: [PATCH 10/13] blank_grabber --- ...a_network_execution_without_url_in_cli.yml | 2 +- ...ous_download_from_file_sharing_website.yml | 2 +- ...ous_file_download_via_headless_browser.yml | 2 +- ...rk_connection_to_ip_lookup_service_api.yml | 2 +- .../detect_mshta_inline_hta_execution.yml | 2 +- ...efender_submit_samples_consent_feature.yml | 2 +- .../disable_windows_behavior_monitoring.yml | 2 +- .../endpoint/excessive_usage_of_taskkill.yml | 2 +- detections/endpoint/fodhelper_uac_bypass.yml | 2 +- ...hell_process___execution_policy_bypass.yml | 2 +- ...e_process_accessing_chrome_default_dir.yml | 2 +- ...fox_process_access_firefox_profile_dir.yml | 2 +- ...l_telegram_api_request_via_commandline.yml | 2 +- ...powershell_disable_security_monitoring.yml | 2 +- ...ll_windows_defender_exclusion_commands.yml | 2 +- ...eating_lnk_file_in_suspicious_location.yml | 2 +- detections/endpoint/recon_using_wmi_class.yml | 2 +- ...system_information_discovery_detection.yml | 2 +- ..._autostart_execution_in_startup_folder.yml | 2 +- ...ndows_clipboard_data_via_get_clipboard.yml | 2 +- ..._tool_execution_from_non_shell_process.yml | 2 +- ...ws_computerdefaults_spawning_a_process.yml | 2 +- ...ial_access_from_browser_password_store.yml | 2 +- ...sword_stores_chrome_copied_in_temp_dir.yml | 2 +- ...assword_stores_chrome_extension_access.yml | 2 +- ...ssword_stores_chrome_localstate_access.yml | 2 +- ...ssword_stores_chrome_login_data_access.yml | 2 +- ...s_disable_or_modify_tools_via_taskkill.yml | 2 +- ...indows_disable_or_stop_browser_process.yml | 2 +- ...con_activity_using_log_query_utilities.yml | 2 +- ...fense_disable_controlled_folder_access.yml | 2 +- ...isable_win_defender_network_protection.yml | 2 +- ...non_discord_app_access_discord_leveldb.yml | 2 +- .../windows_screen_capture_via_powershell.yml | 24 +++++++++---------- ...em_network_connections_discovery_netsh.yml | 2 +- 
.../endpoint/windows_time_based_evasion.yml | 2 +- .../windows_wmic_systeminfo_discovery.yml | 2 +- ...ess_dns_query_known_abuse_web_services.yml | 2 +- ...picious_process_with_discord_dns_query.yml | 2 +- .../network/windows_abused_web_services.yml | 2 +- ..._dns_query_request_by_telegram_bot_api.yml | 2 +- ...ork_info_through_ip_check_web_services.yml | 2 +- 42 files changed, 53 insertions(+), 53 deletions(-) diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml index 51c6baf24b..1101262170 100644 --- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml +++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml @@ -83,7 +83,7 @@ rba: tags: analytic_story: - Cisco Network Visibility Module Analytics - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml index 16e4a22128..1d50c69417 100644 --- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml @@ -94,7 +94,7 @@ tags: analytic_story: - APT37 Rustonotto and FadeStealer - Cisco Network Visibility Module Analytics - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1197 diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml index 48fb4ac407..2762d76a6e 100644 --- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml 
+++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml @@ -111,7 +111,7 @@ rba: tags: analytic_story: - Cisco Network Visibility Module Analytics - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml index 3e66a65e30..484025a1cc 100644 --- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml +++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml @@ -88,7 +88,7 @@ tags: analytic_story: - Cisco Network Visibility Module Analytics - Castle RAT - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1590.005 diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index f411285702..5839ca160d 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -66,7 +66,7 @@ tags: - Suspicious MSHTA Activity - XWorm - APT37 Rustonotto and FadeStealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index 8b86ab51b7..ab5c00c3ce 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -38,7 +38,7 @@ tags: - CISA AA23-347A - IcedID - Windows Registry Abuse - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 16588899e1..4371335f22 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -44,7 +44,7 @@ tags: - Scattered Lapsus$ Hunters - NetSupport RMM Tool Abuse - Storm-0501 Ransomware - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index b496ad57c5..f4822ee0cb 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -52,7 +52,7 @@ tags: - CISA AA22-264A - XMRig - Crypto Stealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 135e7f6611..97bbe598d2 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -58,7 +58,7 @@ tags: - ValleyRAT - Compromised Windows Host - Windows Defense Evasion Tactics - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1112 diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 7dd695348f..19f55082c7 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -58,7 +58,7 @@ tags: - DarkCrystal RAT - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1059.001 
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index ad9ea22a08..89657646bf 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -48,7 +48,7 @@ tags: - Snake Keylogger - China-Nexus Threat Activity - Lokibot - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 561cc93cbd..5d35c88c13 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -50,7 +50,7 @@ tags: - China-Nexus Threat Activity - 0bj3ctivity Stealer - Lokibot - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml index e34a1db987..6133a6b08f 100644 --- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml +++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml @@ -55,7 +55,7 @@ tags: - Water Gamayun - 0bj3ctivity Stealer - Hellcat Ransomware - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1102.002 diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index 35a9ab2fbf..ad1996c5f7 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml 
@@ -112,7 +112,7 @@ tags: - Ransomware - Revil Ransomware - CISA AA24-241A - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index bbb9c46f9f..3d4adc9027 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -55,7 +55,7 @@ tags: - WhisperGate - Warzone RAT - NetSupport RMM Tool Abuse - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index 2c7a077391..db095387e8 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -93,7 +93,7 @@ tags: - Amadey - Gozi Malware - APT37 Rustonotto and FadeStealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1566.002 diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 47a5589a7d..7bf664a6ed 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml @@ -63,7 +63,7 @@ tags: - Qakbot - Industroyer2 - Scattered Spider - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1592 diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index 90d491e4f2..e5b0cbe342 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml 
@@ -45,7 +45,7 @@ tags: - Interlock Ransomware - LAMEHUG - NetSupport RMM Tool Abuse - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Windows mitre_attack_id: - T1082 diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index a4d737c3e3..f005a0d627 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -47,7 +47,7 @@ tags: - Interlock Ransomware - APT37 Rustonotto and FadeStealer - PromptFlux - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index f4f1289811..eabe5a92fe 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml @@ -49,7 +49,7 @@ tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1115 diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index f6e5b58d16..3700b7ccb2 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -54,7 +54,7 @@ tags: - Water Gamayun - Tuoni - SolarWinds WHD RCE Post Exploitation - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1059.007 
diff --git a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml index ec8dc7a50e..092a391533 100644 --- a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml +++ b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml @@ -47,7 +47,7 @@ rba: tags: analytic_story: - Castle RAT - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1548.002 diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 44ea4a4231..d6beae2350 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -47,7 +47,7 @@ tags: - Scattered Spider - 0bj3ctivity Stealer - Scattered Lapsus$ Hunters - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 1fb9d76ffe..8a806c8497 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml @@ -34,7 +34,7 @@ tags: analytic_story: - Braodo Stealer - Scattered Lapsus$ Hunters - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 8614a0392b..627fd9c662 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml 
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -42,7 +42,7 @@ tags: - Braodo Stealer - MoonPeak - 0bj3ctivity Stealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index b24710c55f..13ff273715 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -52,7 +52,7 @@ tags: - 0bj3ctivity Stealer - Lokibot - Scattered Lapsus$ Hunters - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 79c8c486bc..4079a9dbdb 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -52,7 +52,7 @@ tags: - 0bj3ctivity Stealer - Lokibot - Scattered Lapsus$ Hunters - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index 90cf805b61..eb5ff2ffcb 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -51,7 +51,7 @@ tags: - PXA Stealer - NjRAT - Crypto Stealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index 32667eabd8..c1c351310e 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml @@ -52,7 +52,7 @@ tags: - Scattered Lapsus$ Hunters - Hellcat Ransomware - Castle RAT - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml index 16aa626f9c..e5a1e54248 100644 --- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml +++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml @@ -106,7 +106,7 @@ rba: tags: analytic_story: - Windows Discovery Techniques - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1654 diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 246bea562d..92a40b4769 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml @@ -34,7 +34,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index c3e6f60d18..4a60bdbce7 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml 
+++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -35,7 +35,7 @@ tags: - Windows Defense Evasion Tactics - Windows Registry Abuse - Scattered Lapsus$ Hunters - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 9d8e3d3ccf..25f156a654 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -34,7 +34,7 @@ tags: - StealC Stealer - Snake Keylogger - PXA Stealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index 6abb74cf82..d561e61efe 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml 
@@ -9,17 +9,17 @@ data_source: - Powershell Script Block Logging 4104 description: The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation. search: |- - `powershell` EventCode=4104 ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*, "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*" - | fillnull - | stats count min(_time) as firstTime max(_time) as lastTime - BY dest signature signature_id - user_id vendor_product EventID - Guid Opcode Name - Path ProcessID ScriptBlockId - ScriptBlockText - | `security_content_ctime(firstTime)` - | `security_content_ctime(lastTime)` - | `windows_screen_capture_via_powershell_filter` + `powershell` EventCode=4104 ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*, "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*" + | fillnull + | stats count min(_time) as firstTime max(_time) as lastTime + BY dest signature signature_id + user_id vendor_product EventID + Guid Opcode Name + Path ProcessID ScriptBlockId + ScriptBlockText + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `windows_screen_capture_via_powershell_filter` how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. 
Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba. known_false_positives: No false positives have been identified at this time. references: @@ -46,7 +46,7 @@ tags: - APT37 Rustonotto and FadeStealer - Winter Vivern - Water Gamayun - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1113 diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index 3a71d6c679..3833353f3d 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -51,7 +51,7 @@ tags: - Windows Post-Exploitation - Prestige Ransomware - Snake Keylogger - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1049 diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index f2859f16a3..b3a72c7803 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -48,7 +48,7 @@ rba: tags: analytic_story: - NjRAT - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1497.003 diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml index 8c40fda1a2..c9f5aeaf0a 100644 --- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml +++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml @@ -54,7 +54,7 @@ rba: tags: analytic_story: - LAMEHUG - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1082 
diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index 50742de7cd..8a0a7fd8a2 100644 --- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -45,7 +45,7 @@ tags: - Cactus Ransomware - Braodo Stealer - RedLine Stealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml index fb17f02847..6ab8232fa0 100644 --- a/detections/network/suspicious_process_with_discord_dns_query.yml +++ b/detections/network/suspicious_process_with_discord_dns_query.yml @@ -39,7 +39,7 @@ tags: - WhisperGate - PXA Stealer - Cactus Ransomware - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml index a01cfc23f0..87a8d86156 100644 --- a/detections/network/windows_abused_web_services.yml +++ b/detections/network/windows_abused_web_services.yml @@ -47,7 +47,7 @@ tags: - NjRAT - CISA AA24-241A - Malicious Inno Setup Loader - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1102 diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml index 638a15ecfc..b021233d71 100644 --- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml +++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml 
@@ -44,7 +44,7 @@ tags: analytic_story: - Crypto Stealer - 0bj3ctivity Stealer - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1071.004 diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml index 8283f7d88e..b6678327f1 100644 --- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -55,7 +55,7 @@ tags: - Quasar RAT - 0bj3ctivity Stealer - Castle RAT - - BlankGrabber Stealer + - BlankGrabberStealer asset_type: Endpoint mitre_attack_id: - T1590.005 From 611733185b8f1eb28d4873872ceb03a8b70790b3 Mon Sep 17 00:00:00 2001 
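Review bot: in the windows_screen_capture_via_powershell.yml hunk (@@ -9,17 +9,17 @@) the `ScriptBlockText IN (...)` list is missing the closing quote on its second pattern: `"*Drawing.Bitmap*, "*Graphics.FromImage*"` should read `"*Drawing.Bitmap*", "*Graphics.FromImage*"`. As written the unterminated string swallows the comma and the third pattern, so the search does not match what the description says it matches. The `-` and `+` lines of this hunk are otherwise identical, so this appears to be an indentation-only change; since the whole search block is being rewritten anyway, correct the quoting here instead of carrying the defect forward.

Review bot: every analytic_story hunk in this patch changes the tag from "BlankGrabber Stealer" to "BlankGrabberStealer". That value has to match the `name` field of the BlankGrabber story file exactly, otherwise the detections are not associated with the story when the content is built. Settle on one spelling and apply it consistently, because PATCH 11/13 in this same series (below) changes all of these lines back to "BlankGrabber Stealer".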
From: Teoderick Contreras Date: Tue, 10 Mar 2026 11:51:22 +0100 Subject: [PATCH 11/13] blank_grabber --- ...m___mshtml_or_mshta_network_execution_without_url_in_cli.yml | 2 +- ...isco_nvm___suspicious_download_from_file_sharing_website.yml | 2 +- ...isco_nvm___suspicious_file_download_via_headless_browser.yml | 2 +- ...__suspicious_network_connection_to_ip_lookup_service_api.yml | 2 +- detections/endpoint/detect_mshta_inline_hta_execution.yml | 2 +- .../disable_defender_submit_samples_consent_feature.yml | 2 +- detections/endpoint/disable_windows_behavior_monitoring.yml | 2 +- detections/endpoint/excessive_usage_of_taskkill.yml | 2 +- detections/endpoint/fodhelper_uac_bypass.yml | 2 +- .../malicious_powershell_process___execution_policy_bypass.yml | 2 +- .../non_chrome_process_accessing_chrome_default_dir.yml | 2 +- .../endpoint/non_firefox_process_access_firefox_profile_dir.yml | 2 +- .../endpoint/potential_telegram_api_request_via_commandline.yml | 2 +- detections/endpoint/powershell_disable_security_monitoring.yml | 2 +- .../endpoint/powershell_windows_defender_exclusion_commands.yml | 2 +- .../process_creating_lnk_file_in_suspicious_location.yml | 2 +- detections/endpoint/recon_using_wmi_class.yml | 2 +- detections/endpoint/system_information_discovery_detection.yml | 2 +- ...dows_boot_or_logon_autostart_execution_in_startup_folder.yml | 2 +- .../endpoint/windows_clipboard_data_via_get_clipboard.yml | 2 +- .../windows_cmdline_tool_execution_from_non_shell_process.yml | 2 +- .../endpoint/windows_computerdefaults_spawning_a_process.yml | 2 +- .../windows_credential_access_from_browser_password_store.yml | 2 +- ...edentials_from_password_stores_chrome_copied_in_temp_dir.yml | 2 +- ...credentials_from_password_stores_chrome_extension_access.yml | 2 +- ...redentials_from_password_stores_chrome_localstate_access.yml | 2 +- ...redentials_from_password_stores_chrome_login_data_access.yml | 2 +- .../endpoint/windows_disable_or_modify_tools_via_taskkill.yml | 2 +- 
detections/endpoint/windows_disable_or_stop_browser_process.yml | 2 +- ...indows_eventlog_recon_activity_using_log_query_utilities.yml | 2 +- .../windows_impair_defense_disable_controlled_folder_access.yml | 2 +- ...s_impair_defense_disable_win_defender_network_protection.yml | 2 +- .../endpoint/windows_non_discord_app_access_discord_leveldb.yml | 2 +- detections/endpoint/windows_screen_capture_via_powershell.yml | 2 +- .../windows_system_network_connections_discovery_netsh.yml | 2 +- detections/endpoint/windows_time_based_evasion.yml | 2 +- detections/endpoint/windows_wmic_systeminfo_discovery.yml | 2 +- .../suspicious_process_dns_query_known_abuse_web_services.yml | 2 +- .../network/suspicious_process_with_discord_dns_query.yml | 2 +- detections/network/windows_abused_web_services.yml | 2 +- .../network/windows_dns_query_request_by_telegram_bot_api.yml | 2 +- ...gather_victim_network_info_through_ip_check_web_services.yml | 2 +- 42 files changed, 42 insertions(+), 42 deletions(-) diff --git a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml index 1101262170..51c6baf24b 100644 --- a/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml +++ b/detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml @@ -83,7 +83,7 @@ rba: tags: analytic_story: - Cisco Network Visibility Module Analytics - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1218.005 diff --git a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml index 1d50c69417..16e4a22128 100644 --- a/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml +++ b/detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml 
@@ -94,7 +94,7 @@ tags: analytic_story: - APT37 Rustonotto and FadeStealer - Cisco Network Visibility Module Analytics - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1197 diff --git a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml index 2762d76a6e..48fb4ac407 100644 --- a/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml +++ b/detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml @@ -111,7 +111,7 @@ rba: tags: analytic_story: - Cisco Network Visibility Module Analytics - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1105 diff --git a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml index 484025a1cc..3e66a65e30 100644 --- a/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml +++ b/detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml @@ -88,7 +88,7 @@ tags: analytic_story: - Cisco Network Visibility Module Analytics - Castle RAT - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1590.005 diff --git a/detections/endpoint/detect_mshta_inline_hta_execution.yml b/detections/endpoint/detect_mshta_inline_hta_execution.yml index 5839ca160d..f411285702 100644 --- a/detections/endpoint/detect_mshta_inline_hta_execution.yml +++ b/detections/endpoint/detect_mshta_inline_hta_execution.yml @@ -66,7 +66,7 @@ tags: - Suspicious MSHTA Activity - XWorm - APT37 Rustonotto and FadeStealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1218.005 
diff --git a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml index ab5c00c3ce..8b86ab51b7 100644 --- a/detections/endpoint/disable_defender_submit_samples_consent_feature.yml +++ b/detections/endpoint/disable_defender_submit_samples_consent_feature.yml @@ -38,7 +38,7 @@ tags: - CISA AA23-347A - IcedID - Windows Registry Abuse - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 4371335f22..16588899e1 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -44,7 +44,7 @@ tags: - Scattered Lapsus$ Hunters - NetSupport RMM Tool Abuse - Storm-0501 Ransomware - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/excessive_usage_of_taskkill.yml b/detections/endpoint/excessive_usage_of_taskkill.yml index f4822ee0cb..b496ad57c5 100644 --- a/detections/endpoint/excessive_usage_of_taskkill.yml +++ b/detections/endpoint/excessive_usage_of_taskkill.yml @@ -52,7 +52,7 @@ tags: - CISA AA22-264A - XMRig - Crypto Stealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/fodhelper_uac_bypass.yml b/detections/endpoint/fodhelper_uac_bypass.yml index 97bbe598d2..135e7f6611 100644 --- a/detections/endpoint/fodhelper_uac_bypass.yml +++ b/detections/endpoint/fodhelper_uac_bypass.yml @@ -58,7 +58,7 @@ tags: - ValleyRAT - Compromised Windows Host - Windows Defense Evasion Tactics - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1112 
diff --git a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml index 19f55082c7..7dd695348f 100644 --- a/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml +++ b/detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml @@ -58,7 +58,7 @@ tags: - DarkCrystal RAT - 0bj3ctivity Stealer - APT37 Rustonotto and FadeStealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index 89657646bf..ad9ea22a08 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -48,7 +48,7 @@ tags: - Snake Keylogger - China-Nexus Threat Activity - Lokibot - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 5d35c88c13..561cc93cbd 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml @@ -50,7 +50,7 @@ tags: - China-Nexus Threat Activity - 0bj3ctivity Stealer - Lokibot - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/potential_telegram_api_request_via_commandline.yml b/detections/endpoint/potential_telegram_api_request_via_commandline.yml index 6133a6b08f..e34a1db987 100644 --- a/detections/endpoint/potential_telegram_api_request_via_commandline.yml +++ b/detections/endpoint/potential_telegram_api_request_via_commandline.yml 
@@ -55,7 +55,7 @@ tags: - Water Gamayun - 0bj3ctivity Stealer - Hellcat Ransomware - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1102.002 diff --git a/detections/endpoint/powershell_disable_security_monitoring.yml b/detections/endpoint/powershell_disable_security_monitoring.yml index ad1996c5f7..35a9ab2fbf 100644 --- a/detections/endpoint/powershell_disable_security_monitoring.yml +++ b/detections/endpoint/powershell_disable_security_monitoring.yml @@ -112,7 +112,7 @@ tags: - Ransomware - Revil Ransomware - CISA AA24-241A - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml index 3d4adc9027..bbb9c46f9f 100644 --- a/detections/endpoint/powershell_windows_defender_exclusion_commands.yml +++ b/detections/endpoint/powershell_windows_defender_exclusion_commands.yml @@ -55,7 +55,7 @@ tags: - WhisperGate - Warzone RAT - NetSupport RMM Tool Abuse - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml index db095387e8..2c7a077391 100644 --- a/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml +++ b/detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml @@ -93,7 +93,7 @@ tags: - Amadey - Gozi Malware - APT37 Rustonotto and FadeStealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1566.002 diff --git a/detections/endpoint/recon_using_wmi_class.yml b/detections/endpoint/recon_using_wmi_class.yml index 7bf664a6ed..47a5589a7d 100644 --- a/detections/endpoint/recon_using_wmi_class.yml +++ b/detections/endpoint/recon_using_wmi_class.yml 
@@ -63,7 +63,7 @@ tags: - Qakbot - Industroyer2 - Scattered Spider - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1592 diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index e5b0cbe342..90d491e4f2 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -45,7 +45,7 @@ tags: - Interlock Ransomware - LAMEHUG - NetSupport RMM Tool Abuse - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Windows mitre_attack_id: - T1082 diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml index f005a0d627..a4d737c3e3 100644 --- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml +++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml @@ -47,7 +47,7 @@ tags: - Interlock Ransomware - APT37 Rustonotto and FadeStealer - PromptFlux - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1547.001 diff --git a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml index eabe5a92fe..f4f1289811 100644 --- a/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml +++ b/detections/endpoint/windows_clipboard_data_via_get_clipboard.yml @@ -49,7 +49,7 @@ tags: analytic_story: - Windows Post-Exploitation - Prestige Ransomware - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1115 diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index 3700b7ccb2..f6e5b58d16 100644 
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -54,7 +54,7 @@ tags: - Water Gamayun - Tuoni - SolarWinds WHD RCE Post Exploitation - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.007 diff --git a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml index 092a391533..ec8dc7a50e 100644 --- a/detections/endpoint/windows_computerdefaults_spawning_a_process.yml +++ b/detections/endpoint/windows_computerdefaults_spawning_a_process.yml @@ -47,7 +47,7 @@ rba: tags: analytic_story: - Castle RAT - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1548.002 diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index d6beae2350..44ea4a4231 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -47,7 +47,7 @@ tags: - Scattered Spider - 0bj3ctivity Stealer - Scattered Lapsus$ Hunters - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml index 8a806c8497..1fb9d76ffe 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml 
@@ -34,7 +34,7 @@ tags: analytic_story: - Braodo Stealer - Scattered Lapsus$ Hunters - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1555.003 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 627fd9c662..8614a0392b 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -42,7 +42,7 @@ tags: - Braodo Stealer - MoonPeak - 0bj3ctivity Stealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index 13ff273715..b24710c55f 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -52,7 +52,7 @@ tags: - 0bj3ctivity Stealer - Lokibot - Scattered Lapsus$ Hunters - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 4079a9dbdb..79c8c486bc 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -52,7 +52,7 @@ tags: - 0bj3ctivity Stealer - Lokibot - Scattered Lapsus$ Hunters - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml index eb5ff2ffcb..90cf805b61 100644 --- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml +++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml @@ -51,7 +51,7 @@ tags: - PXA Stealer - NjRAT - Crypto Stealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml index c1c351310e..32667eabd8 100644 --- a/detections/endpoint/windows_disable_or_stop_browser_process.yml +++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml @@ -52,7 +52,7 @@ tags: - Scattered Lapsus$ Hunters - Hellcat Ransomware - Castle RAT - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml index e5a1e54248..16aa626f9c 100644 --- a/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml +++ b/detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml @@ -106,7 +106,7 @@ rba: tags: analytic_story: - Windows Discovery Techniques - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1654 diff --git a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml index 92a40b4769..246bea562d 100644 --- a/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml +++ b/detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml 
@@ -34,7 +34,7 @@ tags: analytic_story: - Windows Defense Evasion Tactics - Windows Registry Abuse - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml index 4a60bdbce7..c3e6f60d18 100644 --- a/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml +++ b/detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml @@ -35,7 +35,7 @@ tags: - Windows Defense Evasion Tactics - Windows Registry Abuse - Scattered Lapsus$ Hunters - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1562.001 diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 25f156a654..9d8e3d3ccf 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -34,7 +34,7 @@ tags: - StealC Stealer - Snake Keylogger - PXA Stealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index d561e61efe..8064a23b5b 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -46,7 +46,7 @@ tags: - APT37 Rustonotto and FadeStealer - Winter Vivern - Water Gamayun - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1113 
diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index 3833353f3d..3a71d6c679 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -51,7 +51,7 @@ tags: - Windows Post-Exploitation - Prestige Ransomware - Snake Keylogger - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1049 diff --git a/detections/endpoint/windows_time_based_evasion.yml b/detections/endpoint/windows_time_based_evasion.yml index b3a72c7803..f2859f16a3 100644 --- a/detections/endpoint/windows_time_based_evasion.yml +++ b/detections/endpoint/windows_time_based_evasion.yml @@ -48,7 +48,7 @@ rba: tags: analytic_story: - NjRAT - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1497.003 diff --git a/detections/endpoint/windows_wmic_systeminfo_discovery.yml b/detections/endpoint/windows_wmic_systeminfo_discovery.yml index c9f5aeaf0a..8c40fda1a2 100644 --- a/detections/endpoint/windows_wmic_systeminfo_discovery.yml +++ b/detections/endpoint/windows_wmic_systeminfo_discovery.yml @@ -54,7 +54,7 @@ rba: tags: analytic_story: - LAMEHUG - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1082 diff --git a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml index 8a0a7fd8a2..50742de7cd 100644 --- a/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml +++ b/detections/network/suspicious_process_dns_query_known_abuse_web_services.yml @@ -45,7 +45,7 @@ tags: - Cactus Ransomware - Braodo Stealer - RedLine Stealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 
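Review bot: the `analytic_story` rename from `BlankGrabberStealer` to `BlankGrabber Stealer`, repeated across every hunk in this patch, only holds together if the story's own `name:` field carries the same spelling, and no hunk here touches `stories/blankgrabber_stealer.yml`. Confirm that the story file is renamed in the same series (or already uses the spaced form), otherwise each of these detections now references a story that does not exist and the content build will flag the dangling link. Since the change is purely a tag rename with no search logic affected, leaving `version:` untouched in these files is acceptable.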
diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml index 6ab8232fa0..fb17f02847 100644 --- a/detections/network/suspicious_process_with_discord_dns_query.yml +++ b/detections/network/suspicious_process_with_discord_dns_query.yml @@ -39,7 +39,7 @@ tags: - WhisperGate - PXA Stealer - Cactus Ransomware - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/windows_abused_web_services.yml b/detections/network/windows_abused_web_services.yml index 87a8d86156..a01cfc23f0 100644 --- a/detections/network/windows_abused_web_services.yml +++ b/detections/network/windows_abused_web_services.yml @@ -47,7 +47,7 @@ tags: - NjRAT - CISA AA24-241A - Malicious Inno Setup Loader - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1102 diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml index b021233d71..638a15ecfc 100644 --- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml +++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml @@ -44,7 +44,7 @@ tags: analytic_story: - Crypto Stealer - 0bj3ctivity Stealer - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1071.004 diff --git a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml index b6678327f1..8283f7d88e 100644 --- a/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml 
@@ -55,7 +55,7 @@ tags: - Quasar RAT - 0bj3ctivity Stealer - Castle RAT - - BlankGrabberStealer + - BlankGrabber Stealer asset_type: Endpoint mitre_attack_id: - T1590.005 From 83c18c5f79b152b623689159a4665062a4ca5a4a Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 10 Mar 2026 12:19:00 +0100 Subject: [PATCH 12/13] blank_grabber --- detections/endpoint/windows_screen_capture_via_powershell.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/endpoint/windows_screen_capture_via_powershell.yml b/detections/endpoint/windows_screen_capture_via_powershell.yml index 8064a23b5b..a8cffb1342 100644 --- a/detections/endpoint/windows_screen_capture_via_powershell.yml +++ b/detections/endpoint/windows_screen_capture_via_powershell.yml @@ -9,7 +9,7 @@ data_source: - Powershell Script Block Logging 4104 description: The following analytic detects the execution of a PowerShell script designed to capture screen images on a host. It leverages PowerShell Script Block Logging to identify specific script block text patterns associated with screen capture activities. This behavior is significant as it may indicate an attempt to exfiltrate sensitive information by capturing desktop screenshots. If confirmed malicious, this activity could allow an attacker to gather visual data from the compromised system, potentially leading to data breaches or further exploitation. search: |- - `powershell` EventCode=4104 ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*, "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*" + `powershell` EventCode=4104 ScriptBlockText IN ("*[Drawing.Graphics]::FromImage*", "*Drawing.Bitmap*", "*Graphics.FromImage*") AND ScriptBlockText = "*.CopyFromScreen*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime BY dest signature signature_id From 26fc2a9f37b7cfb87eeecb12581698e34cd5a93f Mon Sep 17 00:00:00 2001 
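Review bot: in the `windows_screen_capture_via_powershell.yml` hunk the removed line had an unterminated string, `"*Drawing.Bitmap*,` with no closing quote, so the `IN (...)` list was malformed and the analytic could not have run as intended before this fix; the corrected line `"*Drawing.Bitmap*",` is right. Because the search itself changed, bump `version:` and `date:` in the same commit (the diffstat shows only one line touched), and consider a CI check that parses each `search:` for balanced quotes and parentheses so a missing `"` fails the build rather than silently breaking a production detection.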
From: Teoderick Contreras Date: Fri, 13 Mar 2026 12:45:01 +0100 Subject: [PATCH 13/13] blank_grabber --- .../windows_dns_lookup_to_public_file_sharing_domain.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml index fa949b759b..ea53f1c350 100644 --- a/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml +++ b/detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml 
@@ -5,10 +5,10 @@ date: '2026-03-03' author: Teoderick Contreras, Splunk status: production type: Anomaly -description: This Analytics detects DNS queries to public file sharing domains, such as api.anonfiles.com and api.gofile.io. These services allow users to anonymously upload and distribute files, which can be abused by threat actors for data exfiltration, malware staging, or command-and-control communications. Monitoring DNS requests to these domains helps identify potentially unauthorized data transfers or suspicious outbound activity. While legitimate use may exist, such queries originating from servers, restricted systems, or non-browser processes should be investigated to determine whether sensitive data is being staged or transmitted externally. +description: This Analytics detects DNS queries to public file sharing domains, such as api.anonfiles.com, api.gofile.io and many more These services allow users to anonymously upload and distribute files, which can be abused by threat actors for data exfiltration, malware staging, or command-and-control communications. Monitoring DNS requests to these domains helps identify potentially unauthorized data transfers or suspicious outbound activity. While legitimate use may exist, such queries originating from servers, restricted systems, or non-browser processes should be investigated to determine whether sensitive data is being staged or transmitted externally. 
data_source: - Sysmon EventID 22 -search: '`sysmon` EventCode=22 QueryName IN ("*api.anonfiles.com", "*api.gofile.io") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' +search: '`sysmon` EventCode=22 QueryName IN ("*//objects.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*") | eval answer=coalesce(answer,"none") | eval answer_count=coalesce(answer_count,0) | stats min(_time) as firstTime max(_time) as lastTime count BY answer answer_count dvc process_exec process_guid process_name query query_count reply_code_id signature signature_id src user_id vendor_product QueryName QueryResults QueryStatus | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_dns_lookup_to_public_file_sharing_domain_filter`' how_to_implement: To successfully implement this search, you need to be ingesting logs with the process name and eventcode = 22 dnsquery executions from your endpoints. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA. Tune and filter known instances where renamed rundll32.exe may be used. 
known_false_positives: No false positives have been identified at this time. references:
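Review bot: the first pattern in the new `QueryName IN (...)` list, `"*//objects.githubusercontent.com*"`, can never match because a DNS query name is a hostname and never contains `//`; drop the slashes so the entry reads `"*objects.githubusercontent.com*"`. The widened list also pulls in very common legitimate infrastructure (`storage.googleapis.com`, `dl.dropboxusercontent.com`, `cdn.discordapp.com`, `workers.dev`, `pages.dev`, `trycloudflare.com`, `onrender.com`, `ddns.net`, `supabase.co`), so `known_false_positives: No false positives have been identified at this time.` no longer holds; state that browser and sync-client lookups to these domains are expected and that the `windows_dns_lookup_to_public_file_sharing_domain_filter` macro should exclude known processes and hosts. Leading wildcards without a dot boundary (for example `*mega.nz*`, `*temp.sh*`) will also match unrelated names that merely contain the substring; anchoring as `*.mega.nz` or `mega.nz` reduces that noise. In the `description:` the sentence break is missing after `and many more` and `This Analytics` should read `The following analytic`, and `how_to_implement` still says to filter `renamed rundll32.exe`, which is a leftover from a different detection and irrelevant to EventCode 22 DNS queries. Finally, the search logic changed but the diffstat shows only two lines touched, so `version:` and `date:` were not bumped.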