splunk · tccontre · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -1,6 +1,6 @@
 name: Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
 id: f2a9df84-9b01-4a21-9e3a-7aa1a217f69e
-version: 4
+version: 5
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -83,6 +83,7 @@ rba:
 tags:
     analytic_story:
         - Cisco Network Visibility Module Analytics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1218.005

@@ -1,6 +1,6 @@
 name: Cisco NVM - Suspicious Download From File Sharing Website
 id: 94ebc001-35e7-4ae8-9b0e-52766b2f99c7
-version: 5
+version: 6
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -94,6 +94,7 @@ tags:
     analytic_story:
         - APT37 Rustonotto and FadeStealer
         - Cisco Network Visibility Module Analytics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1197

@@ -1,6 +1,6 @@
 name: Cisco NVM - Suspicious File Download via Headless Browser
 id: cd0e816f-f67d-4dbe-a153-480b546e867e
-version: 4
+version: 5
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk
 status: production
@@ -111,6 +111,7 @@ rba:
 tags:
     analytic_story:
         - Cisco Network Visibility Module Analytics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1105

@@ -1,6 +1,6 @@
 name: Cisco NVM - Suspicious Network Connection to IP Lookup Service API
 id: 568cb83e-d79e-4a23-85ec-6e1f6c30cb2f
-version: 6
+version: 7
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk, Janantha Marasinghe
 status: production
@@ -88,6 +88,7 @@ tags:
     analytic_story:
         - Cisco Network Visibility Module Analytics
         - Castle RAT
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1590.005

@@ -1,6 +1,6 @@
 name: Detect mshta inline hta execution
 id: a0873b32-5b68-11eb-ae93-0242ac130002
-version: 20
+version: 21
 date: '2026-03-10'
 author: Bhavin Patel, Michael Haag, Splunk
 status: production
@@ -66,6 +66,7 @@ tags:
         - Suspicious MSHTA Activity
         - XWorm
         - APT37 Rustonotto and FadeStealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1218.005

@@ -1,6 +1,6 @@
 name: Disable Defender Submit Samples Consent Feature
 id: 73922ff8-3022-11ec-bf5e-acde48001122
-version: 12
+version: 13
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
@@ -38,6 +38,7 @@ tags:
         - CISA AA23-347A
         - IcedID
         - Windows Registry Abuse
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -1,6 +1,6 @@
 name: Disable Windows Behavior Monitoring
 id: 79439cae-9200-11eb-a4d3-acde48001122
-version: 20
+version: 21
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk, Steven Dick
 status: production
@@ -44,6 +44,7 @@ tags:
         - Scattered Lapsus$ Hunters
         - NetSupport RMM Tool Abuse
         - Storm-0501 Ransomware
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -1,6 +1,6 @@
 name: Excessive Usage Of Taskkill
 id: fe5bca48-accb-11eb-a67c-acde48001122
-version: 11
+version: 12
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -52,6 +52,7 @@ tags:
         - CISA AA22-264A
         - XMRig
         - Crypto Stealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -1,6 +1,6 @@
 name: FodHelper UAC Bypass
 id: 909f8fd8-7ac8-11eb-a1f3-acde48001122
-version: 13
+version: 14
 date: '2026-03-10'
 author: Michael Haag, Splunk
 status: production
@@ -58,6 +58,7 @@ tags:
         - ValleyRAT
         - Compromised Windows Host
         - Windows Defense Evasion Tactics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1112

@@ -1,6 +1,6 @@
 name: Malicious PowerShell Process - Execution Policy Bypass
 id: 9be56c82-b1cc-4318-87eb-d138afaaca39
-version: 18
+version: 19
 date: '2026-03-10'
 author: Rico Valdez, Mauricio Velazco, Splunk
 status: production
@@ -58,6 +58,7 @@ tags:
         - DarkCrystal RAT
         - 0bj3ctivity Stealer
         - APT37 Rustonotto and FadeStealer
+        - BlankGrabber Stealer
         - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:

@@ -1,6 +1,6 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 15
+version: 16
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -48,6 +48,7 @@ tags:
         - Snake Keylogger
         - China-Nexus Threat Activity
         - Lokibot
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -1,6 +1,6 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 15
+version: 16
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -50,6 +50,7 @@ tags:
         - China-Nexus Threat Activity
         - 0bj3ctivity Stealer
         - Lokibot
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -1,6 +1,6 @@
 name: Potential Telegram API Request Via CommandLine
 id: d6b0d627-d0bf-46b1-936f-c48284767d21
-version: 8
+version: 9
 date: '2026-03-10'
 author: Nasreddine Bencherchali, Splunk, Zaki Zarkasih Al Mustafa
 status: production
@@ -55,6 +55,7 @@ tags:
         - Water Gamayun
         - 0bj3ctivity Stealer
         - Hellcat Ransomware
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1102.002

@@ -1,6 +1,6 @@
 name: Powershell Disable Security Monitoring
 id: c148a894-dd93-11eb-bf2a-acde48001122
-version: 13
+version: 14
 date: '2026-03-10'
 author: Michael Haag, Nasreddine Bencherchali, Splunk
 status: production
@@ -112,6 +112,7 @@ tags:
         - Ransomware
         - Revil Ransomware
         - CISA AA24-241A
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -1,6 +1,6 @@
 name: Powershell Windows Defender Exclusion Commands
 id: 907ac95c-4dd9-11ec-ba2c-acde48001122
-version: 12
+version: 13
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -55,6 +55,7 @@ tags:
         - WhisperGate
         - Warzone RAT
         - NetSupport RMM Tool Abuse
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -1,6 +1,6 @@
 name: Process Creating LNK file in Suspicious Location
 id: 5d814af1-1041-47b5-a9ac-d754e82e9a26
-version: 15
+version: 16
 date: '2026-03-10'
 author: Jose Hernandez, Michael Haag, Splunk
 status: production
@@ -93,6 +93,7 @@ tags:
         - Amadey
         - Gozi Malware
         - APT37 Rustonotto and FadeStealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1566.002

@@ -1,6 +1,6 @@
 name: Recon Using WMI Class
 id: 018c1972-ca07-11eb-9473-acde48001122
-version: 13
+version: 14
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -63,6 +63,7 @@ tags:
         - Qakbot
         - Industroyer2
         - Scattered Spider
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1592

@@ -1,6 +1,6 @@
 name: System Information Discovery Detection
 id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72
-version: 14
+version: 15
 date: '2026-03-10'
 author: Patrick Bareiss, Splunk
 status: production
@@ -45,6 +45,7 @@ tags:
         - Interlock Ransomware
         - LAMEHUG
         - NetSupport RMM Tool Abuse
+        - BlankGrabber Stealer
     asset_type: Windows
     mitre_attack_id:
         - T1082

@@ -1,6 +1,6 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 13
+version: 14
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -47,6 +47,7 @@ tags:
         - Interlock Ransomware
         - APT37 Rustonotto and FadeStealer
         - PromptFlux
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1547.001

@@ -1,6 +1,6 @@
 name: Windows ClipBoard Data via Get-ClipBoard
 id: ab73289e-2246-4de0-a14b-67006c72a893
-version: 9
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -49,6 +49,7 @@ tags:
     analytic_story:
         - Windows Post-Exploitation
         - Prestige Ransomware
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1115

@@ -1,6 +1,6 @@
 name: Windows Cmdline Tool Execution From Non-Shell Process
 id: 2afa393f-b88d-41b7-9793-623c93a2dfde
-version: 10
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -54,6 +54,7 @@ tags:
         - Water Gamayun
         - Tuoni
         - SolarWinds WHD RCE Post Exploitation
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.007

@@ -1,6 +1,6 @@
 name: Windows ComputerDefaults Spawning a Process
 id: 697eb4c0-1008-4c3c-b5ae-7bd9b39adbd6
-version: 4
+version: 5
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -47,6 +47,7 @@ rba:
 tags:
     analytic_story:
         - Castle RAT
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1548.002

@@ -1,6 +1,6 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 18
+version: 19
 date: '2026-03-10'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
@@ -47,6 +47,7 @@ tags:
         - Scattered Spider
         - 0bj3ctivity Stealer
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
 id: 4d14c86d-fdee-4393-94da-238d2706902f
-version: 8
+version: 9
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 data_source:
@@ -34,6 +34,7 @@ tags:
     analytic_story:
         - Braodo Stealer
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 10
+version: 11
 date: '2026-03-10'
 author: Teoderick Contreras, Splunk
 status: production
@@ -42,6 +42,7 @@ tags:
         - Braodo Stealer
         - MoonPeak
         - 0bj3ctivity Stealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1012