diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
index 3e652f2994..c14be99c02 100644
--- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml
@@ -1,8 +1,8 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 28
+version: 29
 creation_date: '2021-05-07'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -138,6 +138,7 @@ analytic_story:
   - Void Manticore
   - Axios Supply Chain Post Compromise
   - VIP Keylogger
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1036
diff --git a/detections/endpoint/executables_or_script_creation_in_temp_path.yml b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
index 598c7fa87e..6f4f9aa1ce 100644
--- a/detections/endpoint/executables_or_script_creation_in_temp_path.yml
+++ b/detections/endpoint/executables_or_script_creation_in_temp_path.yml
@@ -1,8 +1,8 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 25
+version: 26
 creation_date: '2021-05-07'
-modification_date: '2026-06-11'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -132,6 +132,7 @@ analytic_story:
   - VIP Keylogger
   - RoguePlanet
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1036
diff --git a/detections/endpoint/headless_browser_usage.yml b/detections/endpoint/headless_browser_usage.yml
index 0bdd9aadf5..d0bf216862 100644
--- a/detections/endpoint/headless_browser_usage.yml
+++ b/detections/endpoint/headless_browser_usage.yml
@@ -1,8 +1,8 @@
 name: Headless Browser Usage
 id: 869ba261-c272-47d7-affe-5c0aa85c93d6
-version: 10
+version: 11
 creation_date: '2023-09-11'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,6 +48,7 @@ threat_objects:
 analytic_story:
   - Browser Hijacking
   - Forest Blizzard
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1497
diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
index 6502ac2a3d..9eed7ce0f7 100644
--- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
+++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
@@ -1,8 +1,8 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 19
+version: 20
 creation_date: '2021-09-15'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -50,6 +50,7 @@ analytic_story:
   - BlankGrabber Stealer
   - VIP Keylogger
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1555.003
diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
index eb994db77b..bdd370d7ef 100644
--- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
+++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
@@ -1,8 +1,8 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 19
+version: 20
 creation_date: '2021-09-15'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -52,6 +52,7 @@ analytic_story:
   - BlankGrabber Stealer
   - VIP Keylogger
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1555.003
diff --git a/detections/endpoint/powershell_4104_hunting.yml b/detections/endpoint/powershell_4104_hunting.yml
index 657df258aa..8428f645ad 100644
--- a/detections/endpoint/powershell_4104_hunting.yml
+++ b/detections/endpoint/powershell_4104_hunting.yml
@@ -1,8 +1,8 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 26
+version: 27
 creation_date: '2021-08-19'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -85,6 +85,7 @@ analytic_story:
   - MuddyWater
   - Axios Supply Chain Post Compromise
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1059.001
diff --git a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
index 5ce2244b6c..9343d1a1b2 100644
--- a/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
+++ b/detections/endpoint/powershell_fileless_script_contains_base64_encoded_content.yml
@@ -1,8 +1,8 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 21
+version: 22
 creation_date: '2021-06-09'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -53,6 +53,7 @@ analytic_story:
   - Axios Supply Chain Post Compromise
   - VIP Keylogger
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1027
diff --git a/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml b/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml
index be300e3118..5474df66a4 100644
--- a/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml
+++ b/detections/endpoint/powershell_pinvoke_process_injection_api_chain.yml
@@ -1,8 +1,8 @@
 name: PowerShell PInvoke Process Injection API Chain
 id: 3f1a2b4c-d5e6-7890-abcd-ef1234567890
-version: 2
+version: 3
 creation_date: '2026-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -103,6 +103,7 @@ intermediate_findings:
     message: A PowerShell script Script block ID [$ScriptBlockId$] contains a possible P-Invoke process injection API chain via either inline Add-Type class declaration or direct static method invocation on [$dest$]
 analytic_story:
   - VIP Keylogger
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1055.001
diff --git a/detections/endpoint/registry_keys_used_for_persistence.yml b/detections/endpoint/registry_keys_used_for_persistence.yml
index 4a8943311b..af50fd3916 100644
--- a/detections/endpoint/registry_keys_used_for_persistence.yml
+++ b/detections/endpoint/registry_keys_used_for_persistence.yml
@@ -1,8 +1,8 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 33
+version: 34
 creation_date: '2020-04-29'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -82,6 +82,7 @@ analytic_story:
   - Gh0st RAT
   - Axios Supply Chain Post Compromise
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1547.001
diff --git a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
index 91dcfb0218..6b3f2e9d5f 100644
--- a/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
+++ b/detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
@@ -1,8 +1,8 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 15
+version: 16
 creation_date: '2023-01-16'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ analytic_story:
   - APT37 Rustonotto and FadeStealer
   - PromptFlux
   - BlankGrabber Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1547.001
diff --git a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
index dbb903e277..d57c7b2711 100644
--- a/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
+++ b/detections/endpoint/windows_browser_process_launched_with_unusual_flags.yml
@@ -1,15 +1,15 @@
 name: Windows Browser Process Launched with Unusual Flags
 id: 841e2abc-0442-4e7f-b445-b22680632a08
-version: 4
+version: 5
 creation_date: '2023-09-19'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
 data_source:
   - Sysmon EventID 1
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "explorer.exe")) AND NOT (Processes.parent_process_path IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)) AND Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe") AND Processes.process IN ("*--mute-audio*","*--no-de-elevate*", "*--do-not-de-elevate*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_browser_process_launched_with_unusual_flags_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "explorer.exe")) AND NOT (Processes.parent_process_path IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)) AND Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe") AND Processes.process IN ("*--mute-audio*","*--no-de-elevate*", "*--do-not-de-elevate*", "*--disable-audio*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_browser_process_launched_with_unusual_flags_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: It is possible false positives will be present based on third party applications. Filtering may be needed.
 references:
@@ -35,6 +35,7 @@ threat_objects:
     type: parent_process_name
 analytic_story:
   - Castle RAT
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1185
diff --git a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml
index 3cf5834c13..b7bb1200ce 100644
--- a/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml
+++ b/detections/endpoint/windows_chromium_browser_no_security_sandbox_process.yml
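Review bot: The added `*--disable-audio*` pattern is not reflected in the `description:` line of the same hunk, which still says the analytic looks "specifically" for `--mute-audio` and `--do-not-elevate`; that second name also does not match the flags the search actually matches (`--no-de-elevate` / `--do-not-de-elevate`), so an analyst reading the finding cannot tell from the description which launch flag tripped it. Suggest rewording the opening clause to `The following analytic detects the use of unusual browser flags, specifically --mute-audio, --disable-audio, --no-de-elevate and --do-not-de-elevate, which deviate from standard browser launch behavior.` The trailing comma in `IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)` is carried over unchanged; since the line is being touched anyway it is worth dropping, if only to avoid relying on the parser tolerating it.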
@@ -1,8 +1,8 @@
 name: Windows Chromium Browser No Security Sandbox Process
 id: 314cb263-7eeb-4d45-b693-bb21699c73d2
-version: 5
+version: 6
 creation_date: '2025-05-28'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ search: |
   | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
-  Processes.process = "*--no-sandbox*"
+  Processes.process IN ("*--no-sandbox*", "*--allow-no-sandbox-job*")
   by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
@@ -55,6 +55,7 @@ threat_objects:
     type: parent_process_name
 analytic_story:
   - Malicious Inno Setup Loader
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1497
diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
index 6e9f3b144b..6438deca8f 100644
--- a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
+++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml
@@ -1,8 +1,8 @@
 name: Windows Chromium Browser with Custom User Data Directory
 id: 4f546cf4-15aa-4368-80f7-940e92bc551e
-version: 7
+version: 8
 creation_date: '2025-05-28'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -58,6 +58,7 @@ analytic_story:
   - StealC Stealer
   - Malicious Inno Setup Loader
   - Lokibot
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1497
diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
index b1cd70305e..53e4dea2ce 100644
--- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml
+++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,8 +1,8 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 22
+version: 23
 creation_date: '2024-03-20'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Bhavin Patel Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ analytic_story:
   - BlankGrabber Stealer
   - VIP Keylogger
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1012
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
index 5c6230b8e6..f6e3777794 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
@@ -1,8 +1,8 @@
 name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
 id: 4d14c86d-fdee-4393-94da-238d2706902f
-version: 10
+version: 11
 creation_date: '2024-10-18'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -34,6 +34,7 @@ analytic_story:
   - Braodo Stealer
   - Scattered Lapsus$ Hunters
   - BlankGrabber Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1555.003
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
index cfcf82f98e..e4f8a81b82 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
@@ -1,17 +1,45 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 12
+version: 13
 creation_date: '2023-05-02'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
+description: |-
+  The following analytic detects non-Chrome processes attempting to access the Chrome extensions file.
+  It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior.
+  This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk.
+  If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
 data_source:
   - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`'
-how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-known_false_positives: Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.
+search: |
+  `wineventlog_security`
+  EventCode=4663
+  object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*"
+  NOT process_path IN (
+    "*:\\Windows\\explorer.exe",
+    "*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"
+  )
+  | stats count min(_time) as firstTime
+    max(_time) as lastTime
+
+    by object_file_name object_file_path
+    process_name process_path
+    process_id EventCode dest
+
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_credentials_from_password_stores_chrome_extension_access_filter`
+how_to_implement: |-
+  To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663.
+  For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: |-
+  The chrome uninstaller will access these set of files and folders. Filter as needed.
 references:
   - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
 drilldown_searches:
@@ -42,6 +42,7 @@ analytic_story:
   - MoonPeak
   - 0bj3ctivity Stealer
   - BlankGrabber Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1012
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
index b0b967890f..20b4759d21 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
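Review bot: The new `NOT process_path IN (...)` list only excludes per-user Chrome installs under `*\\AppData\\Local\\Google\\Chrome*\\Application\\chrome.exe`; with the old generic `*\\chrome.exe` entry gone, a machine-wide Chrome installed under Program Files is no longer excluded, so on those hosts every routine access by the browser itself to `Local Extension Settings` will surface as a finding. If that is deliberate, the `known_false_positives` text should say so; otherwise add `"*:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"` and `"*:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe"` to the list. Replacing a bare file-name match with fully qualified paths is the right direction, since a stealer dropped as chrome.exe in a temp directory was previously excluded by name alone.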
@@ -1,17 +1,47 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 22
+version: 23
 creation_date: '2023-05-02'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome. If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk. Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
+description: |-
+  The following analytic detects non-Chrome processes accessing the Chrome "Local State" file, which contains critical settings and information. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior.
+  This activity is significant because threat actors can exploit this file to extract the encrypted master key used for decrypting saved passwords in Chrome.
+  If confirmed malicious, this could lead to unauthorized access to sensitive information, posing a severe security risk.
+  Monitoring this anomaly helps identify potential threats and safeguard browser-stored data.
 data_source:
   - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State" NOT (process_name IN ("*\\chrome.exe","*:\\Windows\\explorer.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_localstate_access_filter`'
-how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-known_false_positives: Uninstall chrome application may access this file and folder path to removed chrome installation in target host. Filter is needed.
+search: |
+  `wineventlog_security`
+  EventCode=4663
+  object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Local State"
+  NOT process_path IN (
+    "*:\\Windows\\explorer.exe",
+    "*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe",
+    "*\\platform_experience_helper.exe*",
+    "*:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe*"
+  )
+  | stats count min(_time) as firstTime
+    max(_time) as lastTime
+
+    by object_file_name object_file_path
+    process_name process_path
+    process_id EventCode dest
+
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_credentials_from_password_stores_chrome_localstate_access_filter`
+how_to_implement: |-
+  To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663.
+  For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: |-
+  The chrome uninstaller will access these set of files and folders. Filter as needed.
 references:
   - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
 drilldown_searches:
@@ -54,6 +84,7 @@ analytic_story:
   - BlankGrabber Stealer
   - VIP Keylogger
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1012
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
index 45f9303784..44a44a2432 100644
--- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
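Review bot: The added `"*\\platform_experience_helper.exe*"` entry is a bare-filename wildcard, so any process with that name in any directory — including a stealer dropped under the user's temp folder — is excluded from this Local State access detection; that is exactly the weakness the same hunk removes by replacing `*\\chrome.exe` with fully qualified paths. Anchor it to the directory the legitimate binary runs from, as the Edge entry does, and drop the trailing `*` on the two new `.exe*` entries, since `process_path` ends at the executable name and the extra wildcard only loosens the match. As in the sibling extension-access search, a machine-wide Chrome install under Program Files is not in the list either, so either confirm that is intended or add its path.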
@@ -1,17 +1,47 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 22
+version: 23
 creation_date: '2023-05-02'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data." This file is an SQLite database containing sensitive information, including saved passwords. The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts. This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials. If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
+description: |-
+  The following analytic identifies non-Chrome processes accessing the Chrome user data file "login data."
+  This file is an SQLite database containing sensitive information, including saved passwords.
+  The detection leverages Windows Security Event logs, specifically event code 4663, to monitor access attempts.
+  This activity is significant as it may indicate attempts by threat actors to extract and decrypt stored passwords, posing a risk to user credentials.
+  If confirmed malicious, attackers could gain unauthorized access to sensitive accounts and escalate their privileges within the environment.
 data_source:
   - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*:\\Windows\\System32\\dllhost.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_login_data_access_filter`'
-how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-known_false_positives: Uninstall application may access this registry to remove the entry of the target application. filter is needed.
+search: |
+  `wineventlog_security`
+  EventCode=4663
+  object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"
+  NOT process_path IN (
+    "*:\\Windows\\explorer.exe",
+    "*:\\Windows\\System32\\dllhost.exe",
+    "*\\AppData\\Local\\Google\\Chrome Beta\\Application\\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome Dev\\Application\\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome SxS\\Application\\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\\chrome.exe",
+    "*\\AppData\\Local\\Google\\Chrome\\Application\\\chrome.exe"
+  )
+  | stats count min(_time) as firstTime
+    max(_time) as lastTime
+
+    by object_file_name object_file_path
+    process_name process_path
+    process_id EventCode dest
+
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_credentials_from_password_stores_chrome_login_data_access_filter`
+how_to_implement: |-
+  To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663.
+  For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: |-
+  The chrome uninstaller will access these set of files and folders. Filter as needed.
 references:
   - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
 drilldown_searches:
@@ -54,6 +84,7 @@ analytic_story:
   - BlankGrabber Stealer
   - VIP Keylogger
   - Salat Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1012
diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
index c338ebff7e..b204fb0018 100644
--- a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
+++ b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -1,8 +1,8 @@
 name: Windows Disable or Modify Tools Via Taskkill
 id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
-version: 14
+version: 15
 creation_date: '2023-09-19'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -52,6 +52,7 @@ analytic_story:
   - NjRAT
   - Crypto Stealer
   - BlankGrabber Stealer
+  - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
   - T1685
diff --git a/detections/endpoint/windows_disable_or_stop_browser_process.yml b/detections/endpoint/windows_disable_or_stop_browser_process.yml
index e0fc266cb0..51490b8924 100644
--- a/detections/endpoint/windows_disable_or_stop_browser_process.yml
+++ b/detections/endpoint/windows_disable_or_stop_browser_process.yml
@@ -1,8 +1,8 @@
 name: Windows Disable or Stop Browser Process
 id: 220d34b7-b6c7-45fe-8dbb-c35cdd9fe6d5
-version: 13
+version: 14
 creation_date: '2024-10-18'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
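Review bot: The five Chrome entries in the new `NOT process_path IN (...)` list end in `\\Application\\\chrome.exe` — three backslashes — whereas the extension-access and Local State searches rewritten in this same commit use `\\Application\\chrome.exe`. Depending on how Splunk unescapes `\\\c` inside the quoted string, the resulting pattern either carries two literal backslashes before chrome.exe, which no real process path will match, or at best differs from its siblings; if the exclusions never match, every legitimate Chrome access to Login Data becomes a finding and the allowlist is dead weight. Change each entry to the two-backslash form, e.g. `"*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"`. As in the other two searches, a machine-wide Chrome install under Program Files is not excluded here either.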
@@ -56,6 +56,7 @@ analytic_story: - Castle RAT - BlankGrabber Stealer - Salat Stealer + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1685 diff --git a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml index a88686036f..7ab7b05ab6 100644 --- a/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml +++ b/detections/endpoint/windows_file_transfer_protocol_in_non_common_process_path.yml @@ -1,8 +1,8 @@ name: Windows File Transfer Protocol In Non-Common Process Path id: 0f43758f-1fe9-470a-a9e4-780acc4d5407 -version: 11 +version: 12 creation_date: '2022-09-21' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -55,6 +55,7 @@ analytic_story: - AgentTesla - Snake Keylogger - Hellcat Ransomware + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1071.003 diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 7fd2a33564..929fe80e68 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -1,8 +1,8 @@ name: Windows Non Discord App Access Discord LevelDB id: 1166360c-d495-45ac-87a6-8948aac1fa07 -version: 10 +version: 11 creation_date: '2024-02-22' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -34,6 +34,7 @@ analytic_story: - Snake Keylogger - PXA Stealer - BlankGrabber Stealer + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1012 diff --git a/detections/endpoint/windows_powershell_cryptography_namespace.yml b/detections/endpoint/windows_powershell_cryptography_namespace.yml index 7b76dd6ac0..e517ba8e77 100644 
--- a/detections/endpoint/windows_powershell_cryptography_namespace.yml +++ b/detections/endpoint/windows_powershell_cryptography_namespace.yml @@ -1,8 +1,8 @@ name: Windows Powershell Cryptography Namespace id: f8b482f4-6d62-49fa-a905-dfa15698317b -version: 15 +version: 16 creation_date: '2023-01-26' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -48,6 +48,7 @@ analytic_story: - AsyncRAT - XWorm - VIP Keylogger + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/windows_process_injection_remote_thread.yml b/detections/endpoint/windows_process_injection_remote_thread.yml index 3b1356bf0e..1037ac3062 100644 --- a/detections/endpoint/windows_process_injection_remote_thread.yml +++ b/detections/endpoint/windows_process_injection_remote_thread.yml @@ -1,8 +1,8 @@ name: Windows Process Injection Remote Thread id: 8a618ade-ca8f-4d04-b972-2d526ba59924 -version: 13 +version: 14 creation_date: '2022-10-28' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: TTP @@ -73,6 +73,7 @@ analytic_story: - Warzone RAT - Earth Alux - Water Gamayun + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1055.002 diff --git a/detections/endpoint/windows_process_injection_with_public_source_path.yml b/detections/endpoint/windows_process_injection_with_public_source_path.yml index 68c34c4da5..d1d12e1b8e 100644 --- a/detections/endpoint/windows_process_injection_with_public_source_path.yml +++ b/detections/endpoint/windows_process_injection_with_public_source_path.yml @@ -1,8 +1,8 @@ name: Windows Process Injection With Public Source Path id: 492f09cf-5d60-4d87-99dd-0bc325532dda -version: 10 +version: 11 creation_date: '2022-09-05' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Hunting 
@@ -17,6 +17,7 @@ references: analytic_story: - Brute Ratel C4 - Earth Alux + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1055.002 diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 410963926e..76832167a1 100644 --- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,8 +1,8 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 25 +version: 26 creation_date: '2021-05-07' -modification_date: '2026-06-11' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: TTP @@ -95,6 +95,7 @@ analytic_story: - Axios Supply Chain Post Compromise - VIP Keylogger - RoguePlanet + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1543 diff --git a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml index 172faeee33..ea161433fb 100644 --- a/detections/endpoint/windows_system_network_connections_discovery_netsh.yml +++ b/detections/endpoint/windows_system_network_connections_discovery_netsh.yml @@ -1,8 +1,8 @@ name: Windows System Network Connections Discovery Netsh id: abfb7cc5-c275-4a97-9029-62cd8d4ffeca -version: 11 +version: 12 creation_date: '2022-12-06' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -12,21 +12,31 @@ data_source: - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE `process_netsh`AND Processes.process = "* show *" Processes.process IN ("*state*", "*config*", "*wlan*", "*profile*") - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` + count min(_time) as firstTime + max(_time) as lastTime + + FROM datamodel=Endpoint.Processes WHERE + + `process_netsh` + Processes.process="* show *" + Processes.process IN ("*state*", "*config*", "*wlan*", "*profile*") + + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product + | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_system_network_connections_discovery_netsh_filter` how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. 
These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process. -known_false_positives: network administrator can use this tool for auditing process. +known_false_positives: |- + Network administrators, power users, and third party tools can and will use this utility for various purposes. Apply the necessary filters by user, parent process, and command line. references: - https://attack.mitre.org/techniques/T1049/ - https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS @@ -52,6 +62,7 @@ analytic_story: - Snake Keylogger - BlankGrabber Stealer - VIP Keylogger + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1049 diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index 8fea2f947b..ccdf81a36d 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml @@ -1,8 +1,8 @@ name: Windows Unsecured Outlook Credentials Access In Registry id: 36334123-077d-47a2-b70c-6c7b3cc85049 -version: 13 +version: 14 creation_date: '2024-02-22' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -37,6 +37,7 @@ analytic_story: - 0bj3ctivity Stealer - Lokibot - VIP Keylogger + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1552 diff --git a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml index 6127a76db5..66f662ff8d 100644 --- a/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml +++ b/detections/endpoint/windows_unusual_filezilla_xml_config_access.yml @@ -1,8 +1,8 @@ name: Windows Unusual FileZilla XML Config Access id: 47dc0426-cbe4-4253-8b86-1a983c3f9951 -version: 4 +version: 5 creation_date: '2025-07-16' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -34,6 +34,7 @@ threat_objects: type: process_name analytic_story: - Quasar RAT + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1552.001 diff --git a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml index 298474eb30..dc687b606f 100644 --- a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml +++ b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml @@ -1,8 +1,8 @@ name: Windows Unusual Process Load Mozilla NSS-Mozglue Module id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd -version: 8 +version: 9 creation_date: '2021-05-13' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -38,6 +38,7 @@ analytic_story: - 0bj3ctivity Stealer - Lokibot - VIP Keylogger + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1218.003 diff --git a/detections/endpoint/windows_winscp_configuration_security_access.yml b/detections/endpoint/windows_winscp_configuration_security_access.yml new file mode 100644 index 0000000000..14e78754bc --- /dev/null 
+++ b/detections/endpoint/windows_winscp_configuration_security_access.yml 
@@ -0,0 +1,71 @@
+name: Windows WinSCP Configuration Security Access
+id: 90013cc4-585b-4437-a95f-099933974f3e
+version: 1
+creation_date: '2026-06-24'
+modification_date: '2026-06-24'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: |-
+  This analytic detects unauthorized access to the WinSCP security configuration folder by processes other than WinSCP itself.
+  WinSCP stores sensitive SSH and FTP session credentials, including passwords and private key references, under the user profile path Martin Prikryl\WinSCP 2\Configuration\Security. Information-stealing malware such as Phantom Stealer targets this directory to harvest stored credentials for exfiltration.
+  The detection uses Windows Security Event 4663 (Object Access) to identify any non-WinSCP process reading or accessing files within this path, which is abnormal during routine system operation.
+  Analysts should investigate the accessing process, its parent, and any associated network activity to determine whether a credential theft attempt is underway.
+data_source:
+  - Windows Event Log Security 4663
+search: |-
+  `wineventlog_security`
+  EventCode=4663
+  object_file_path="*\\Martin Prikryl\\WinSCP 2\\Configuration\\Security*"
+  NOT process_name IN ("winscp.exe")
+
+  | stats count min(_time) as firstTime
+  max(_time) as lastTime
+  by object_file_name object_file_path
+  process_name process_path process_id
+  EventCode dest
+
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `windows_winscp_configuration_security_access_filter`
+how_to_implement: |-
+  To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663.
+  For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: |-
+  False positive may occur during backup or anti-virus scanning process. Filter as needed.
+references:
+  - https://malpedia.caad.fkie.fraunhofer.de/details/win.phantom_stealer
+  - https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers
+drilldown_searches:
+  - name: View the detection results for - "$dest$"
+    search: '%original_detection_search% | search dest = "$dest$"'
+    earliest_offset: $info_min_time$
+    latest_offset: $info_max_time$
+  - name: View risk events for the last 7 days for - "$dest$"
+    search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+    earliest_offset: 7d
+    latest_offset: "0"
+intermediate_findings:
+  entities:
+    - field: dest
+      type: system
+      score: 20
+      message: a non winscp process [$process_name$] accessed the winscp configuration file [$object_file_path$] on $dest$.
+analytic_story:
+  - Phantom Stealer
+asset_type: Endpoint
+mitre_attack_id:
+  - T1552.001
+product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+category: endpoint
+security_domain: endpoint
+tests:
+  - name: True Positive Test
+    attack_data:
+      - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1552.001/winscp_access/winscp_phnatom.log
+        source: XmlWinEventLog:Security
+        sourcetype: XmlWinEventLog
+    test_type: unit
diff --git a/detections/network/suspicious_process_with_discord_dns_query.yml b/detections/network/suspicious_process_with_discord_dns_query.yml
index 83ea7943f4..152991165b 100644
--- a/detections/network/suspicious_process_with_discord_dns_query.yml
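Review bot: The exclusion `NOT process_name IN ("winscp.exe")` in the new search keys only on the image name, so the allow-list is satisfied by any binary carrying that name, whereas the Chrome Login Data hunk earlier in this diff excludes the legitimate client by full process_path; matching on path here, e.g. `NOT process_path IN ("<WINSCP_INSTALL_DIR>\\WinSCP.exe")` with the real install location filled in, keeps the two detections consistent and the exclusion much narrower. how_to_implement also omits that event 4663 is only written for objects that carry an audit SACL — enabling "Audit Object Access" alone produces no events for the WinSCP path — so the note should tell implementers to place a SACL on that object. The description calls the target a "folder" under a "user profile path", but `Martin Prikryl\WinSCP 2\Configuration\Security` reads like a registry location rather than a directory; if the SACL and the object_file_path pattern are meant to cover a registry key, the description, the audit guidance and the field mapping should say so explicitly, since registry and file-system object access are audited and normalized differently.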
+++ b/detections/network/suspicious_process_with_discord_dns_query.yml @@ -1,8 +1,8 @@ name: Suspicious Process With Discord DNS Query id: 4d4332ae-792c-11ec-89c1-acde48001122 -version: 13 +version: 14 creation_date: '2022-01-19' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Mauricio Velazco, Splunk status: production type: Anomaly @@ -40,6 +40,7 @@ analytic_story: - PXA Stealer - Cactus Ransomware - BlankGrabber Stealer + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1059.005 diff --git a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml index 98fe67a14a..e4a251deab 100644 --- a/detections/network/windows_dns_query_request_by_telegram_bot_api.yml +++ b/detections/network/windows_dns_query_request_by_telegram_bot_api.yml @@ -1,8 +1,8 @@ name: Windows DNS Query Request by Telegram Bot API id: 86f66f44-94d9-412d-a71d-5d8ed0fef72e -version: 10 +version: 11 creation_date: '2021-08-03' -modification_date: '2026-05-13' +modification_date: '2026-06-25' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -45,6 +45,7 @@ analytic_story: - 0bj3ctivity Stealer - BlankGrabber Stealer - VIP Keylogger + - Phantom Stealer asset_type: Endpoint mitre_attack_id: - T1071.004 diff --git a/lookups/csv/browser_app_list.csv b/lookups/csv/browser_app_list.csv index 55a263c2bd..b41d6f2ef1 100644 --- a/lookups/csv/browser_app_list.csv +++ b/lookups/csv/browser_app_list.csv 
@@ -49,4 +49,71 @@ browser_process_name,browser_object_path,isAllowed "*opera.exe","*Opera Software\Opera GX Stable\Login Data*", true "*opera.exe","*Opera Software\Opera GX Stable\Local State*", true "*yandex.exe","*Yandex\YandexBrowser\User Data\Default\Ya Passman Data*", true -"*yandex.exe","*Yandex\YandexBrowser\User Data\Local State*", true \ No newline at end of file +"*yandex.exe","*Yandex\YandexBrowser\User Data\Local State*", true +"*Chrome.exe","*Google\Chrome Beta\User Data\Default\Login Data*", true +"*Chrome.exe","*Google\Chrome Dev\User Data\Default\Login Data*", true +"*Chrome.exe","*Google\Chrome Unstable\User Data\Default\Login Data*", true +"*Chrome.exe","*Google\Chrome Canary\User Data\Default\Login Data*", true +"*Chrome.exe","*Google(x86)\Chrome\User Data\Default\Login Data*", true +"*Chrome.exe","*Google(x86)\Chrome Beta\User Data\Default\Login Data*", true +"*Chrome.exe","*Google(x86)\Chrome SxS\User Data\Default\Login Data*", true +"*Chrome.exe","*Google(x86)\Chrome Dev\User Data\Default\Login Data*", true +"*Chrome.exe","*Google(x86)\Chrome Unstable\User Data\Default\Login Data*", true +"*Chrome.exe","*Google(x86)\Chrome Canary\User Data\Default\Login Data*", true +"*atom.exe","*Mail.Ru\Atom\User Data\Default\Login Data*", true +"*Chromodo.exe","*Comodo\User Data\Default\Login Data*", true +"*360chrome.exe","*360ChromeX\Chrome\User Data\Default\Login Data*", true +"*360se.exe","*360se6\User Data\Default\Login Data*", true +"*360se.exe","*360se\User Data\Default\Login Data*", true +"*Maxthon.exe","*Maxthon3\User Data\Default\Login Data*", true +"*Maxthon.exe","*Maxthon\User Data\Default\Login Data*", true +"*Maxthon.exe","*Maxthon5\Users\*\Login Data*", true +"*k-meleon.exe","*K-Melon\User Data\Default\Login Data*", true +"*SLBrowser.exe","*Lenovo\SLBrowser\*\Login Data*", true +"*Go!.exe","*Go!\User Data\Default\Login Data*", true +"*Secure Browser.exe","*Safer Technologies\Secure Browser\User Data\Default\Login Data*", true 
+"*Chromodo.exe","*Chromodo\User Data\Default\Login Data*", true +"*yandex.exe","*Yandex\YandexBrowserCanary\User Data\Default\Ya Passman Data*", true +"*yandex.exe","*Yandex\YandexBrowserDeveloper\User Data\Default\Ya Passman Data*", true +"*yandex.exe","*Yandex\YandexBrowserBeta\User Data\Default\Ya Passman Data*", true +"*yandex.exe","*Yandex\YandexBrowserTech\User Data\Default\Ya Passman Data*", true +"*yandex.exe","*Yandex\YandexBrowserSxS\User Data\Default\Ya Passman Data*", true +"*opera.exe","*Opera Software\Opera Stable\Login Data*", true +"*opera.exe","*Opera Software\Opera Neon\User Data\Default\Login Data*", true +"*opera.exe","*Opera Software\Opera Crypto Developer\Login Data*", true +"*Elements Browser.exe","*Elements Browser\User Data\Default\Login Data*", true +"*Mustang.exe","*Rafotech\Mustang\User Data\Default\Login Data*", true +"*Suhba.exe","*Suhba\User Data\Default\Login Data*", true +"*TorBro.exe","*TorBro\Profile\*\Login Data*", true +"*RockMelt.exe","*RockMelt\User Data\Default\Login Data*", true +"*Bromium.exe","*Bromium\User Data\Default\Login Data*", true +"*Twinkstar.exe","*Twinkstar\User Data\Default\Login Data*", true +"*iTop Private Browser.exe","*iTop Private Browser\User Data\Default\Login Data*", true +"*CCleaner Browser.exe","*CCleaner Browser\User Data\Default\Login Data*", true +"*AcWebBrowser.exe","*AcWebBrowser\User Data\Default\Login Data*", true +"*CoolNovo.exe","*CoolNovo\User Data\Default\Login Data*", true +"*spark.exe","*Baidu Spark\User Data\Default\Login Data*", true +"*iron.exe","*SRWare Iron\User Data\Default\Login Data*", true +"*Titan Browser.exe","*Titan Browser\User Data\Default\Login Data*", true +"*AVG Browser.exe","*AVG\Browser\User Data\Default\Login Data*", true +"*UR Browser.exe","*UR Browser\User Data\Default\Login Data*", true +"*Flock.exe","*Flock\User Data\Default\Login Data*", true +"*CryptoTab Browser.exe","*CryptoTab Browser\User Data\Default\Login Data*", true +"*Sidekick.exe","*Sidekick\User 
Data\Default\Login Data*", true +"*SwingBrowser.exe","*SwingBrowser\User Data\Default\Login Data*", true +"*SalamWeb.exe","*SalamWeb\User Data\Default\Login Data*", true +"*NetboxBrowser.exe","*NetboxBrowser\User Data\Default\Login Data*", true +"*GarenaPlus.exe","*GarenaPlus\User Data\Default\Login Data*", true +"*InsomniacBrowser.exe","*InsomniacBrowser\User Data\Default\Login Data*", true +"*Viasat Browser.exe","*ViaSat\Viasat Browser\User Data\Default\Login Data*", true +"*whale.exe","*Naver\Naver Whale\User Data\Default\Login Data*", true +"*falkon.exe","*falkon\profiles\*\logins.json*", true +"*SogouExplorer.exe","*SogouExplorer\Webkit\*\Login Data*", true +"*LiebaoBrowser.exe","*liebao\User Data\Default\Login Data*", true +"*firefox.exe","*Mozilla\Firefox\Profiles\logins.json*", true +"*waterfox.exe","*Waterfox\Profiles\logins.json*", true +"*k-meleon.exe","*K-Meleon\Profiles\logins.json*", true +"*thunderbird.exe","*Thunderbird\Profiles\logins.json*", true +"*BlackHawk.exe","*NETGATE Technologies\BlackHawk\Profiles\logins.json*", true +"*basilisk.exe","*Moonchild Productions\Basilisk\Profiles\logins.json*", true +"*BitTubeBrowser.exe","*BitTube\BitTubeBrowser\Profiles\logins.json*", true \ No newline at end of file diff --git a/lookups/csv/browser_app_list.yml b/lookups/csv/browser_app_list.yml index 44187806c0..8f7f89af69 100644 --- a/lookups/csv/browser_app_list.yml +++ b/lookups/csv/browser_app_list.yml @@ -1,8 +1,8 @@ name: browser_app_list id: a80ccd19-e46f-4a12-9ad7-e653ad646347 -version: 4 +version: 6 creation_date: '2024-03-20' -modification_date: '2026-05-13' +modification_date: '2026-06-16' author: Splunk Threat Research Team lookup_type: csv description: A list of known browser application being targeted for credential extraction. diff --git a/stories/phantom_stealer.yml b/stories/phantom_stealer.yml new file mode 100644 index 0000000000..056531e7fa --- /dev/null +++ b/stories/phantom_stealer.yml 
@@ -0,0 +1,44 @@
+name: Phantom Stealer
+id: 9647c6d9-3245-41b6-b519-894956279304
+version: 1
+creation_date: '2026-06-24'
+modification_date: '2026-06-24'
+author: Teoderick Contreras, Splunk
+status: production
+description: |-
+  Phantom Stealer is an information-stealing malware designed to covertly harvest sensitive data from compromised Windows endpoints.
+
+  It primarily targets browser credential stores, saved passwords, cookies, autofill data, and session tokens from popular browsers such as Chrome, Edge, and Firefox.
+
+  Beyond browsers, Phantom Stealer extends its reach to FTP and SSH clients, including WinSCP, FileZilla, and PuTTY, as well as email clients, cryptocurrency wallets, and VPN configurations.
+
+  The malware commonly arrives via phishing emails, trojanized software, or malicious downloads.
+
+  Once executed, it enumerates the victim system, collects targeted data, archives the harvested output, and exfiltrates it to attacker-controlled infrastructure over encrypted channels. Phantom Stealer leverages access to sensitive application configuration folders — including WinSCP security directories — to extract stored credentials outside of normal application access patterns.
+
+  Detection focuses on unauthorized process access to credential storage paths, abnormal file reads from browser and FTP client profile directories, and suspicious data archiving or outbound connection behavior.
+narrative: |-
+  In observed Phantom Stealer campaigns, the malware is typically delivered through phishing lures or cracked software bundles targeting Windows users.
+
+  Upon initial execution from a user profile or temporary directory, the malware rapidly enumerates installed applications and begins accessing sensitive credential stores.
+
+  Telemetry captured unauthorized reads of WinSCP security configuration folders by non-WinSCP processes, a strong behavioral indicator of credential harvesting targeting SSH and FTP sessions.
+
+  The malware similarly accessed browser profile directories for Chrome and Edge, extracting Login Data, Cookies, and Web Data SQLite databases containing saved credentials and session tokens.
+
+  Following collection, Phantom Stealer compressed the harvested data into an archive and transmitted it via HTTPS POST to its command-and-control server.
+
+  In some cases, persistence was observed through registry run key modifications, ensuring the stealer re-executes after reboot.
+
+  The breadth of targeted applications — spanning browsers, file transfer clients, and crypto wallets — makes Phantom Stealer a high-impact credential theft tool capable of enabling account takeover, financial fraud, and further intrusion into enterprise environments.
+references:
+  - https://github.com/renniepak/PhantomStealer
+  - https://malpedia.caad.fkie.fraunhofer.de/details/win.phantom_stealer
+  - https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers
+category:
+  - Malware
+product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+usecase: Advanced Threat Detection
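Review bot: The narrative states that persistence "was observed through registry run key modifications", yet none of the detections this commit tags with `- Phantom Stealer` — the suspicious-path and temp-path file creation, browser and FTP-client profile access, process injection, netsh, taskkill, DNS and WinSCP analytics — covers Run-key persistence, as far as this diff shows. Either tag an existing registry Run-key detection to the story or soften that sentence so the story does not imply coverage it lacks. The same applies to the description's closing line, which lists "suspicious data archiving" as a detection focus and to the narrative's Edge profile access, with no archiving or Edge-specific analytic tagged here. Keeping the description to the behaviours the mapped detections actually observe makes the story's coverage claims verifiable against its analytic list.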