splunk · tccontre · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026 · Jun 25, 2026
@@ -1,8 +1,8 @@
 name: Executables Or Script Creation In Suspicious Path
 id: a7e3f0f0-ae42-11eb-b245-acde48001122
-version: 28
+version: 29
 creation_date: '2021-05-07'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -138,6 +138,7 @@ analytic_story:
     - Void Manticore
     - Axios Supply Chain Post Compromise
     - VIP Keylogger
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1036

@@ -1,8 +1,8 @@
 name: Executables Or Script Creation In Temp Path
 id: e0422b71-2c05-4f32-8754-01fb415f49c9
-version: 25
+version: 26
 creation_date: '2021-05-07'
-modification_date: '2026-06-11'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -132,6 +132,7 @@ analytic_story:
     - VIP Keylogger
     - RoguePlanet
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1036

@@ -1,8 +1,8 @@
 name: Headless Browser Usage
 id: 869ba261-c272-47d7-affe-5c0aa85c93d6
-version: 10
+version: 11
 creation_date: '2023-09-11'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Michael Haag, Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -48,6 +48,7 @@ threat_objects:
 analytic_story:
     - Browser Hijacking
     - Forest Blizzard
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1497

@@ -1,8 +1,8 @@
 name: Non Chrome Process Accessing Chrome Default Dir
 id: 81263de4-160a-11ec-944f-acde48001122
-version: 19
+version: 20
 creation_date: '2021-09-15'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -50,6 +50,7 @@ analytic_story:
     - BlankGrabber Stealer
     - VIP Keylogger
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1555.003

@@ -1,8 +1,8 @@
 name: Non Firefox Process Access Firefox Profile Dir
 id: e6fc13b0-1609-11ec-b533-acde48001122
-version: 19
+version: 20
 creation_date: '2021-09-15'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -52,6 +52,7 @@ analytic_story:
     - BlankGrabber Stealer
     - VIP Keylogger
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1555.003

@@ -1,8 +1,8 @@
 name: PowerShell 4104 Hunting
 id: d6f2b006-0041-11ec-8885-acde48001122
-version: 26
+version: 27
 creation_date: '2021-08-19'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -85,6 +85,7 @@ analytic_story:
     - MuddyWater
     - Axios Supply Chain Post Compromise
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1059.001

@@ -1,8 +1,8 @@
 name: Powershell Fileless Script Contains Base64 Encoded Content
 id: 8acbc04c-c882-11eb-b060-acde48001122
-version: 21
+version: 22
 creation_date: '2021-06-09'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -53,6 +53,7 @@ analytic_story:
     - Axios Supply Chain Post Compromise
     - VIP Keylogger
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1027

@@ -1,8 +1,8 @@
 name: PowerShell PInvoke Process Injection API Chain
 id: 3f1a2b4c-d5e6-7890-abcd-ef1234567890
-version: 2
+version: 3
 creation_date: '2026-04-29'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -103,6 +103,7 @@ intermediate_findings:
           message: A PowerShell script Script block ID [$ScriptBlockId$] contains a possible P-Invoke process injection API chain via either inline Add-Type class declaration or direct static method invocation on [$dest$]
 analytic_story:
     - VIP Keylogger
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1055.001

@@ -1,8 +1,8 @@
 name: Registry Keys Used For Persistence
 id: f5f6af30-7aa7-4295-bfe9-07fe87c01a4b
-version: 33
+version: 34
 creation_date: '2020-04-29'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Jose Hernandez, David Dorsey, Teoderick Contreras, Rod Soto, Splunk
 status: production
 type: TTP
@@ -82,6 +82,7 @@ analytic_story:
     - Gh0st RAT
     - Axios Supply Chain Post Compromise
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1547.001

@@ -1,8 +1,8 @@
 name: Windows Boot or Logon Autostart Execution In Startup Folder
 id: 99d157cb-923f-4a00-aee9-1f385412146f
-version: 15
+version: 16
 creation_date: '2023-01-16'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ analytic_story:
     - APT37 Rustonotto and FadeStealer
     - PromptFlux
     - BlankGrabber Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1547.001

@@ -1,15 +1,15 @@
 name: Windows Browser Process Launched with Unusual Flags
 id: 841e2abc-0442-4e7f-b445-b22680632a08
-version: 4
+version: 5
 creation_date: '2023-09-19'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
 description: The following analytic detects the use of unusual browser flags, specifically --mute-audio and --do-not-elevate, which deviate from standard browser launch behavior. These flags may indicate automated scripts, testing environments, or attempts to modify browser functionality for silent operation or restricted privilege execution. Detection focuses on non-standard launch parameters, unexpected process behavior, or deviations from baseline configurations. Monitoring such flag usage helps identify potentially suspicious activity, misconfigurations, or policy violations, enabling security teams to investigate anomalies, ensure system compliance, and differentiate legitimate administrative or testing uses from unusual or unauthorized operations.
 data_source:
     - Sysmon EventID 1
-search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "explorer.exe")) AND NOT (Processes.parent_process_path IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)) AND Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe") AND Processes.process IN ("*--mute-audio*","*--no-de-elevate*", "*--do-not-de-elevate*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_browser_process_launched_with_unusual_flags_filter`'
+search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where NOT (Processes.parent_process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "explorer.exe")) AND NOT (Processes.parent_process_path IN("C:\\Program Files*", "C:\\Windows\\System32\\*", "C:\\Windows\\SysWow64\\*",)) AND Processes.process_name IN ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe") AND Processes.process IN ("*--mute-audio*","*--no-de-elevate*", "*--do-not-de-elevate*", "*--disable-audio*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_browser_process_launched_with_unusual_flags_filter`'
 how_to_implement: The detection is based on data that originates from Endpoint Detection and Response (EDR) agents. These agents are designed to provide security-related telemetry from the endpoints where the agent is installed. To implement this search, you must ingest logs that contain the process GUID, process name, and parent process. Additionally, you must ingest complete command-line executions. These logs must be processed using the appropriate Splunk Technology Add-ons that are specific to the EDR product. The logs must also be mapped to the `Processes` node of the `Endpoint` data model. Use the Splunk Common Information Model (CIM) to normalize the field names and speed up the data modeling process.
 known_false_positives: It is possible false positives will be present based on third party applications. Filtering may be needed.
 references:
@@ -35,6 +35,7 @@ threat_objects:
       type: parent_process_name
 analytic_story:
     - Castle RAT
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1185

@@ -1,8 +1,8 @@
 name: Windows Chromium Browser No Security Sandbox Process
 id: 314cb263-7eeb-4d45-b693-bb21699c73d2
-version: 5
+version: 6
 creation_date: '2025-05-28'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -16,7 +16,7 @@ search: |
     | tstats `security_content_summariesonly` min(_time) as firstTime max(_time)
     as lastTime from datamodel=Endpoint.Processes where
     Processes.process_name IN ("Chrome.exe","Brave.exe", "Opera.exe", "Vivaldi.exe", "msedge.exe")
-    Processes.process = "*--no-sandbox*"
+    Processes.process IN ("*--no-sandbox*", "*--allow-no-sandbox-job*")
     by Processes.action Processes.dest Processes.original_file_name Processes.parent_process
     Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id
     Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec
@@ -55,6 +55,7 @@ threat_objects:
       type: parent_process_name
 analytic_story:
     - Malicious Inno Setup Loader
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1497

@@ -1,8 +1,8 @@
 name: Windows Chromium Browser with Custom User Data Directory
 id: 4f546cf4-15aa-4368-80f7-940e92bc551e
-version: 7
+version: 8
 creation_date: '2025-05-28'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
@@ -58,6 +58,7 @@ analytic_story:
     - StealC Stealer
     - Malicious Inno Setup Loader
     - Lokibot
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1497

@@ -1,8 +1,8 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 22
+version: 23
 creation_date: '2024-03-20'
-modification_date: '2026-06-08'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Bhavin Patel Splunk
 status: production
 type: Anomaly
@@ -49,6 +49,7 @@ analytic_story:
     - BlankGrabber Stealer
     - VIP Keylogger
     - Salat Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1012

@@ -1,8 +1,8 @@
 name: Windows Credentials from Password Stores Chrome Copied in TEMP Dir
 id: 4d14c86d-fdee-4393-94da-238d2706902f
-version: 10
+version: 11
 creation_date: '2024-10-18'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: TTP
@@ -34,6 +34,7 @@ analytic_story:
     - Braodo Stealer
     - Scattered Lapsus$ Hunters
     - BlankGrabber Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1555.003

@@ -1,17 +1,45 @@
 name: Windows Credentials from Password Stores Chrome Extension Access
 id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af
-version: 12
+version: 13
 creation_date: '2023-05-02'
-modification_date: '2026-05-13'
+modification_date: '2026-06-25'
 author: Teoderick Contreras, Splunk
 status: production
 type: Anomaly
-description: The following analytic detects non-Chrome processes attempting to access the Chrome extensions file. It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior. This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk. If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
+description: |-
+    The following analytic detects non-Chrome processes attempting to access the Chrome extensions file.
+    It leverages Windows Security Event logs, specifically event code 4663, to identify this behavior.
+    This activity is significant because adversaries may exploit this file to extract sensitive information from the Chrome browser, posing a security risk.
+    If confirmed malicious, this could lead to unauthorized access to stored credentials and other sensitive data, potentially compromising the security of the affected system and broader network.
 data_source:
     - Windows Event Log Security 4663
-search: '`wineventlog_security` EventCode=4663 object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*" AND NOT (process_path IN ("*:\\Windows\\explorer.exe", "*\\chrome.exe")) | stats count min(_time) as firstTime max(_time) as lastTime by object_file_name object_file_path process_name process_path  process_id EventCode dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_credentials_from_password_stores_chrome_extension_access_filter`'
-how_to_implement: To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
-known_false_positives: Uninstall chrome browser extension application may access this file and folder path to removed chrome installation in the target host. Filter is needed.
+search: |
+    `wineventlog_security`
+    EventCode=4663
+    object_file_path="*\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Local Extension Settings\\*"
+    NOT process_path IN (
+        "*:\\Windows\\explorer.exe",
+        "*\\AppData\\Local\\Google\\Chrome Beta\\Application\\chrome.exe",
+        "*\\AppData\\Local\\Google\\Chrome Dev\\Application\\chrome.exe",
+        "*\\AppData\\Local\\Google\\Chrome SxS\\Application\\chrome.exe",
+        "*\\AppData\\Local\\Google\\Chrome Unstable\\Application\\chrome.exe",
+        "*\\AppData\\Local\\Google\\Chrome\\Application\\chrome.exe"
+    )
+    | stats count min(_time) as firstTime
+                  max(_time) as lastTime
+
+      by object_file_name object_file_path
+         process_name process_path
+         process_id EventCode dest
+
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_credentials_from_password_stores_chrome_extension_access_filter`
+how_to_implement: |-
+    To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663.
+    For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure."
+known_false_positives: |-
+    The chrome uninstaller will access these set of files and folders. Filter as needed.
 references:
     - https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
 drilldown_searches:
@@ -42,6 +70,7 @@ analytic_story:
     - MoonPeak
     - 0bj3ctivity Stealer
     - BlankGrabber Stealer
+    - Phantom Stealer
 asset_type: Endpoint
 mitre_attack_id:
     - T1012