Analytics Story: RedLine Stealer

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the RedLine Stealer trojan, including file writes associated with its payload, screen capture, registry modification, persistence and data collection.

Why it matters

RedLine Stealer is malware sold on underground forums on a subscription basis and is written in C#. It is capable of harvesting sensitive information from browsers such as saved credentials, autofill data, browser cookies and credit card information. It also gathers system information from the targeted or compromised host, such as username, location, IP address, available RAM, hardware configuration and installed software. The current version of this malware contains features to steal wallet and cryptocurrency information.

Detections

Name | Technique | Type
---- | --------- | ----
CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting
Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP
Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Anomaly
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP
Windows Event For Service Disabled | Disable or Modify Tools, Impair Defenses | Hunting
Windows Modify Registry Auto Minor Updates | Modify Registry | Hunting
Windows Modify Registry Auto Update Notif | Modify Registry | Anomaly
Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP
Windows Modify Registry Do Not Connect To Win Update | Modify Registry | Anomaly
Windows Modify Registry No Auto Reboot With Logon User | Modify Registry | Anomaly
Windows Modify Registry No Auto Update | Modify Registry | Anomaly
Windows Modify Registry Tamper Protection | Modify Registry | TTP
Windows Modify Registry UpdateServiceUrlAlternate | Modify Registry | Anomaly
Windows Modify Registry USeWuServer | Modify Registry | Hunting
Windows Modify Registry WuServer | Modify Registry | Hunting
Windows Modify Registry wuStatusServer | Modify Registry | Hunting
Windows Query Registry Browser List Application | Query Registry | Anomaly
Windows Query Registry UnInstall Program List | Query Registry | Anomaly
Windows Scheduled Task with Highest Privileges | Scheduled Task/Job, Scheduled Task | TTP
Windows Service Stop Win Updates | Service Stop | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
---- | -------- | ---------- | ------
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7040 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1