Analytics Story: RedLine Stealer

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the RedLine Stealer trojan, including looking for file writes associated with its payload, screen capture, registry modification, persistence and data collection.

Why it matters

RedLine Stealer is malware sold on underground forums on a subscription basis and written in C#. It is capable of harvesting sensitive information from browsers, such as saved credentials, autofill data, browser cookies and credit card information. It also gathers system information about the targeted or compromised host, such as the username, IP location, available RAM, hardware configuration and installed software. The current version of this malware includes features to steal wallet and cryptocurrency information.

Detections

Name | Technique | Type
Suspicious Process File Path | Create or Modify System Process | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Disabling Defender Services | Disable or Modify Tools | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Schtasks scheduling job on remote system | Scheduled Task | TTP
Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder | Anomaly
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP
Windows Event For Service Disabled | Disable or Modify Tools | Hunting
Windows Modify Registry Auto Minor Updates | Modify Registry | Hunting
Windows Modify Registry Auto Update Notif | Modify Registry | Anomaly
Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP
Windows Modify Registry Do Not Connect To Win Update | Modify Registry | Anomaly
Windows Modify Registry No Auto Reboot With Logon User | Modify Registry | Anomaly
Windows Modify Registry No Auto Update | Modify Registry | Anomaly
Windows Modify Registry Tamper Protection | Modify Registry | TTP
Windows Modify Registry UpdateServiceUrlAlternate | Modify Registry | Anomaly
Windows Modify Registry USeWuServer | Modify Registry | Hunting
Windows Modify Registry WuServer | Modify Registry | Hunting
Windows Modify Registry wuStatusServer | Modify Registry | Hunting
Windows Query Registry Browser List Application | Query Registry | Anomaly
Windows Query Registry UnInstall Program List | Query Registry | Anomaly
Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP
Windows Service Stop Win Updates | Service Stop | Anomaly
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7040 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 1