Description
These searches help you detect and investigate activity associated with the RedLine Stealer trojan, including file writes tied to its payload, screen capture, registry modification, persistence mechanisms and data collection.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Updates
- Last Updated: 2023-04-24
- Author: Teoderick Contreras, Splunk
- ID: 12e31e8b-671b-4d6e-b362-a682812a71eb
Narrative
RedLine Stealer is a malware family written in C# and sold on underground forums, typically on a subscription basis. It harvests sensitive data from browsers, including saved credentials, autofill data, cookies and stored credit card information, and collects system information about the compromised host such as the username, IP-derived location, available RAM, hardware configuration and installed software. Current versions also include features for stealing cryptocurrency wallet data.
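The browser-data theft described above is what the "Non Chrome Process Accessing Chrome Default Dir", "Non Firefox Process Access Firefox Profile Dir" and Chrome LocalState / Login Data detections in the table below look for. The following Python is an added illustration of that detection logic run over constructed file-access events; it is not Splunk's SPL and not RedLine's code. The profile path patterns, the per-browser allowlist (only the browser binary itself) and the artifact descriptions are this example's assumptions and need tuning for backup or EDR agents in a real environment.

```python
import re
from collections import defaultdict

# Constructed file-access events shaped like Splunk's Endpoint.Filesystem fields
# (process_name, file_path). Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"process_name": "chrome.exe",
     "file_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process_name": "firefox.exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json"},
    {"process_name": "update.exe",
     "file_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"process_name": "update.exe",
     "file_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"process_name": "update.exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\key4.db"},
    {"process_name": "update.exe",
     "file_path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\ab12cd34.default-release\logins.json"},
    {"process_name": "svchost.exe",
     "file_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Web Data"},
    {"process_name": "notepad.exe",
     "file_path": r"C:\Users\alice\Documents\notes.txt"},
]

# Profile locations and the processes expected to touch them. Assumption: only the
# browser itself; backup or EDR agents must be added per environment.
BROWSER_RULES = {
    "chrome": {
        "path": re.compile(r"\\Google\\Chrome\\User Data\\", re.IGNORECASE),
        "expected": {"chrome.exe"},
        "artifacts": {
            "Login Data": "saved credentials (SQLite, passwords AES-encrypted)",
            "Local State": "DPAPI-protected AES key that unlocks Login Data",
            "Web Data": "autofill entries and payment cards",
            "Cookies": "session cookies",
        },
    },
    "firefox": {
        "path": re.compile(r"\\Mozilla\\Firefox\\Profiles\\", re.IGNORECASE),
        "expected": {"firefox.exe"},
        "artifacts": {
            "logins.json": "saved credentials, encrypted with the NSS key",
            "key4.db": "NSS key database that unlocks logins.json",
            "cookies.sqlite": "session cookies",
        },
    },
}


def classify(file_path):
    """Return (browser, basename) when the path is inside a known browser profile, else None."""
    for browser, rule in BROWSER_RULES.items():
        if rule["path"].search(file_path):
            return browser, file_path.rsplit("\\", 1)[-1]
    return None


def detect(events):
    """One alert per event where a process outside the browser's expected set reads its profile."""
    alerts = []
    for ev in events:
        hit = classify(ev["file_path"])
        if hit is None:
            continue
        browser, artifact = hit
        proc = ev["process_name"].lower()
        if proc in BROWSER_RULES[browser]["expected"]:
            continue
        alerts.append({
            "process_name": proc,
            "browser": browser,
            "artifact": artifact,
            "meaning": BROWSER_RULES[browser]["artifacts"].get(artifact, "other profile file"),
            "file_path": ev["file_path"],
        })
    return alerts


# Decrypting Chrome passwords needs both the key (Local State) and the ciphertext
# (Login Data); Firefox likewise needs key4.db plus logins.json. One process reading
# both halves is the stealer pattern, so it is scored above a lone read.
KEY_AND_STORE = {
    "chrome": {("chrome", "Local State"), ("chrome", "Login Data")},
    "firefox": {("firefox", "key4.db"), ("firefox", "logins.json")},
}


def correlate(alerts):
    """Collapse alerts per process and assign a severity."""
    touched = defaultdict(set)
    for a in alerts:
        touched[a["process_name"]].add((a["browser"], a["artifact"]))
    findings = {}
    for proc, arts in touched.items():
        full_pair = any(pair <= arts for pair in KEY_AND_STORE.values())
        findings[proc] = {"severity": "high" if full_pair else "medium",
                          "artifacts": sorted(arts)}
    return findings


if __name__ == "__main__":
    for proc, f in correlate(detect(SAMPLE_EVENTS)).items():
        print(f"{f['severity']:6} {proc}: {f['artifacts']}")
```

On the sample data, update.exe is scored high because it reads both the key file and the credential store for each browser, while svchost.exe touching only Web Data stays medium; the browser binaries never appear. In Splunk the same split maps onto the separate Anomaly detections in the table, with the correlation step done in a risk-based alert.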
Detections
| Name | Technique | Type |
| --- | --- | --- |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Defender Services | Disable or Modify Tools, Impair Defenses | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Non Chrome Process Accessing Chrome Default Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Windows Boot or Logon Autostart Execution In Startup Folder | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | Anomaly |
| Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Event For Service Disabled | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Modify Registry Auto Minor Updates | Modify Registry | Hunting |
| Windows Modify Registry Auto Update Notif | Modify Registry | Anomaly |
| Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP |
| Windows Modify Registry Do Not Connect To Win Update | Modify Registry | Anomaly |
| Windows Modify Registry No Auto Reboot With Logon User | Modify Registry | Anomaly |
| Windows Modify Registry No Auto Update | Modify Registry | Anomaly |
| Windows Modify Registry Tamper Protection | Modify Registry | TTP |
| Windows Modify Registry USeWuServer | Modify Registry | Hunting |
| Windows Modify Registry UpdateServiceUrlAlternate | Modify Registry | Anomaly |
| Windows Modify Registry WuServer | Modify Registry | Hunting |
| Windows Modify Registry wuStatusServer | Modify Registry | Hunting |
| Windows Query Registry Browser List Application | Query Registry | Anomaly |
| Windows Query Registry UnInstall Program List | Query Registry | Anomaly |
| Windows Scheduled Task with Highest Privileges | Scheduled Task/Job, Scheduled Task | TTP |
| Windows Service Stop Win Updates | Service Stop | Anomaly |
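Most of the Modify Registry rows above key on a handful of Defender and Windows Update policy values. The Python below is an added example of that registry-tampering logic run over constructed Sysmon Event ID 13 (RegistryEvent SetValue) style records; it is not Splunk's SPL. The detection names come from the table, but the value semantics each rule tests (for instance DisableAntiSpyware = 1, TamperProtection = 0) are this example's assumption about what the published searches match, and the type tiers are used only to weight the summary.

```python
import re
from collections import Counter, defaultdict

# Constructed Sysmon Event ID 13 (SetValue) records in the shape of Splunk's
# Endpoint.Registry fields. Sample data for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"process_name": "update.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "registry_value_data": "DWORD (0x00000001)"},
    {"process_name": "update.exe",
     "registry_path": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection",
     "registry_value_data": "DWORD (0x00000000)"},
    {"process_name": "update.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate",
     "registry_value_data": "DWORD (0x00000001)"},
    {"process_name": "update.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AutoInstallMinorUpdates",
     "registry_value_data": "DWORD (0x00000000)"},
    {"process_name": "update.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer",
     "registry_value_data": "http://10.0.0.5:8530"},
    # Group Policy re-enabling Defender: same value name, opposite data, must not fire.
    {"process_name": "svchost.exe",
     "registry_path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "registry_value_data": "DWORD (0x00000000)"},
    {"process_name": "explorer.exe",
     "registry_path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "registry_value_data": "DWORD (0x00000001)"},
]

# (detection name from the table, type, TargetObject suffix regex, predicate on the DWORD).
# A predicate of None means any write to that value is reported (the WSUS server values
# are strings, and pointing them anywhere is worth a hunt). The thresholds are this
# example's assumptions, not a copy of the published searches.
RULES = [
    ("Windows DisableAntiSpyware Registry", "TTP",
     r"\\Windows Defender\\DisableAntiSpyware$", lambda v: v == 1),
    ("Windows Modify Registry Tamper Protection", "TTP",
     r"\\Windows Defender\\Features\\TamperProtection$", lambda v: v == 0),
    ("Windows Modify Registry Disable WinDefender Notifications", "TTP",
     r"\\Windows Defender Security Center\\Notifications\\DisableNotifications$", lambda v: v == 1),
    ("Windows Modify Registry No Auto Update", "Anomaly",
     r"\\WindowsUpdate\\AU\\NoAutoUpdate$", lambda v: v == 1),
    ("Windows Modify Registry No Auto Reboot With Logon User", "Anomaly",
     r"\\WindowsUpdate\\AU\\NoAutoRebootWithLoggedOnUsers$", lambda v: v == 1),
    ("Windows Modify Registry Auto Minor Updates", "Hunting",
     r"\\WindowsUpdate\\AU\\AutoInstallMinorUpdates$", lambda v: v == 0),
    ("Windows Modify Registry USeWuServer", "Hunting",
     r"\\WindowsUpdate\\AU\\UseWUServer$", lambda v: v == 1),
    ("Windows Modify Registry Do Not Connect To Win Update", "Anomaly",
     r"\\WindowsUpdate\\DoNotConnectToWindowsUpdateInternetLocations$", lambda v: v == 1),
    ("Windows Modify Registry WuServer", "Hunting", r"\\WindowsUpdate\\WUServer$", None),
    ("Windows Modify Registry wuStatusServer", "Hunting", r"\\WindowsUpdate\\WUStatusServer$", None),
    ("Windows Modify Registry UpdateServiceUrlAlternate", "Anomaly",
     r"\\WindowsUpdate\\UpdateServiceUrlAlternate$", None),
]


def parse_dword(data):
    """Sysmon renders DWORDs as 'DWORD (0x00000001)'; return the int, or None for other data."""
    m = re.search(r"0x([0-9a-fA-F]+)", data)
    return int(m.group(1), 16) if m else None


def detect(events):
    """Match each SetValue record against the rules; one hit per (event, rule) pair."""
    hits = []
    for ev in events:
        value = parse_dword(ev["registry_value_data"])
        for name, kind, suffix, pred in RULES:
            if not re.search(suffix, ev["registry_path"], re.IGNORECASE):
                continue
            if pred is not None and (value is None or not pred(value)):
                continue
            hits.append({"detection": name, "type": kind,
                         "process_name": ev["process_name"].lower(),
                         "registry_path": ev["registry_path"],
                         "registry_value_data": ev["registry_value_data"]})
    return hits


def summarize(hits):
    """Count hits per process by type. A process that trips Defender TTPs and Windows
    Update anomalies in one session is running the defense-evasion stage end to end."""
    per_proc = defaultdict(Counter)
    for h in hits:
        per_proc[h["process_name"]][h["type"]] += 1
    return {proc: dict(counts) for proc, counts in per_proc.items()}


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"[{h['type']}] {h['detection']}: {h['process_name']} -> {h['registry_path']}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Two practical caveats. First, hosts managed through WSUS legitimately set WUServer, WUStatusServer and UseWUServer via Group Policy, which is why the table ranks those rows as Hunting; in production, exclude the Group Policy client (the svchost.exe instance writing under Policies) or baseline the expected server URL rather than alerting on any write. Second, the DWORD predicates matter: the svchost.exe event that sets DisableAntiSpyware back to 0 is a remediation, not an attack, and a rule that only matched the value name would fire on it.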
Reference
source | version: 1