Branch was auto-updated.

splunk · Nov 20, 2024 · 81d005a · 81d005a
2 parents d2758c4 + 9f9f527
commit 81d005a
Show file tree

Hide file tree

Showing 12 changed files with 39 additions and 11 deletions.
diff --git a/detections/endpoint/any_powershell_downloadfile.yml b/detections/endpoint/any_powershell_downloadfile.yml
@@ -1,6 +1,6 @@
 name: Any Powershell DownloadFile
 id: 1a93b7ea-7af7-11eb-adb5-acde48001122
-version: 6
+version: 7
 date: '2024-09-30'
 author: Michael Haag, Splunk
 status: production
@@ -36,6 +36,7 @@ tags:
   - Log4Shell CVE-2021-44228
   - Phemedrone Stealer
   - Braodo Stealer
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 70
   cve:

diff --git a/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml b/detections/endpoint/detect_outlook_exe_writing_a_zip_file.yml
@@ -1,6 +1,6 @@
 name: Detect Outlook exe writing a zip file
 id: a51bfe1a-94f0-4822-b1e4-16ae10145893
-version: 6
+version: 7
 date: '2024-10-17'
 author: Bhavin Patel, Splunk
 status: experimental
@@ -17,6 +17,7 @@ tags:
   - Spearphishing Attachments
   - Amadey
   - Remcos
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/powershell_processing_stream_of_data.yml b/detections/endpoint/powershell_processing_stream_of_data.yml
@@ -1,6 +1,6 @@
 name: Powershell Processing Stream Of Data
 id: 0d718b52-c9f1-11eb-bc61-acde48001122
-version: 4
+version: 5
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 status: production
@@ -37,6 +37,7 @@ tags:
   - IcedID
   - MoonPeak
   - Braodo Stealer
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 80
   impact: 50

diff --git a/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml b/detections/endpoint/suspicious_process_dns_query_known_abuse_web_services.yml
@@ -1,6 +1,6 @@
 name: Suspicious Process DNS Query Known Abuse Web Services
 id: 3cf0dc36-484d-11ec-a6bc-acde48001122
-version: 5
+version: 6
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 status: production
@@ -30,6 +30,7 @@ tags:
   - Remcos
   - Phemedrone Stealer
   - Snake Keylogger
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 80
   impact: 80

diff --git a/detections/endpoint/suspicious_process_with_discord_dns_query.yml b/detections/endpoint/suspicious_process_with_discord_dns_query.yml
@@ -1,6 +1,6 @@
 name: Suspicious Process With Discord DNS Query
 id: 4d4332ae-792c-11ec-89c1-acde48001122
-version: 4
+version: 5
 date: '2024-09-30'
 author: Teoderick Contreras, Mauricio Velazco, Splunk
 status: production
@@ -28,6 +28,7 @@ tags:
   analytic_story:
   - Data Destruction
   - WhisperGate
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 80
   impact: 80

diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml
@@ -1,6 +1,6 @@
 name: Windows Credential Access From Browser Password Store
 id: 72013a8e-5cea-408a-9d51-5585386b4d69
-version: 3
+version: 4
 date: '2024-09-30'
 author: Teoderick Contreras, Bhavin Patel Splunk
 data_source:
@@ -28,6 +28,7 @@ tags:
   - Snake Keylogger
   - MoonPeak
   - Braodo Stealer
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome LocalState Access
 id: 3b1d09a8-a26f-473e-a510-6c6613573657
-version: 3
+version: 4
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 status: production
@@ -38,6 +38,7 @@ tags:
   - Snake Keylogger
   - MoonPeak
   - Braodo Stealer
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
@@ -1,6 +1,6 @@
 name: Windows Credentials from Password Stores Chrome Login Data Access
 id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
-version: 3
+version: 4
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 status: production
@@ -38,6 +38,7 @@ tags:
   - Snake Keylogger
   - MoonPeak
   - Braodo Stealer
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 70
   impact: 70

diff --git a/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml b/detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
@@ -1,6 +1,6 @@
 name: Windows Disable or Modify Tools Via Taskkill
 id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
-version: 4
+version: 5
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 status: production
@@ -27,6 +27,7 @@ drilldown_searches:
 tags:
   analytic_story:
   - NjRAT
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 60
   impact: 60

diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml
@@ -1,6 +1,6 @@
 name: Windows Gather Victim Network Info Through Ip Check Web Services
 id: 70f7c952-0758-46d6-9148-d8969c4481d1
-version: 5
+version: 6
 date: '2024-10-17'
 author: Teoderick Contreras, Splunk
 status: production
@@ -20,6 +20,7 @@ tags:
   - Phemedrone Stealer
   - Snake Keylogger
   - Handala Wiper
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 50
   impact: 50

diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
@@ -1,6 +1,6 @@
 name: Windows Non Discord App Access Discord LevelDB
 id: 1166360c-d495-45ac-87a6-8948aac1fa07
-version: 3
+version: 4
 date: '2024-09-30'
 author: Teoderick Contreras, Splunk
 data_source:
@@ -25,6 +25,7 @@ drilldown_searches:
 tags:
   analytic_story:
   - Snake Keylogger
+  - PXA Stealer
   asset_type: Endpoint
   confidence: 30
   impact: 30

diff --git a/stories/pxa_stealer.yml b/stories/pxa_stealer.yml
@@ -0,0 +1,17 @@
+name: PXA Stealer
+id: 66f64651-e4e0-4d3b-8d7d-41d8e598e4e1
+version: 1
+date: '2024-11-18'
+author: Teoderick Contreras, Splunk
+description: This following analytic story contains detections related to the PXA Stealer, a malicious software tool designed to covertly extract sensitive information from infected systems. This data-stealing malware targets credentials, personal data, browsing information, and financial information by exploiting system vulnerabilities or tricking users into downloading it via phishing campaigns or malicious links. PXA Stealer often operates stealthily, bypassing security measures and transmitting stolen data to cybercriminals. Its capabilities make it a significant threat to individuals and organizations, emphasizing the need for robust cybersecurity defenses and awareness.
+narrative: The PXA Stealer initiates its attack in disguise, often concealed within phishing emails or dubious downloads. Once executed, it infiltrates the system undetected, harvesting credentials, financial information, and personal files. Its cunning lies in its ability to evade antivirus software and blend into normal processes. However, its subtle movements leave traces. Unusual system slowdowns, unauthorized login attempts, or increased network activity can indicate its presence. To detect and prevent it, maintain updated antivirus software, enable multi-factor authentication, and avoid clicking on suspicious links or attachments. Vigilance and proactive monitoring are key defenses against this silent intruder.
+references:
+  - https://blog.talosintelligence.com/new-pxa-stealer/
+tags:
+  category:
+  - Malware
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection