Merge pull request #3209 from splunk/pxa_stealer
pxa_stealer
patel-bhavin authored Nov 20, 2024
2 parents 2906695 + ca683cd commit 9f9f527
Showing 12 changed files with 39 additions and 11 deletions.
3 changes: 2 additions & 1 deletion detections/endpoint/any_powershell_downloadfile.yml
@@ -1,6 +1,6 @@
name: Any Powershell DownloadFile
id: 1a93b7ea-7af7-11eb-adb5-acde48001122
version: 6
version: 7
date: '2024-09-30'
author: Michael Haag, Splunk
status: production
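Review bot: the version bump on lines 3-4 of this hunk is not matched by a `date` update; `version` goes from 6 to 7 but `date: '2024-09-30'` is left as the context line shows, so the detection's own metadata says it last changed in September while this PR changes it in November (the new story added in the same commit is dated 2024-11-18). The same version-without-date pattern appears in all eleven detection files touched here, including the two whose date is '2024-10-17'. Suggest setting `date` to the change date alongside each `version` increment so the version/date pair stays consistent for anyone tracking content updates by date.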
@@ -36,6 +36,7 @@ tags:
- Log4Shell CVE-2021-44228
- Phemedrone Stealer
- Braodo Stealer
- PXA Stealer
asset_type: Endpoint
confidence: 70
cve:
@@ -1,6 +1,6 @@
name: Detect Outlook exe writing a zip file
id: a51bfe1a-94f0-4822-b1e4-16ae10145893
version: 6
version: 7
date: '2024-10-17'
author: Bhavin Patel, Splunk
status: experimental
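Review bot: this detection is still `status: experimental` (line 7 of the hunk), whereas every other detection tagged with the PXA Stealer story in this PR is `status: production`. Adding the story tag means the story will list this search as part of its coverage even though it has not been validated to the same bar as the rest. Worth confirming that is intended, or adding the test data needed to promote it to production in the same change.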
@@ -17,6 +17,7 @@ tags:
- Spearphishing Attachments
- Amadey
- Remcos
- PXA Stealer
asset_type: Endpoint
confidence: 50
impact: 50
@@ -1,6 +1,6 @@
name: Powershell Processing Stream Of Data
id: 0d718b52-c9f1-11eb-bc61-acde48001122
version: 4
version: 5
date: '2024-09-30'
author: Teoderick Contreras, Splunk
status: production
@@ -37,6 +37,7 @@ tags:
- IcedID
- MoonPeak
- Braodo Stealer
- PXA Stealer
asset_type: Endpoint
confidence: 80
impact: 50
@@ -1,6 +1,6 @@
name: Suspicious Process DNS Query Known Abuse Web Services
id: 3cf0dc36-484d-11ec-a6bc-acde48001122
version: 5
version: 6
date: '2024-09-30'
author: Teoderick Contreras, Splunk
status: production
@@ -30,6 +30,7 @@ tags:
- Remcos
- Phemedrone Stealer
- Snake Keylogger
- PXA Stealer
asset_type: Endpoint
confidence: 80
impact: 80
@@ -1,6 +1,6 @@
name: Suspicious Process With Discord DNS Query
id: 4d4332ae-792c-11ec-89c1-acde48001122
version: 4
version: 5
date: '2024-09-30'
author: Teoderick Contreras, Mauricio Velazco, Splunk
status: production
@@ -28,6 +28,7 @@ tags:
analytic_story:
- Data Destruction
- WhisperGate
- PXA Stealer
asset_type: Endpoint
confidence: 80
impact: 80
@@ -1,6 +1,6 @@
name: Windows Credential Access From Browser Password Store
id: 72013a8e-5cea-408a-9d51-5585386b4d69
version: 3
version: 4
date: '2024-09-30'
author: Teoderick Contreras, Bhavin Patel Splunk
data_source:
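Review bot: the `author` context line on line 6 of this hunk reads `Teoderick Contreras, Bhavin Patel Splunk`, missing the comma between the second author and the organisation that every other detection in this PR uses (`Bhavin Patel, Splunk`). Since the file is being bumped anyway, fix it here rather than leaving it for a separate change.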
@@ -28,6 +28,7 @@ tags:
- Snake Keylogger
- MoonPeak
- Braodo Stealer
- PXA Stealer
asset_type: Endpoint
confidence: 50
impact: 50
@@ -1,6 +1,6 @@
name: Windows Credentials from Password Stores Chrome LocalState Access
id: 3b1d09a8-a26f-473e-a510-6c6613573657
version: 3
version: 4
date: '2024-09-30'
author: Teoderick Contreras, Splunk
status: production
@@ -38,6 +38,7 @@ tags:
- Snake Keylogger
- MoonPeak
- Braodo Stealer
- PXA Stealer
asset_type: Endpoint
confidence: 50
impact: 50
@@ -1,6 +1,6 @@
name: Windows Credentials from Password Stores Chrome Login Data Access
id: 0d32ba37-80fc-4429-809c-0ba15801aeaf
version: 3
version: 4
date: '2024-09-30'
author: Teoderick Contreras, Splunk
status: production
@@ -38,6 +38,7 @@ tags:
- Snake Keylogger
- MoonPeak
- Braodo Stealer
- PXA Stealer
asset_type: Endpoint
confidence: 70
impact: 70
@@ -1,6 +1,6 @@
name: Windows Disable or Modify Tools Via Taskkill
id: a43ae66f-c410-4b3d-8741-9ce1ad17ddb0
version: 4
version: 5
date: '2024-09-30'
author: Teoderick Contreras, Splunk
status: production
@@ -27,6 +27,7 @@ drilldown_searches:
tags:
analytic_story:
- NjRAT
- PXA Stealer
asset_type: Endpoint
confidence: 60
impact: 60
@@ -1,6 +1,6 @@
name: Windows Gather Victim Network Info Through Ip Check Web Services
id: 70f7c952-0758-46d6-9148-d8969c4481d1
version: 5
version: 6
date: '2024-10-17'
author: Teoderick Contreras, Splunk
status: production
@@ -20,6 +20,7 @@ tags:
- Phemedrone Stealer
- Snake Keylogger
- Handala Wiper
- PXA Stealer
asset_type: Endpoint
confidence: 50
impact: 50
@@ -1,6 +1,6 @@
name: Windows Non Discord App Access Discord LevelDB
id: 1166360c-d495-45ac-87a6-8948aac1fa07
version: 3
version: 4
date: '2024-09-30'
author: Teoderick Contreras, Splunk
data_source:
@@ -25,6 +25,7 @@ drilldown_searches:
tags:
analytic_story:
- Snake Keylogger
- PXA Stealer
asset_type: Endpoint
confidence: 30
impact: 30
17 changes: 17 additions & 0 deletions stories/pxa_stealer.yml
@@ -0,0 +1,17 @@
name: PXA Stealer
id: 66f64651-e4e0-4d3b-8d7d-41d8e598e4e1
version: 1
date: '2024-11-18'
author: Teoderick Contreras, Splunk
description: This following analytic story contains detections related to the PXA Stealer, a malicious software tool designed to covertly extract sensitive information from infected systems. This data-stealing malware targets credentials, personal data, browsing information, and financial information by exploiting system vulnerabilities or tricking users into downloading it via phishing campaigns or malicious links. PXA Stealer often operates stealthily, bypassing security measures and transmitting stolen data to cybercriminals. Its capabilities make it a significant threat to individuals and organizations, emphasizing the need for robust cybersecurity defenses and awareness.
narrative: The PXA Stealer initiates its attack in disguise, often concealed within phishing emails or dubious downloads. Once executed, it infiltrates the system undetected, harvesting credentials, financial information, and personal files. Its cunning lies in its ability to evade antivirus software and blend into normal processes. However, its subtle movements leave traces. Unusual system slowdowns, unauthorized login attempts, or increased network activity can indicate its presence. To detect and prevent it, maintain updated antivirus software, enable multi-factor authentication, and avoid clicking on suspicious links or attachments. Vigilance and proactive monitoring are key defenses against this silent intruder.
references:
- https://blog.talosintelligence.com/new-pxa-stealer/
tags:
category:
- Malware
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection
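Review bot: the `description` and `narrative` fields of the new story do not describe any of the behaviours the eleven detections tagged with it in this PR actually look for. The searches being linked cover PowerShell DownloadFile, IP-check web services, Chrome Login Data and Local State access, Discord LevelDB access, taskkill against security tools, DNS queries to Discord and other abused web services, and Outlook writing a zip file; the narrative instead offers generic indicators such as "Unusual system slowdowns, unauthorized login attempts, or increased network activity" and generic advice such as "maintain updated antivirus software", none of which an analyst can map to the linked content. Suggest rewriting both fields around the specific techniques the referenced Talos post documents and the tagged detections cover, so a reader opening the story from any of those detections sees why it is there. Also, "This following analytic story" on the `description` line should be "The following analytic story".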

0 comments on commit 9f9f527