diff --git a/detections/endpoint/cmd_carry_out_string_command_parameter.yml b/detections/endpoint/cmd_carry_out_string_command_parameter.yml index cbe3fc93a4..3dcb00400f 100644 --- a/detections/endpoint/cmd_carry_out_string_command_parameter.yml +++ b/detections/endpoint/cmd_carry_out_string_command_parameter.yml @@ -1,7 +1,7 @@ name: CMD Carry Out String Command Parameter id: 54a6ed00-3256-11ec-b031-acde48001122 -version: 15 -date: '2025-08-22' +version: 16 +date: '2025-12-16' author: Teoderick Contreras, Bhavin Patel, Splunk status: production type: Hunting @@ -43,6 +43,7 @@ references: - https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ tags: analytic_story: + - StealC Stealer - PlugX - Warzone RAT - Data Destruction diff --git a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml index e0c71a3216..28d5d5db5f 100644 --- a/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml +++ b/detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml @@ -1,7 +1,7 @@ name: Non Chrome Process Accessing Chrome Default Dir id: 81263de4-160a-11ec-944f-acde48001122 -version: 13 -date: '2025-09-30' +version: 14 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,6 +51,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - CISA AA23-347A - Phemedrone Stealer - DarkGate Malware diff --git a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml index 7d28cfcb3d..62198d4eac 100644 --- a/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml +++ b/detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml 
@@ -1,7 +1,7 @@ name: Non Firefox Process Access Firefox Profile Dir id: e6fc13b0-1609-11ec-b533-acde48001122 -version: 13 -date: '2025-09-30' +version: 14 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -50,6 +50,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - DarkGate Malware - CISA AA23-347A - NjRAT diff --git a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml index f4187400f8..8e18b9aee1 100644 --- a/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml +++ b/detections/endpoint/windows_chromium_browser_with_custom_user_data_directory.yml @@ -1,7 +1,7 @@ name: Windows Chromium Browser with Custom User Data Directory id: 4f546cf4-15aa-4368-80f7-940e92bc551e -version: 2 -date: '2025-09-30' +version: 3 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -62,6 +62,7 @@ rba: type: parent_process_name tags: analytic_story: + - StealC Stealer - Malicious Inno Setup Loader - Lokibot asset_type: Endpoint diff --git a/detections/endpoint/windows_credential_access_from_browser_password_store.yml b/detections/endpoint/windows_credential_access_from_browser_password_store.yml index 16d2dd2077..79d210749c 100644 --- a/detections/endpoint/windows_credential_access_from_browser_password_store.yml +++ b/detections/endpoint/windows_credential_access_from_browser_password_store.yml @@ -1,7 +1,7 @@ name: Windows Credential Access From Browser Password Store id: 72013a8e-5cea-408a-9d51-5585386b4d69 -version: 16 -date: '2025-10-14' +version: 17 +date: '2025-12-16' author: Teoderick Contreras, Bhavin Patel Splunk data_source: - Windows Event Log Security 4663 @@ -61,6 +61,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - Salt Typhoon - Earth Alux - Quasar RAT 
diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml index 00ea6dfa36..4c3927cfa7 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Extension Access id: 2e65afe0-9a75-4487-bd87-ada9a9f1b9af -version: 8 -date: '2025-08-22' +version: 9 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -54,6 +54,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - DarkGate Malware - Amadey - Meduza Stealer diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml index b93b5fdaf5..4b40c06594 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml +++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome LocalState Access id: 3b1d09a8-a26f-473e-a510-6c6613573657 -version: 16 -date: '2025-10-14' +version: 17 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -53,6 +53,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - DarkGate Malware - Malicious Inno Setup Loader - NjRAT diff --git a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml index 5f269e3a30..2e9fd571fc 100644 --- a/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml 
+++ b/detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml @@ -1,7 +1,7 @@ name: Windows Credentials from Password Stores Chrome Login Data Access id: 0d32ba37-80fc-4429-809c-0ba15801aeaf -version: 16 -date: '2025-10-14' +version: 17 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -54,6 +54,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - DarkGate Malware - Malicious Inno Setup Loader - NjRAT diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index 6cfac417fd..861f4551c6 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows File Download Via PowerShell id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de -version: 5 -date: '2025-12-04' +version: 6 +date: '2025-12-16' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -108,6 +108,7 @@ tags: - Winter Vivern - XWorm - Tuoni + - StealC Stealer asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index d28f1e20ec..c9bbaa82e8 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -1,7 +1,7 @@ name: Windows MSIExec Remote Download id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda -version: 11 -date: '2025-09-09' +version: 12 +date: '2025-12-16' author: Michael Haag, Splunk status: production type: TTP @@ -83,6 +83,7 @@ tags: - Windows System Binary Proxy Execution MSIExec - Water Gamayun - Cisco Network Visibility Module Analytics + - StealC Stealer asset_type: Endpoint mitre_attack_id: - T1218.007 
diff --git a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml index 20ac6ffcbb..f744235e19 100644 --- a/detections/endpoint/windows_msiexec_spawn_discovery_command.yml +++ b/detections/endpoint/windows_msiexec_spawn_discovery_command.yml @@ -1,7 +1,7 @@ name: Windows MSIExec Spawn Discovery Command id: e9d05aa2-32f0-411b-930c-5b8ca5c4fcee -version: 10 -date: '2025-05-02' +version: 11 +date: '2025-12-16' author: Michael Haag, Splunk status: production type: TTP @@ -82,6 +82,7 @@ tags: - Windows System Binary Proxy Execution MSIExec - Medusa Ransomware - Water Gamayun + - StealC Stealer asset_type: Endpoint mitre_attack_id: - T1218.007 diff --git a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml index 5afc088ecd..9d95cdeb47 100644 --- a/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml +++ b/detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml @@ -1,7 +1,7 @@ name: Windows Non Discord App Access Discord LevelDB id: 1166360c-d495-45ac-87a6-8948aac1fa07 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-12-16' author: Teoderick Contreras, Splunk data_source: - Windows Event Log Security 4663 @@ -50,6 +50,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - Snake Keylogger - PXA Stealer asset_type: Endpoint diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml index c370acf1f9..c753640e53 100644 --- a/detections/endpoint/windows_process_execution_from_programdata.yml +++ b/detections/endpoint/windows_process_execution_from_programdata.yml 
@@ -1,7 +1,7 @@ name: Windows Process Execution From ProgramData id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0 -version: '5' -date: '2025-09-18' +version: 6 +date: '2025-12-15' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -67,6 +67,7 @@ rba: type: parent_process_name tags: analytic_story: + - StealC Stealer - SnappyBee - XWorm - Salt Typhoon diff --git a/detections/endpoint/windows_query_registry_uninstall_program_list.yml b/detections/endpoint/windows_query_registry_uninstall_program_list.yml index 2289f76f19..69ebada9b6 100644 --- a/detections/endpoint/windows_query_registry_uninstall_program_list.yml +++ b/detections/endpoint/windows_query_registry_uninstall_program_list.yml @@ -1,7 +1,7 @@ name: Windows Query Registry UnInstall Program List id: 535fd4fc-7151-4062-9d7e-e896bea77bf6 -version: 6 -date: '2025-05-02' +version: 7 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -48,6 +48,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - RedLine Stealer - Meduza Stealer asset_type: Endpoint diff --git a/detections/endpoint/windows_screen_capture_in_temp_folder.yml b/detections/endpoint/windows_screen_capture_in_temp_folder.yml index e18dd85c11..e1559c00af 100644 --- a/detections/endpoint/windows_screen_capture_in_temp_folder.yml +++ b/detections/endpoint/windows_screen_capture_in_temp_folder.yml @@ -1,7 +1,7 @@ name: Windows Screen Capture in TEMP folder id: 00524d1f-a032-46f5-9108-e7d9f01bfb3c -version: 7 -date: '2025-10-14' +version: 8 +date: '2025-12-16' author: Teoderick Contreras, Splunk data_source: - Sysmon EventID 11 @@ -55,6 +55,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - Crypto Stealer - Braodo Stealer - APT37 Rustonotto and FadeStealer diff --git a/detections/endpoint/windows_suspicious_process_file_path.yml b/detections/endpoint/windows_suspicious_process_file_path.yml index 5896e7591d..1ae1086a12 100644 
--- a/detections/endpoint/windows_suspicious_process_file_path.yml +++ b/detections/endpoint/windows_suspicious_process_file_path.yml @@ -1,7 +1,7 @@ name: Windows Suspicious Process File Path id: ecddae4e-3d4b-41e2-b3df-e46a88b38521 -version: 17 -date: '2025-10-31' +version: 18 +date: '2025-12-15' author: Teoderick Contreras, Splunk status: production type: TTP @@ -76,6 +76,7 @@ rba: type: process_name tags: analytic_story: + - StealC Stealer - PlugX - Water Gamayun - Warzone RAT diff --git a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml index 5d321d9721..d7a6740bcd 100644 --- a/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml +++ b/detections/endpoint/windows_unsecured_outlook_credentials_access_in_registry.yml @@ -1,7 +1,7 @@ name: Windows Unsecured Outlook Credentials Access In Registry id: 36334123-077d-47a2-b70c-6c7b3cc85049 -version: 8 -date: '2025-09-30' +version: 9 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -54,6 +54,7 @@ rba: threat_objects: [] tags: analytic_story: + - StealC Stealer - Snake Keylogger - Meduza Stealer - 0bj3ctivity Stealer diff --git a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml index 13afd14d81..1795010c85 100644 --- a/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml +++ b/detections/endpoint/windows_unusual_process_load_mozilla_nss_mozglue_module.yml @@ -1,7 +1,7 @@ name: Windows Unusual Process Load Mozilla NSS-Mozglue Module id: 1a7e7650-b81d-492e-99d4-d5ab633afbdd -version: 3 -date: '2025-09-30' +version: 4 +date: '2025-12-16' author: Teoderick Contreras, Splunk status: production type: Anomaly 
@@ -65,6 +65,7 @@ rba: type: process_name tags: analytic_story: + - StealC Stealer - Quasar RAT - 0bj3ctivity Stealer - Lokibot diff --git a/stories/stealc_stealer.yml b/stories/stealc_stealer.yml new file mode 100644 index 0000000000..5e0f0f7a7e --- /dev/null +++ b/stories/stealc_stealer.yml 
@@ -0,0 +1,20 @@ +name: StealC Stealer +id: ffe19aee-edd5-4065-871c-bafb681dd7a5 +version: 1 +date: '2025-12-15' +author: Teoderick Contreras, Splunk +status: production +description: StealC is a lightweight information-stealing malware primarily focused on harvesting browser-stored data. It targets popular browsers such as Chrome, Edge, Firefox, and Chromium-based variants to extract saved credentials, cookies, autofill data, browsing history, and session tokens. StealC abuses browser SQLite databases and encryption APIs to decrypt stored passwords, enabling account takeover and further compromise. The malware often runs silently in user context, evading detection through minimal footprint, obfuscation, and rapid data exfiltration to command-and-control servers. Detection typically involves monitoring unauthorized access to browser profile directories, suspicious process behavior interacting with browser credential stores, and outbound network traffic to known StealC infrastructure. +narrative: StealC emerged as a malware-as-a-service information stealer designed to provide cybercriminals with an easy and low-cost way to harvest sensitive user data. First observed in the wild in the early 2020s, specifically in 2023, it gained popularity due to its simplicity, reliability, and focus on browser-stored information. StealC primarily targets credentials, cookies, and session data from widely used browsers, enabling account hijacking and follow-on attacks. Its modular design and frequent updates allow operators to adapt quickly, making StealC a common payload in phishing campaigns, cracked software installers, and malicious downloads distributed across multiple threat ecosystems. +references: +- https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc +tags: + category: + - Data Destruction + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file
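Review bot: The new story's `tags.category` lists `- Data Destruction`, which does not fit a malware family whose own description covers only credential, cookie and session theft; it reads like a carry-over from a sibling story (the `Data Destruction` story is tagged on the first detection in this diff) and will misfile StealC in category-based views, so drop it and keep `- Malware` and `- Adversary Tactics`. In the narrative, `First observed in the wild in the early 2020s, specifically in 2023` is redundant; `First observed in the wild in 2023` says the same thing and matches the Malpedia reference as far as it goes. The description also names outbound traffic to known StealC infrastructure as a detection avenue, yet every analytic tagged with this story in the diff is endpoint-based, so either map a network analytic or qualify that sentence to the coverage actually provided. The file is also missing its trailing newline, which the repo's other YAML files carry.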