Merge PR #5429 from @swachchhanda000 - Katz stealer malware

new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Swachchhanda Shrawan Poudel
2025-05-26 14:18:24 +05:45
committed by GitHub
parent 5f894dfa0b
commit 585bd7d487
7 changed files with 388 additions and 13 deletions
@@ -0,0 +1,32 @@
title: DNS Query To Katz Stealer Domains
id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
related:
- id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
type: similar
status: experimental
description: |
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
references:
- Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.command-and-control
- attack.t1071.004
- detection.emerging-threats
logsource:
product: windows
category: dns_query
detection:
selection:
QueryName|contains:
- 'katz-panel.com'
- 'katz-stealer.com'
- 'katzstealer.com'
- 'twist2katz.com'
condition: selection
falsepositives:
- Unlikely
level: high
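Review bot: `QueryName|contains` with a bare registrable domain such as 'katz-panel.com' also fires on any longer name that merely embeds the string (for example a host under a different suffix such as katz-panel.com.example), so `QueryName|endswith` on the same four values is the tighter choice; it still covers subdomains like c2.katz-panel.com while no longer matching arbitrary embeddings. If `contains` is kept on purpose, say so in the description.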
@@ -0,0 +1,27 @@
title: Katz Stealer DLL Loaded
id: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
status: experimental
description: |
Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
The process that loads these DLLs are very likely to be malicious.
references:
- Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.execution
- attack.t1129
- detection.emerging-threats
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\katz_ontop.dll'
- '\AppData\Local\Temp\received_dll.dll'
condition: selection
falsepositives:
- Unlikely
level: high
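Review bot: '\AppData\Local\Temp\received_dll.dll' is a generic file name rather than a family-specific artifact, so pairing it with `level: high` and `falsepositives: Unlikely` looks optimistic; either state in the description why this exact path is tied to Katz Stealer or drop the level for that entry's sake. Also fix the grammar in the description: 'The process that loads these DLLs are very likely to be malicious' should read 'is very likely to be malicious'.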
@@ -0,0 +1,31 @@
title: DNS Query To Katz Stealer Domains - Network
id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
related:
- id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
type: similar
status: experimental
description: |
Detects DNS queries to domains associated with Katz Stealer malware.
Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
references:
- Internal research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.command-and-control
- attack.t1071.004
- detection.emerging-threats
logsource:
category: dns
detection:
selection:
query|contains:
- 'katz-panel.com'
- 'katz-stealer.com'
- 'katzstealer.com'
- 'twist2katz.com'
condition: selection
falsepositives:
- Unlikely
level: high
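Review bot: same suffix-anchoring concern as the Windows variant: `query|contains: 'katz-panel.com'` also matches longer names that embed the string, so `query|endswith` (which still covers subdomains) is the tighter choice and keeps the two rules consistent. Minor: the reference reads 'Internal research' here but 'Internal Research' in the sibling rule 9c3d6e32; use one spelling.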
@@ -0,0 +1,23 @@
title: Katz Stealer Suspicious User-Agent
id: 834c6d2f-5e98-4b2a-b453-0c4f234afedd
status: experimental
description: |
Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
references:
- Internal Research
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.command-and-control
- attack.t1071.001
- detection.emerging-threats
logsource:
product: zeek
service: http
detection:
selection:
user_agent|contains: 'katz-ontop'
condition: selection
falsepositives:
- Unlikely
level: high
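Review bot: the user-agent token 'katz-ontop' is the same artifact name as the '\katz_ontop.dll' image in e6c7ab7c (Katz Stealer DLL Loaded), so add a `related:` entry linking the two rules the way the DNS pair already does; an analyst pivoting from one alert to the other otherwise has to find the connection by hand.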
@@ -0,0 +1,202 @@
title: Suspicious File Access to Browser Credential Storage
id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
status: experimental
description: |
Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
This behavior is often commonly observed in credential stealing malware.
references:
- https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
- https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
date: 2025-05-22
tags:
- attack.credential-access
- attack.t1555.003
- attack.discovery
- attack.t1217
logsource:
category: file_access
product: windows
detection:
selection_browser_paths:
FileName|contains:
- '\Sputnik\Sputnik'
- '\MapleStudio\ChromePlus'
- '\QIP Surf'
- '\BlackHawk'
- '\7Star\7Star'
- '\CatalinaGroup\Citrio'
- '\Google\Chrome'
- '\Coowon\Coowon'
- '\CocCoc\Browser'
- '\uCozMedia\Uran'
- '\Tencent\QQBrowser'
- '\Orbitum'
- '\Slimjet'
- '\Iridium'
- '\Vivaldi'
- '\Chromium'
- '\GhostBrowser'
- '\CentBrowser'
- '\Xvast'
- '\Chedot'
- '\SuperBird'
- '\360Browser\Browser'
- '\360Chrome\Chrome'
- '\Comodo\Dragon'
- '\BraveSoftware\Brave-Browser'
- '\Torch'
- '\UCBrowser\'
- '\Blisk'
- '\Epic Privacy Browser'
- '\Nichrome'
- '\Amigo'
- '\Kometa'
- '\Xpom'
- '\Microsoft\Edge'
- '\Liebao7Default\EncryptedStorage'
- '\AVAST Software\Browser'
- '\Kinza'
- '\Mozilla\SeaMonkey\'
- '\Comodo\IceDragon\'
- '\8pecxstudios\Cyberfox\'
- '\FlashPeak\SlimBrowser\'
- '\Moonchild Productions\Pale Moon\'
selection_browser_subpaths:
FileName|contains:
- '\Profiles\'
- '\User Data'
selection_cred_files:
- FileName|contains:
- '\Login Data'
- '\Cookies'
- '\EncryptedStorage'
- '\WebCache\'
- FileName|endswith:
- 'cert9.db'
- 'cookies.sqlite'
- 'formhistory.sqlite'
- 'key3.db'
- 'key4.db'
- 'Login Data.sqlite'
- 'logins.json'
- 'places.sqlite'
filter_main_img:
Image|endswith:
- '\Sputnik.exe'
- '\ChromePlus.exe'
- '\QIP Surf.exe'
- '\BlackHawk.exe'
- '\7Star.exe'
- '\Sleipnir5.exe'
- '\Citrio.exe'
- '\Chrome SxS.exe'
- '\Chrome.exe'
- '\Coowon.exe'
- '\CocCocBrowser.exe'
- '\Uran.exe'
- '\QQBrowser.exe'
- '\Orbitum.exe'
- '\Slimjet.exe'
- '\Iridium.exe'
- '\Vivaldi.exe'
- '\Chromium.exe'
- '\GhostBrowser.exe'
- '\CentBrowser.exe'
- '\Xvast.exe'
- '\Chedot.exe'
- '\SuperBird.exe'
- '\360Browser.exe'
- '\360Chrome.exe'
- '\dragon.exe'
- '\brave.exe'
- '\torch.exe'
- '\UCBrowser.exe'
- '\BliskBrowser.exe'
- '\Epic Privacy Browser.exe'
- '\nichrome.exe'
- '\AmigoBrowser.exe'
- '\KometaBrowser.exe'
- '\XpomBrowser.exe'
- '\msedge.exe'
- '\LiebaoBrowser.exe'
- '\AvastBrowser.exe'
- '\Kinza.exe'
- '\seamonkey.exe'
- '\icedragon.exe'
- '\cyberfox.exe'
- '\SlimBrowser.exe'
- '\palemoon.exe'
filter_main_path:
Image|contains:
- '\Sputnik\'
- '\MapleStudio\'
- '\QIP Surf\'
- '\BlackHawk\'
- '\7Star\'
- '\Fenrir Inc\'
- '\CatalinaGroup\'
- '\Google\'
- '\Coowon\'
- '\CocCoc\'
- '\uCozMedia\'
- '\Tencent\'
- '\Orbitum\'
- '\Slimjet\'
- '\Iridium\'
- '\Vivaldi\'
- '\Chromium\'
- '\GhostBrowser\'
- '\CentBrowser\'
- '\Xvast\'
- '\Chedot\'
- '\SuperBird\'
- '\360Browser\'
- '\360Chrome\'
- '\Comodo\'
- '\BraveSoftware\'
- '\Torch\'
- '\UCBrowser\'
- '\Blisk\'
- '\Epic Privacy Browser\'
- '\Nichrome\'
- '\Amigo\'
- '\Kometa\'
- '\Xpom\'
- '\Microsoft\'
- '\Liebao7\'
- '\AVAST Software\'
- '\Kinza\'
- '\Mozilla\'
- '\8pecxstudios\'
- '\FlashPeak\'
- '\Moonchild Productions\'
filter_main_system:
Image: System
ParentImage: Idle
filter_main_generic:
Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
filter_optional_defender:
Image|contains: '\Microsoft\Windows Defender\'
Image|endswith:
- '\MpCopyAccelerator.exe'
- '\MsMpEng.exe'
filter_optional_thor:
Image|endswith:
- '\thor.exe'
- '\thor64.exe'
filter_optional_msiexec:
ParentImage: 'C:\Windows\System32\msiexec.exe'
filter_optional_other:
Image|endswith: '\everything.exe'
condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
- Antivirus, Anti-Spyware, Anti-Malware Software
- Legitimate software accessing browser data for synchronization or backup purposes.
- Legitimate software installed on partitions other than "C:\"
level: low
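Review bot: because the condition uses `not 1 of filter_main_*`, every filter stands on its own, so `filter_main_path` with `Image|contains: '\Microsoft\'`, '\Google\' or '\Mozilla\' alone excludes any executable whose path merely passes through that vendor folder, including binaries staged under a user's AppData\Local\Microsoft\ or AppData\Local\Google\ tree, which is exactly where the profile data being monitored lives. Consider folding `filter_main_img` and `filter_main_path` into one filter so that both the executable name and the vendor directory must match, or removing the broad vendor-only entries. Separately, `filter_main_system` keys on `ParentImage: Idle`, a field that not every file_access source carries; confirm the backends you target populate it, otherwise that filter never matches and `Image: System` events are not excluded as intended.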
@@ -3,6 +3,8 @@ id: 87a476dc-0079-4583-a985-dee7a20a03de
related:
- id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
type: derived
- id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
type: similar
status: test
description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
references:
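Review bot: while this hunk touches the rule header, fix the grammar on the unchanged description line just below the new `related` entry: 'registry keys that holds credentials' should be 'registry keys that hold credentials'.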
@@ -12,6 +14,7 @@ references:
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-06-20
modified: 2025-05-22
tags:
- attack.credential-access
- attack.t1552.002
@@ -21,24 +24,30 @@ logsource:
detection:
selection:
CommandLine|contains: # Add more paths as they are discovered
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\\SimonTatham\PuTTY\SshHostKeys\'
- '\Software\Mobatek\MobaXterm\'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
- '\Software\Aerofox\FoxmailPreview'
- '\Software\Aerofox\Foxmail\V3.1'
- '\Software\IncrediMail\Identities'
- '\Software\Qualcomm\Eudora\CommandLine'
- '\Software\RimArts\B2\Settings'
- '\Software\OpenVPN-GUI\configs'
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
- '\Software\FTPWare\COREFTP\Sites'
- '\Software\Aerofox\FoxmailPreview'
- '\Software\DownloadManager\Passwords'
- '\Software\FTPWare\COREFTP\Sites'
- '\Software\IncrediMail\Identities'
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
- '\Software\Mobatek\MobaXterm\'
- '\Software\OpenSSH\Agent\Keys'
- '\Software\TightVNC\Server'
- '\Software\OpenVPN-GUI\configs'
- '\Software\ORL\WinVNC3\Password'
- '\Software\Qualcomm\Eudora\CommandLine'
- '\Software\RealVNC\WinVNC4'
condition: selection
- '\Software\RimArts\B2\Settings'
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\SimonTatham\PuTTY\SshHostKeys\'
- '\Software\Sota\FFFTP'
- '\Software\TightVNC\Server'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
filter_main_other_rule: # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
Image|endswith: 'reg.exe'
CommandLine|contains:
- 'export'
- 'save'
condition: selection and not 1 of filter_main_*
falsepositives:
- Unknown
level: medium
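Review bot: `Image|endswith: 'reg.exe'` in `filter_main_other_rule` lacks the leading backslash that the companion rule cc1abf27 uses (`'\reg.exe'`), so an image whose name merely ends in reg.exe (without a matching OriginalFileName) is filtered out of this rule here yet never picked up by the other one; use `'\reg.exe'` so the two rules stay complementary. The reordered path list also keeps trailing backslashes on '\Software\Mobatek\MobaXterm\' and '\Software\SimonTatham\PuTTY\SshHostKeys\' while cc1abf27 lists both without; since `contains` is used, dropping the trailing backslash in both rules makes the lists identical and easier to keep in sync.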
@@ -0,0 +1,51 @@
title: Registry Export of Third-Party Credentials
id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
related:
- id: 87a476dc-0079-4583-a985-dee7a20a03de
type: similar
status: experimental
description: |
Detects the use of reg.exe to export registry paths associated with third-party credentials.
Credential stealers have been known to use this technique to extract sensitive information from the registry.
references:
- https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-05-22
tags:
- attack.credential-access
- attack.t1552.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\reg.exe'
- OriginalFileName: 'reg.exe'
selection_cli_save:
CommandLine|contains:
- 'save'
- 'export'
selection_cli_path:
CommandLine|contains:
- '\Software\Aerofox\Foxmail\V3.1'
- '\Software\Aerofox\FoxmailPreview'
- '\Software\DownloadManager\Passwords'
- '\Software\FTPWare\COREFTP\Sites'
- '\Software\IncrediMail\Identities'
- '\Software\Martin Prikryl\WinSCP 2\Sessions'
- '\Software\Mobatek\MobaXterm'
- '\Software\OpenSSH\Agent\Keys'
- '\Software\OpenVPN-GUI\configs'
- '\Software\ORL\WinVNC3\Password'
- '\Software\Qualcomm\Eudora\CommandLine'
- '\Software\RealVNC\WinVNC4'
- '\Software\RimArts\B2\Settings'
- '\Software\SimonTatham\PuTTY\Sessions'
- '\Software\SimonTatham\PuTTY\SshHostKeys'
- '\Software\Sota\FFFTP'
- '\Software\TightVNC\Server'
- '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
condition: all of selection_*
falsepositives:
- Unknown
level: high
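Review bot: `selection_cli_save` matches 'save' and 'export' as bare substrings, so a plain `reg query` against one of the listed keys whose command line happens to contain 'save' elsewhere (for example a redirect into a folder named saved) also satisfies this rule and alerts at `level: high` instead of falling to 87a476dc; consider anchoring on the verb, e.g. `CommandLine|contains: ' save '` and `' export '`, or documenting the overlap. `falsepositives: Unknown` could also name the obvious case, administrators exporting application settings with reg export for backup or migration, so analysts know what to check. The path list should mirror 87a476dc exactly (see the trailing-backslash differences on MobaXterm and SshHostKeys) so the two rules partition the same events.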