From 585bd7d487fa7cdeb535d4eb22abb2a4da5d599e Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Mon, 26 May 2025 14:18:24 +0545
Subject: [PATCH] Merge PR #5429 from @swachchhanda000 - Katz stealer malware

new: DNS Query To Katz Stealer Domains
new: Katz Stealer DLL Loaded
new: DNS Query To Katz Stealer Domains - Network
new: Katz Stealer Suspicious User-Agent
new: Suspicious File Access to Browser Credential Storage
new: Registry Export of Third-Party Credentials
update: Enumeration for 3rd Party Creds From CLI - Updated the condition to update FP

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../dns_query_win_katz_stealer_domain.yml | 32 +++
 .../image_load_win_katz_stealer_payloads.yml | 27 +++
 .../net_dns_katz_stealer_domain.yml | 31 +++
 .../zeek_http_katz_stealer_susp_useragent.yml | 23 ++
 ...susp_process_access_browser_cred_files.yml | 202 ++++++++++++++++++
 ...gistry_enumeration_for_credentials_cli.yml | 35 +-
 ...in_registry_export_of_thirdparty_creds.yml | 51 +++++
 7 files changed, 388 insertions(+), 13 deletions(-)
 create mode 100644 rules-emerging-threats/2025/Malware/Katz-Stealer/dns_query_win_katz_stealer_domain.yml
 create mode 100644 rules-emerging-threats/2025/Malware/Katz-Stealer/image_load_win_katz_stealer_payloads.yml
 create mode 100644 rules-emerging-threats/2025/Malware/Katz-Stealer/net_dns_katz_stealer_domain.yml
 create mode 100644 rules-emerging-threats/2025/Malware/Katz-Stealer/zeek_http_katz_stealer_susp_useragent.yml
 create mode 100644 rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml
diff --git a/rules-emerging-threats/2025/Malware/Katz-Stealer/dns_query_win_katz_stealer_domain.yml b/rules-emerging-threats/2025/Malware/Katz-Stealer/dns_query_win_katz_stealer_domain.yml
new file mode 100644
index 000000000..74dba5291
--- /dev/null
+++ b/rules-emerging-threats/2025/Malware/Katz-Stealer/dns_query_win_katz_stealer_domain.yml
@@ -0,0 +1,32 @@
+title: DNS Query To Katz Stealer Domains
+id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
+related:
+    - id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
+      type: similar
+status: experimental
+description: |
+    Detects DNS queries to domains associated with Katz Stealer malware.
+    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+    In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
+references:
+    - Internal Research
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-22
+tags:
+    - attack.command-and-control
+    - attack.t1071.004
+    - detection.emerging-threats
+logsource:
+    product: windows
+    category: dns_query
+detection:
+    selection:
+        QueryName|contains:
+            - 'katz-panel.com'
+            - 'katz-stealer.com'
+            - 'katzstealer.com'
+            - 'twist2katz.com'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2025/Malware/Katz-Stealer/image_load_win_katz_stealer_payloads.yml b/rules-emerging-threats/2025/Malware/Katz-Stealer/image_load_win_katz_stealer_payloads.yml
new file mode 100644
index 000000000..539116d74
--- /dev/null
+++ b/rules-emerging-threats/2025/Malware/Katz-Stealer/image_load_win_katz_stealer_payloads.yml
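Review bot: `QueryName|contains` on bare registrable domains in the selection fires on any query whose name merely embeds the string, so an unrelated lookup such as `notkatzstealer.com` or `katz-panel.com.example.net` matches; since the four indicators are complete domains, an exact match plus a dot-prefixed suffix keeps subdomain coverage without the substring overreach. The two alternatives are OR-ed via a list of maps, so the condition line is unchanged. `references: - Internal Research` gives an analyst no way to confirm which of these are C2 panels versus the seller's public site; if that distinction is known it belongs in the description, since a researcher browsing the vendor page would trigger the same high-level alert.

```yaml
detection:
    selection:
        - QueryName:
              - 'katz-panel.com'
              - 'katz-stealer.com'
              - 'katzstealer.com'
              - 'twist2katz.com'
        - QueryName|endswith:
              - '.katz-panel.com'
              - '.katz-stealer.com'
              - '.katzstealer.com'
              - '.twist2katz.com'
    condition: selection
```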
@@ -0,0 +1,27 @@
+title: Katz Stealer DLL Loaded
+id: e6c7ab7c-c79d-4b84-b913-b2ec3f8e8a98
+status: experimental
+description: |
+    Detects loading of DLLs associated with Katz Stealer malware 2025 variants.
+    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+    The process that loads these DLLs are very likely to be malicious.
+references:
+    - Internal Research
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-22
+tags:
+    - attack.execution
+    - attack.t1129
+    - detection.emerging-threats
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\katz_ontop.dll'
+            - '\AppData\Local\Temp\received_dll.dll'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2025/Malware/Katz-Stealer/net_dns_katz_stealer_domain.yml b/rules-emerging-threats/2025/Malware/Katz-Stealer/net_dns_katz_stealer_domain.yml
new file mode 100644
index 000000000..1c335b020
--- /dev/null
+++ b/rules-emerging-threats/2025/Malware/Katz-Stealer/net_dns_katz_stealer_domain.yml
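Review bot: The selection keys only on operator-chosen file names, so a build that renames `katz_ontop.dll` or `received_dll.dll` evades the rule entirely; the description should say the indicator is name-based, and if hashes or Imphash values for these DLLs are available from the internal research they would be a much sturdier second selection. The two entries are also asymmetric — `received_dll.dll` is anchored to `\AppData\Local\Temp\` while `katz_ontop.dll` matches any path — and a one-line comment on the list saying whether that is deliberate (presumably the Temp entry is the first-stage download location) would stop the next maintainer from "fixing" it. The description sentence should read `The process that loads these DLLs is very likely malicious.` Since the Zeek rule 834c6d2f-… in this PR keys on the same `katz-ontop` string, a `related:` entry of `type: similar` pointing at it would document the link.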
@@ -0,0 +1,31 @@
+title: DNS Query To Katz Stealer Domains - Network
+id: 6b0c762f-0e1b-435f-a829-5943b08fe36a
+related:
+    - id: 9c3d6e32-f4c8-4d73-8b8f-95c3b383a13c
+      type: similar
+status: experimental
+description: |
+    Detects DNS queries to domains associated with Katz Stealer malware.
+    Katz Stealer is a malware variant that is known to be used for stealing sensitive information from compromised systems.
+    In Enterprise environments, DNS queries to these domains may indicate potential malicious activity or compromise.
+references:
+    - Internal research
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-22
+tags:
+    - attack.command-and-control
+    - attack.t1071.004
+    - detection.emerging-threats
+logsource:
+    category: dns
+detection:
+    selection:
+        query|contains:
+            - 'katz-panel.com'
+            - 'katz-stealer.com'
+            - 'katzstealer.com'
+            - 'twist2katz.com'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
diff --git a/rules-emerging-threats/2025/Malware/Katz-Stealer/zeek_http_katz_stealer_susp_useragent.yml b/rules-emerging-threats/2025/Malware/Katz-Stealer/zeek_http_katz_stealer_susp_useragent.yml
new file mode 100644
index 000000000..c086ac7bf
--- /dev/null
+++ b/rules-emerging-threats/2025/Malware/Katz-Stealer/zeek_http_katz_stealer_susp_useragent.yml
@@ -0,0 +1,23 @@
+title: Katz Stealer Suspicious User-Agent
+id: 834c6d2f-5e98-4b2a-b453-0c4f234afedd
+status: experimental
+description: |
+    Detects network connections with a suspicious user-agent string containing "katz-ontop", which may indicate Katz Stealer activity.
+references:
+    - Internal Research
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-22
+tags:
+    - attack.command-and-control
+    - attack.t1071.001
+    - detection.emerging-threats
+logsource:
+    product: zeek
+    service: http
+detection:
+    selection:
+        user_agent|contains: 'katz-ontop'
+    condition: selection
+falsepositives:
+    - Unlikely
+level: high
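Review bot: The four domains under `query|contains` are a verbatim copy of the list in the host-side sibling 9c3d6e32-… (dns_query_win_katz_stealer_domain.yml), and nothing ties the two together beyond the `related:` entry, so an indicator added to one file will silently diverge from the other; a comment on the list in both files, `# keep in sync with dns_query_win_katz_stealer_domain.yml`, is the cheapest guard. The same substring caveat applies here as there: `contains` on a bare apex domain also fires on names that merely embed it, so an exact match plus a dot-prefixed `endswith` would be tighter. Minor: `- Internal research` is cased differently from the sibling's `- Internal Research`.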
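Review bot: `user_agent` in Zeek's http log is only populated for cleartext HTTP or for TLS that is decrypted in front of the sensor, so a sample that talks HTTPS to its panel leaves nothing for this rule to match; the description should state that scope so an empty result is not read as absence of the malware, e.g. append `Only effective for cleartext HTTP or TLS-inspected traffic; the image_load rule e6c7ab7c-… provides host-side coverage.` A `related:` entry to e6c7ab7c-… of `type: similar` would also record that `katz-ontop` is presumably the same artifact name seen in `katz_ontop.dll`, which I infer from the two rules rather than from any reference in the hunk.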
diff --git a/rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml b/rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml
new file mode 100644
index 000000000..fc33d6b65
--- /dev/null
+++ b/rules/windows/file/file_access/file_access_win_susp_process_access_browser_cred_files.yml
@@ -0,0 +1,202 @@
+title: Suspicious File Access to Browser Credential Storage
+id: a1dfd976-4852-41d4-9507-dc6590a3ccd0
+status: experimental
+description: |
+    Detects file access to browser credential storage paths by non-browser processes, which may indicate credential access attempts.
+    Adversaries may attempt to access browser credential storage to extract sensitive information such as usernames and passwords or cookies.
+    This behavior is often commonly observed in credential stealing malware.
+references:
+    - https://github.com/splunk/security_content/blob/7283ba3723551f46b69dfeb23a63b358afb2cb0e/lookups/browser_app_list.csv?plain=1
+    - https://fourcore.io/blogs/threat-hunting-browser-credential-stealing
+author: frack113, X__Junior (Nextron Systems), Swachchhanda Shrawan Poudel (Nextron Systems), Parth-FourCore
+date: 2025-05-22
+tags:
+    - attack.credential-access
+    - attack.t1555.003
+    - attack.discovery
+    - attack.t1217
+logsource:
+    category: file_access
+    product: windows
+detection:
+    selection_browser_paths:
+        FileName|contains:
+            - '\Sputnik\Sputnik'
+            - '\MapleStudio\ChromePlus'
+            - '\QIP Surf'
+            - '\BlackHawk'
+            - '\7Star\7Star'
+            - '\CatalinaGroup\Citrio'
+            - '\Google\Chrome'
+            - '\Coowon\Coowon'
+            - '\CocCoc\Browser'
+            - '\uCozMedia\Uran'
+            - '\Tencent\QQBrowser'
+            - '\Orbitum'
+            - '\Slimjet'
+            - '\Iridium'
+            - '\Vivaldi'
+            - '\Chromium'
+            - '\GhostBrowser'
+            - '\CentBrowser'
+            - '\Xvast'
+            - '\Chedot'
+            - '\SuperBird'
+            - '\360Browser\Browser'
+            - '\360Chrome\Chrome'
+            - '\Comodo\Dragon'
+            - '\BraveSoftware\Brave-Browser'
+            - '\Torch'
+            - '\UCBrowser\'
+            - '\Blisk'
+            - '\Epic Privacy Browser'
+            - '\Nichrome'
+            - '\Amigo'
+            - '\Kometa'
+            - '\Xpom'
+            - '\Microsoft\Edge'
+            - '\Liebao7Default\EncryptedStorage'
+            - '\AVAST Software\Browser'
+            - '\Kinza'
+            - '\Mozilla\SeaMonkey\'
+            - '\Comodo\IceDragon\'
+            - '\8pecxstudios\Cyberfox\'
+            - '\FlashPeak\SlimBrowser\'
+            - '\Moonchild Productions\Pale Moon\'
+    selection_browser_subpaths:
+        FileName|contains:
+            - '\Profiles\'
+            - '\User Data'
+    selection_cred_files:
+        - FileName|contains:
+              - '\Login Data'
+              - '\Cookies'
+              - '\EncryptedStorage'
+              - '\WebCache\'
+        - FileName|endswith:
+              - 'cert9.db'
+              - 'cookies.sqlite'
+              - 'formhistory.sqlite'
+              - 'key3.db'
+              - 'key4.db'
+              - 'Login Data.sqlite'
+              - 'logins.json'
+              - 'places.sqlite'
+    filter_main_img:
+        Image|endswith:
+            - '\Sputnik.exe'
+            - '\ChromePlus.exe'
+            - '\QIP Surf.exe'
+            - '\BlackHawk.exe'
+            - '\7Star.exe'
+            - '\Sleipnir5.exe'
+            - '\Citrio.exe'
+            - '\Chrome SxS.exe'
+            - '\Chrome.exe'
+            - '\Coowon.exe'
+            - '\CocCocBrowser.exe'
+            - '\Uran.exe'
+            - '\QQBrowser.exe'
+            - '\Orbitum.exe'
+            - '\Slimjet.exe'
+            - '\Iridium.exe'
+            - '\Vivaldi.exe'
+            - '\Chromium.exe'
+            - '\GhostBrowser.exe'
+            - '\CentBrowser.exe'
+            - '\Xvast.exe'
+            - '\Chedot.exe'
+            - '\SuperBird.exe'
+            - '\360Browser.exe'
+            - '\360Chrome.exe'
+            - '\dragon.exe'
+            - '\brave.exe'
+            - '\torch.exe'
+            - '\UCBrowser.exe'
+            - '\BliskBrowser.exe'
+            - '\Epic Privacy Browser.exe'
+            - '\nichrome.exe'
+            - '\AmigoBrowser.exe'
+            - '\KometaBrowser.exe'
+            - '\XpomBrowser.exe'
+            - '\msedge.exe'
+            - '\LiebaoBrowser.exe'
+            - '\AvastBrowser.exe'
+            - '\Kinza.exe'
+            - '\seamonkey.exe'
+            - '\icedragon.exe'
+            - '\cyberfox.exe'
+            - '\SlimBrowser.exe'
+            - '\palemoon.exe'
+    filter_main_path:
+        Image|contains:
+            - '\Sputnik\'
+            - '\MapleStudio\'
+            - '\QIP Surf\'
+            - '\BlackHawk\'
+            - '\7Star\'
+            - '\Fenrir Inc\'
+            - '\CatalinaGroup\'
+            - '\Google\'
+            - '\Coowon\'
+            - '\CocCoc\'
+            - '\uCozMedia\'
+            - '\Tencent\'
+            - '\Orbitum\'
+            - '\Slimjet\'
+            - '\Iridium\'
+            - '\Vivaldi\'
+            - '\Chromium\'
+            - '\GhostBrowser\'
+            - '\CentBrowser\'
+            - '\Xvast\'
+            - '\Chedot\'
+            - '\SuperBird\'
+            - '\360Browser\'
+            - '\360Chrome\'
+            - '\Comodo\'
+            - '\BraveSoftware\'
+            - '\Torch\'
+            - '\UCBrowser\'
+            - '\Blisk\'
+            - '\Epic Privacy Browser\'
+            - '\Nichrome\'
+            - '\Amigo\'
+            - '\Kometa\'
+            - '\Xpom\'
+            - '\Microsoft\'
+            - '\Liebao7\'
+            - '\AVAST Software\'
+            - '\Kinza\'
+            - '\Mozilla\'
+            - '\8pecxstudios\'
+            - '\FlashPeak\'
+            - '\Moonchild Productions\'
+    filter_main_system:
+        Image: System
+        ParentImage: Idle
+    filter_main_generic:
+        Image|startswith:
+            - 'C:\Program Files\'
+            - 'C:\Program Files (x86)\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+    filter_optional_defender:
+        Image|contains: '\Microsoft\Windows Defender\'
+        Image|endswith:
+            - '\MpCopyAccelerator.exe'
+            - '\MsMpEng.exe'
+    filter_optional_thor:
+        Image|endswith:
+            - '\thor.exe'
+            - '\thor64.exe'
+    filter_optional_msiexec:
+        ParentImage: 'C:\Windows\System32\msiexec.exe'
+    filter_optional_other:
+        Image|endswith: '\everything.exe'
+    condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+    - Antivirus, Anti-Spyware, Anti-Malware Software
+    - Legitimate software accessing browser data for synchronization or backup purposes.
+    - Legitimate software installed on partitions other than "C:\"
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
index 0ac71d47e..6e76f1946 100644
--- a/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
@@ -3,6 +3,8 @@ id: 87a476dc-0079-4583-a985-dee7a20a03de
 related:
     - id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
       type: derived
+    - id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
+      type: similar
 status: test
 description: Detects processes that query known 3rd party registry keys that holds credentials via commandline
 references:
@@ -12,6 +14,7 @@ references:
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-06-20
+modified: 2025-05-22
 tags:
     - attack.credential-access
     - attack.t1552.002
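Review bot: `filter_main_path` and `filter_main_img` are applied as two independent exclusions by `not 1 of filter_main_*`, so any process whose path merely contains `\Microsoft\`, `\Google\`, `\Mozilla\` or `\Comodo\` is excluded regardless of its binary name; `%APPDATA%\Microsoft\` and `%LOCALAPPDATA%\Google\` are ordinary malware drop directories, so a stealer staged there reads `Login Data` without ever reaching the selection. The two lists should be one filter that requires both fields: move the `Image|contains:` list under `filter_main_img:` (rename it `filter_main_browser`) and delete the `filter_main_path:` key, so that a vendor directory and a known browser executable must both match. `filter_main_generic`'s `C:\Windows\System32\` and `C:\Windows\SysWOW64\` entries likewise hide credential reads made through rundll32.exe, regsvr32.exe, powershell.exe or code injected into a signed Windows binary — exactly how a DLL payload like the one the sibling image_load rule hunts for would typically be hosted; at minimum document that with `# NOTE: also hides LOLBin-hosted and injected code - tune per environment`, or drop the two Windows directories and rely on `filter_main_system` plus explicit exclusions. The hunk covers the whole new file.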
@@ -21,24 +24,30 @@ logsource:
 detection:
     selection:
         CommandLine|contains: # Add more paths as they are discovered
-            - '\Software\SimonTatham\PuTTY\Sessions'
-            - '\Software\\SimonTatham\PuTTY\SshHostKeys\'
-            - '\Software\Mobatek\MobaXterm\'
-            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
-            - '\Software\Aerofox\FoxmailPreview'
             - '\Software\Aerofox\Foxmail\V3.1'
-            - '\Software\IncrediMail\Identities'
-            - '\Software\Qualcomm\Eudora\CommandLine'
-            - '\Software\RimArts\B2\Settings'
-            - '\Software\OpenVPN-GUI\configs'
-            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
-            - '\Software\FTPWare\COREFTP\Sites'
+            - '\Software\Aerofox\FoxmailPreview'
             - '\Software\DownloadManager\Passwords'
+            - '\Software\FTPWare\COREFTP\Sites'
+            - '\Software\IncrediMail\Identities'
+            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
+            - '\Software\Mobatek\MobaXterm\'
             - '\Software\OpenSSH\Agent\Keys'
-            - '\Software\TightVNC\Server'
+            - '\Software\OpenVPN-GUI\configs'
             - '\Software\ORL\WinVNC3\Password'
+            - '\Software\Qualcomm\Eudora\CommandLine'
             - '\Software\RealVNC\WinVNC4'
-    condition: selection
+            - '\Software\RimArts\B2\Settings'
+            - '\Software\SimonTatham\PuTTY\Sessions'
+            - '\Software\SimonTatham\PuTTY\SshHostKeys\'
+            - '\Software\Sota\FFFTP'
+            - '\Software\TightVNC\Server'
+            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
+    filter_main_other_rule: # matched by cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
+        Image|endswith: 'reg.exe'
+        CommandLine|contains:
+            - 'export'
+            - 'save'
+    condition: selection and not 1 of filter_main_*
 falsepositives:
     - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml b/rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml
new file mode 100644
index 000000000..980a4d926
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_registry_export_of_thirdparty_creds.yml
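Review bot: `Image|endswith: 'reg.exe'` in `filter_main_other_rule` has no leading backslash, so any binary whose name merely ends in `reg.exe` (`winreg.exe`, `myreg.exe`) with `save`/`export` on its command line is excluded here, while the hand-off rule cc1abf27-… only accepts `\reg.exe` or `OriginalFileName: reg.exe` — such a process is caught by neither rule. Use `Image|endswith: '\reg.exe'` so the filter mirrors the sibling exactly. The filter's `CommandLine|contains` is also a bare substring test, so a read-only `reg query` whose key path happens to contain `save` (a session named `saved-host`, say) drops out of this medium-level rule and is re-labelled by the sibling as a high-level export; anchoring the verb as `' save '` / `' export '` in both rules keeps the partition consistent, though I cannot tell from the hunk whether the repo prefers that form over `|re`.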
@@ -0,0 +1,51 @@
+title: Registry Export of Third-Party Credentials
+id: cc1abf27-78a3-4ac5-a51c-f3070b1d8e40
+related:
+    - id: 87a476dc-0079-4583-a985-dee7a20a03de
+      type: similar
+status: experimental
+description: |
+    Detects the use of reg.exe to export registry paths associated with third-party credentials.
+    Credential stealers have been known to use this technique to extract sensitive information from the registry.
+references:
+    - https://www.virustotal.com/gui/file/fdc86a5b3d7df37a72c3272836f743747c47bfbc538f05af9ecf78547fa2e789/behavior
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-05-22
+tags:
+    - attack.credential-access
+    - attack.t1552.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\reg.exe'
+        - OriginalFileName: 'reg.exe'
+    selection_cli_save:
+        CommandLine|contains:
+            - 'save'
+            - 'export'
+    selection_cli_path:
+        CommandLine|contains:
+            - '\Software\Aerofox\Foxmail\V3.1'
+            - '\Software\Aerofox\FoxmailPreview'
+            - '\Software\DownloadManager\Passwords'
+            - '\Software\FTPWare\COREFTP\Sites'
+            - '\Software\IncrediMail\Identities'
+            - '\Software\Martin Prikryl\WinSCP 2\Sessions'
+            - '\Software\Mobatek\MobaXterm'
+            - '\Software\OpenSSH\Agent\Keys'
+            - '\Software\OpenVPN-GUI\configs'
+            - '\Software\ORL\WinVNC3\Password'
+            - '\Software\Qualcomm\Eudora\CommandLine'
+            - '\Software\RealVNC\WinVNC4'
+            - '\Software\RimArts\B2\Settings'
+            - '\Software\SimonTatham\PuTTY\Sessions'
+            - '\Software\SimonTatham\PuTTY\SshHostKeys'
+            - '\Software\Sota\FFFTP'
+            - '\Software\TightVNC\Server'
+            - '\Software\WOW6432Node\Radmin\v3.0\Server\Parameters\Radmin'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
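Review bot: `selection_cli_save` matches `save`/`export` anywhere in the command line, so a read-only `reg query "HKCU\Software\Martin Prikryl\WinSCP 2\Sessions\saved-host"` fires this high-level rule as if it were an export; since reg.exe's syntax is `reg export <key> <file>` / `reg save <key> <file>`, tightening to `CommandLine|contains: [' save ', ' export ']` anchors the verb to its argument position (at the cost of missing oddly double-spaced invocations, which `|re` could cover if the repo allows it). `falsepositives: - Unknown` paired with `level: high` undersells a real one: administrators migrating or backing up PuTTY, WinSCP or VNC settings do exactly `reg export` on these keys, so `- Administrators backing up or migrating PuTTY/WinSCP/VNC configuration via "reg export"` belongs in the list. Minor: `\Software\Mobatek\MobaXterm` and `\Software\SimonTatham\PuTTY\SshHostKeys` drop the trailing backslash that the sibling enumeration rule keeps — harmless under `contains`, but aligning the two lists keeps them diffable.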