splunk · nasbench · Mar 16, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
@@ -83,6 +83,7 @@ rba:
 tags:
     analytic_story:
         - Cisco Network Visibility Module Analytics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1218.005

@@ -94,6 +94,7 @@ tags:
     analytic_story:
         - APT37 Rustonotto and FadeStealer
         - Cisco Network Visibility Module Analytics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1197

@@ -111,6 +111,7 @@ rba:
 tags:
     analytic_story:
         - Cisco Network Visibility Module Analytics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1105

@@ -88,6 +88,7 @@ tags:
     analytic_story:
         - Cisco Network Visibility Module Analytics
         - Castle RAT
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1590.005

@@ -66,6 +66,7 @@ tags:
         - Suspicious MSHTA Activity
         - XWorm
         - APT37 Rustonotto and FadeStealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1218.005

@@ -38,6 +38,7 @@ tags:
         - CISA AA23-347A
         - IcedID
         - Windows Registry Abuse
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -44,6 +44,7 @@ tags:
         - Scattered Lapsus$ Hunters
         - NetSupport RMM Tool Abuse
         - Storm-0501 Ransomware
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -52,6 +52,7 @@ tags:
         - CISA AA22-264A
         - XMRig
         - Crypto Stealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -58,6 +58,7 @@ tags:
         - ValleyRAT
         - Compromised Windows Host
         - Windows Defense Evasion Tactics
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1112

@@ -58,6 +58,7 @@ tags:
         - DarkCrystal RAT
         - 0bj3ctivity Stealer
         - APT37 Rustonotto and FadeStealer
+        - BlankGrabber Stealer
         - MuddyWater
     asset_type: Endpoint
     mitre_attack_id:

@@ -48,6 +48,7 @@ tags:
         - Snake Keylogger
         - China-Nexus Threat Activity
         - Lokibot
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -50,6 +50,7 @@ tags:
         - China-Nexus Threat Activity
         - 0bj3ctivity Stealer
         - Lokibot
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -55,6 +55,7 @@ tags:
         - Water Gamayun
         - 0bj3ctivity Stealer
         - Hellcat Ransomware
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1102.002

@@ -112,6 +112,7 @@ tags:
         - Ransomware
         - Revil Ransomware
         - CISA AA24-241A
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -55,6 +55,7 @@ tags:
         - WhisperGate
         - Warzone RAT
         - NetSupport RMM Tool Abuse
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -93,6 +93,7 @@ tags:
         - Amadey
         - Gozi Malware
         - APT37 Rustonotto and FadeStealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1566.002

@@ -63,6 +63,7 @@ tags:
         - Qakbot
         - Industroyer2
         - Scattered Spider
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1592

@@ -45,6 +45,7 @@ tags:
         - Interlock Ransomware
         - LAMEHUG
         - NetSupport RMM Tool Abuse
+        - BlankGrabber Stealer
         - Lotus Blossom Chrysalis Backdoor
     asset_type: Windows
     mitre_attack_id:

@@ -47,6 +47,7 @@ tags:
         - Interlock Ransomware
         - APT37 Rustonotto and FadeStealer
         - PromptFlux
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1547.001

@@ -49,6 +49,7 @@ tags:
     analytic_story:
         - Windows Post-Exploitation
         - Prestige Ransomware
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1115

@@ -54,6 +54,7 @@ tags:
         - Water Gamayun
         - Tuoni
         - SolarWinds WHD RCE Post Exploitation
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1059.007

@@ -47,6 +47,7 @@ rba:
 tags:
     analytic_story:
         - Castle RAT
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1548.002

@@ -47,6 +47,7 @@ tags:
         - Scattered Spider
         - 0bj3ctivity Stealer
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -34,6 +34,7 @@ tags:
     analytic_story:
         - Braodo Stealer
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1555.003

@@ -42,6 +42,7 @@ tags:
         - Braodo Stealer
         - MoonPeak
         - 0bj3ctivity Stealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -52,6 +52,7 @@ tags:
         - 0bj3ctivity Stealer
         - Lokibot
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -52,6 +52,7 @@ tags:
         - 0bj3ctivity Stealer
         - Lokibot
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1012

@@ -51,6 +51,7 @@ tags:
         - PXA Stealer
         - NjRAT
         - Crypto Stealer
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -52,6 +52,7 @@ tags:
         - Scattered Lapsus$ Hunters
         - Hellcat Ransomware
         - Castle RAT
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -106,6 +106,7 @@ rba:
 tags:
     analytic_story:
         - Windows Discovery Techniques
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1654

@@ -0,0 +1,76 @@
+name: Windows Hosts File Access
+id: b34bcf35-5380-4b00-b208-5531303fb751
+version: 1
+date: '2026-03-03'
+author: Teoderick Contreras, Splunk
+status: production
+type: Anomaly
+description: |
+    This Analytic detects the execution of a process attempting to access the hosts file.
+    The hosts file is a critical file for network configuration and DNS resolution.
+    If an attacker gains access to it, they can redirect traffic to malicious websites, serve fake content or block legitimate security websites.
+data_source:
+    - Windows Event Log Security 4663
+search: |
+    `wineventlog_security`
+    EventCode=4663
+    object_file_path="*:\\Windows\\System32\\drivers\\etc\\hosts"
+    NOT process_path IN (
+        "*:\\Windows\\explorer.exe",
+        "*:\\Windows\\System32\\lsass.exe",
+        "*:\\Windows\\System32\\SearchIndexer.exe",
+        "*:\\Windows\\System32\\services.exe",
+        "*:\\Windows\\System32\\svchost.exe",
+        "*:\\Windows\\SysWow64\\SearchIndexer.exe",
+        "*:\\Windows\\SysWow64\\svchost.exe"
+    )
+    | stats count
+        by _time object_file_path object_file_name dest process_name
+           process_path process_id EventCode
+    | eval process_path = lower(process_path)
+    | lookup browser_process_and_path browser_process_path as process_path OUTPUT is_valid_browser_path
+    | eval is_valid_browser_path=coalesce(is_valid_browser_path,"false")
+    | where is_valid_browser_path = "false"
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `windows_hosts_file_access_filter`
+how_to_implement: |
+    To successfully implement this search, you must ingest Windows Security Event logs and track event code 4663. For 4663, enable "Audit Object Access" in Group Policy. Then check the two boxes listed for both "Success" and "Failure." This search may trigger on a browser application that is not included in the browser_app_list lookup file.
+known_false_positives: Administrator may access this registry for product key recovery purposes.
+references:
+    - https://cert.gov.ua/article/6284730
+drilldown_searches:
+    - name: View the detection results for - "$user$" and "$dest$"
+      search: '%original_detection_search% | search  user = "$user$" dest = "$dest$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for - "$user$" and "$dest$"
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+rba:
+    message: A [$process_name$] attempting to access the hosts file [$object_file_path$] on [$dest$].
+    risk_objects:
+        - field: dest
+          type: system
+          score: 20
+    threat_objects:
+        - field: process_name
+          type: process_name
+tags:
+    analytic_story:
+        - BlankGrabber Stealer
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1012
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: endpoint
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1012/host_file_accessed/hosts_accessed.log
+          source: XmlWinEventLog:Security
+          sourcetype: XmlWinEventLog
@@ -34,6 +34,7 @@ tags:
     analytic_story:
         - Windows Defense Evasion Tactics
         - Windows Registry Abuse
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001

@@ -35,6 +35,7 @@ tags:
         - Windows Defense Evasion Tactics
         - Windows Registry Abuse
         - Scattered Lapsus$ Hunters
+        - BlankGrabber Stealer
     asset_type: Endpoint
     mitre_attack_id:
         - T1562.001