blank_grabber#3943

Open
tccontre wants to merge 14 commits into develop from blank_grabber
Conversation

@tccontre (Contributor) commented Mar 9, 2026

tagged

    modified:   detections/endpoint/cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli.yml
    modified:   detections/endpoint/cisco_nvm___suspicious_download_from_file_sharing_website.yml
    modified:   detections/endpoint/cisco_nvm___suspicious_file_download_via_headless_browser.yml
    modified:   detections/endpoint/cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api.yml
    modified:   detections/endpoint/detect_mshta_inline_hta_execution.yml
    modified:   detections/endpoint/disable_defender_submit_samples_consent_feature.yml
    modified:   detections/endpoint/disable_windows_behavior_monitoring.yml
    modified:   detections/endpoint/excessive_usage_of_taskkill.yml
    modified:   detections/endpoint/fodhelper_uac_bypass.yml
    modified:   detections/endpoint/malicious_powershell_process___execution_policy_bypass.yml
    modified:   detections/endpoint/non_chrome_process_accessing_chrome_default_dir.yml
    modified:   detections/endpoint/non_firefox_process_access_firefox_profile_dir.yml
    modified:   detections/endpoint/potential_telegram_api_request_via_commandline.yml
    modified:   detections/endpoint/powershell_disable_security_monitoring.yml
    modified:   detections/endpoint/powershell_windows_defender_exclusion_commands.yml
    modified:   detections/endpoint/process_creating_lnk_file_in_suspicious_location.yml
    modified:   detections/endpoint/recon_using_wmi_class.yml
    modified:   detections/endpoint/system_information_discovery_detection.yml
    modified:   detections/endpoint/windows_boot_or_logon_autostart_execution_in_startup_folder.yml
    modified:   detections/endpoint/windows_clipboard_data_via_get_clipboard.yml
    modified:   detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
    modified:   detections/endpoint/windows_computerdefaults_spawning_a_process.yml
    modified:   detections/endpoint/windows_credential_access_from_browser_password_store.yml
    modified:   detections/endpoint/windows_credentials_from_password_stores_chrome_copied_in_temp_dir.yml
    modified:   detections/endpoint/windows_credentials_from_password_stores_chrome_extension_access.yml
    modified:   detections/endpoint/windows_credentials_from_password_stores_chrome_localstate_access.yml
    modified:   detections/endpoint/windows_credentials_from_password_stores_chrome_login_data_access.yml
    modified:   detections/endpoint/windows_disable_or_modify_tools_via_taskkill.yml
    modified:   detections/endpoint/windows_disable_or_stop_browser_process.yml
    modified:   detections/endpoint/windows_eventlog_recon_activity_using_log_query_utilities.yml
    modified:   detections/endpoint/windows_impair_defense_disable_controlled_folder_access.yml
    modified:   detections/endpoint/windows_impair_defense_disable_win_defender_network_protection.yml
    modified:   detections/endpoint/windows_non_discord_app_access_discord_leveldb.yml
    modified:   detections/endpoint/windows_system_network_connections_discovery_netsh.yml
    modified:   detections/endpoint/windows_time_based_evasion.yml
    modified:   detections/endpoint/windows_wmic_systeminfo_discovery.yml
    modified:   detections/network/suspicious_process_dns_query_known_abuse_web_services.yml
    modified:   detections/network/suspicious_process_with_discord_dns_query.yml
    modified:   detections/network/windows_abused_web_services.yml
    modified:   detections/network/windows_dns_query_request_by_telegram_bot_api.yml
    modified:   detections/network/windows_gather_victim_network_info_through_ip_check_web_services.yml

modified:

    modified:   detections/endpoint/windows_screen_capture_via_powershell.yml

New Detections

    new file:   detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml
    new file:   detections/endpoint/windows_hosts_file_access.yml
    new file:   detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml
    new file:   detections/endpoint/windows_product_key_registry_query.yml
    new file:   detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml
    new file:   detections/endpoint/windows_wmi_reconnaissance_class_query.yml

lookup

    new file:   lookups/browser_process_and_path.csv
    new file:   lookups/browser_process_and_path.yml

story

    new file:   stories/blankgrabber_stealer.yml

telemetry test

    new file:   detections/endpoint/windows_dns_lookup_to_public_file_sharing_domain.yml - n/a
    new file:   detections/endpoint/windows_hosts_file_access.yml - n/a
    new file:   detections/endpoint/windows_mpcmdrun_removedefinitions_execution.yml - 0 hits
    new file:   detections/endpoint/windows_product_key_registry_query.yml - n/a
    new file:   detections/endpoint/windows_winrar_launched_outside_default_installation_directory.yml - 14 hits
    new file:   detections/endpoint/windows_wmi_reconnaissance_class_query.yml - 7 hits

@tccontre tccontre added the WIP DO NOT MERGE Work in Progress label Mar 9, 2026
@nasbench nasbench added this to the v5.24.0 milestone Mar 9, 2026
@tccontre tccontre removed WIP DO NOT MERGE Work in Progress labels Mar 10, 2026