high
advisory
Suspicious PowerShell Script Using Cryptography Namespace
2 rules, 1 TTP

The analytic detects suspicious PowerShell script execution involving the cryptography namespace (excluding SHA and MD5) via EventCode 4104. This activity is often associated with malware that decrypts or decodes additional malicious payloads, leading to further code execution, privilege escalation, or persistence.
Splunk Enterprise +2
powershell
cryptography
malware
asyncrat
xworm
vip keylogger
high
threat
Braodo Stealer Screen Capture in TEMP Directory
2 rules, 1 TTP

This analytic detects the creation of screen capture files in the TEMP directory, specifically targeting activity associated with the Braodo stealer malware, which captures screenshots of the victim's desktop as part of its data theft activities.
Splunk Enterprise +2
Braodo Stealer
stealc-stealer
crypto-stealer
braodo-stealer
apt37
hellcat-ransomware
vip-keylogger
screen-capture
malware