added several rules

2025-04-17 11:45:05 -04:00
parent cfcf39c9b1
commit be44cbf334
1 changed files with 98 additions and 0 deletions
--- a/spl.md
+++ b/spl.md
@ -128,4 +128,102 @@ index=* sourcetype=wineventlog OR sourcetype=sysmon
 | stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
 | rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
 | sort -count
+```
+
+#20250417 dj
+mspaint Strange Process Spawn
+```
+index=win_sysmon EventCode=10 ParentUser="NT AUTHORITY\\SYSTEM" process_name=*
+| stats count by _time, ParentUser, ParentImage, process_name, EventCode 
+| where ParentImage!="C:\\Windows\\explorer.exe" AND ParentImage!="C:\\Windows\\System32\\cmd.exe" 
+| rename process_name as ProcessName 
+| table _time, ParentUser, ParentImage, ProcessName, EventCode
+```
+
+#20250417 wip yaml
+
+```
+title: Detect VARGEIT Malware Execution
+id: f1234567-89ab-cdef-0123-456789abcdef
+description: Detects potential execution patterns of the VARGEIT backdoor, including DLL sideloading, process injection into mspaint.exe, and network activity linked to Earth Alux operations.
+author: YourName
+references:
+  - https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    Image|endswith:
+      - "\mspaint.exe"    # VARGEIT injects payloads into mspaint.exe
+    ParentImage|endswith:
+      - "\rundll32.exe"   # DLL sideloading through rundll32
+  condition: selection
+fields:
+  - Image
+  - ParentImage
+  - CommandLine
+  - User
+level: high
+```
+
+**sigma rule for sus graph api usage by non-outlook process**
+```
+title: Suspicious ICMP Activity from mspaint.exe
+id: abcdef12-3456-7890-abcd-ef1234567890
+status: experimental
+description: |
+  Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
+  and the protocol used is ICMP, which is unusual for the MS Paint process.
+author: Your Name
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 3
+    Image|endswith: "\mspaint.exe"
+    Protocol: ICMP
+  condition: selection
+falsepositives:
+  - Rare legitimate diagnostic tools or scanning software
+level: high
+```
+
+
+**sigma sus icmp activity from mspaint**
+```
+title: Suspicious ICMP Activity from mspaint.exe
+id: abcdef12-3456-7890-abcd-ef1234567890
+status: experimental
+description: |
+  Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
+  and the protocol used is ICMP, which is unusual for the MS Paint process.
+author: Your Name
+logsource:
+  product: windows
+  service: sysmon
+detection:
+  selection:
+    EventID: 3
+    Image|endswith: "\mspaint.exe"
+    Protocol: ICMP
+  condition: selection
+falsepositives:
+  - Rare legitimate diagnostic tools or scanning software
+level: high
+```
+
+#suricata wip
+```
+alert http any any -> any any (
+    msg:"Earth Alux - Potential Godzilla web shell indicator observed in HTTP payload";
+    flow:to_server,established;
+    content:"Godzilla";
+    nocase;
+    http_client_body;
+    classtype:trojan-activity;
+    sid:1000002;
+    rev:1;
+)
 ```