From be44cbf334f85c99b1fb96c6dbeed32708bc5f84 Mon Sep 17 00:00:00 2001
From: junk
Date: Thu, 17 Apr 2025 11:45:05 -0400
Subject: [PATCH] added several rules
---
 spl.md | 98 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
diff --git a/spl.md b/spl.md
index 8369bef..f10a92e 100644
--- a/spl.md
+++ b/spl.md
@@ -128,4 +128,102 @@ index=* sourcetype=wineventlog OR sourcetype=sysmon
 | stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
 | rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
 | sort -count
+```
+
+#20250417 dj
+mspaint Strange Process Spawn
+```
+index=win_sysmon EventCode=10 ParentUser="NT AUTHORITY\\SYSTEM" process_name=*
+| stats count by _time, ParentUser, ParentImage, process_name, EventCode
+| where ParentImage!="C:\\Windows\\explorer.exe" AND ParentImage!="C:\\Windows\\System32\\cmd.exe"
+| rename process_name as ProcessName
+| table _time, ParentUser, ParentImage, ProcessName, EventCode
+```
+
+#20250417 wip yaml
+
+```
+title: Detect VARGEIT Malware Execution
+id: f1234567-89ab-cdef-0123-456789abcdef
+description: Detects potential execution patterns of the VARGEIT backdoor, including DLL sideloading, process injection into mspaint.exe, and network activity linked to Earth Alux operations.
+author: YourName
+references:
+ - https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ Image|endswith:
+ - "\mspaint.exe" # VARGEIT injects payloads into mspaint.exe
+ ParentImage|endswith:
+ - "\rundll32.exe" # DLL sideloading through rundll32
+ condition: selection
+fields:
+ - Image
+ - ParentImage
+ - CommandLine
+ - User
+level: high
+```
+
+**sigma rule for sus graph api usage by non-outlook process**
+```
+title: Suspicious ICMP Activity from mspaint.exe
+id: abcdef12-3456-7890-abcd-ef1234567890
+status: experimental
+description: |
+ Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
+ and the protocol used is ICMP, which is unusual for the MS Paint process.
+author: Your Name
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 3
+ Image|endswith: "\mspaint.exe"
+ Protocol: ICMP
+ condition: selection
+falsepositives:
+ - Rare legitimate diagnostic tools or scanning software
+level: high
+```
+
+
+**sigma sus icmp activity from mspaint**
+```
+title: Suspicious ICMP Activity from mspaint.exe
+id: abcdef12-3456-7890-abcd-ef1234567890
+status: experimental
+description: |
+ Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
+ and the protocol used is ICMP, which is unusual for the MS Paint process.
+author: Your Name
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 3
+ Image|endswith: "\mspaint.exe"
+ Protocol: ICMP
+ condition: selection
+falsepositives:
+ - Rare legitimate diagnostic tools or scanning software
+level: high
+```
+
+#suricata wip
+```
+alert http any any -> any any (
+ msg:"Earth Alux - Potential Godzilla web shell indicator observed in HTTP payload";
+ flow:to_server,established;
+ content:"Godzilla";
+ nocase;
+ http_client_body;
+ classtype:trojan-activity;
+ sid:1000002;
+ rev:1;
+)
```
\ No newline at end of file
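Review bot: Both ICMP Sigma rules (two identical copies sharing id `abcdef12-3456-7890-abcd-ef1234567890`, the first filed under a "sus graph api usage by non-outlook process" heading that does not describe it) select Sysmon `EventID: 3` with `Protocol: ICMP`, but Sysmon's network-connection event is documented as logging TCP and UDP only, so as far as I can tell this selection can never match and the rule needs a data source that actually records ICMP (firewall/WFP or NDR logs); the duplicate should be dropped so the id is unique. In the VARGEIT rule the double-quoted YAML values `"\mspaint.exe"` and `"\rundll32.exe"` contain invalid escape sequences and will fail to load; write them as `'\mspaint.exe'` and `'\rundll32.exe'`, and use `category: process_creation` rather than `service: sysmon` so Sigma's standard field mapping applies. The SPL search pairs `EventCode=10` (ProcessAccess, whose fields are SourceImage/TargetImage) with `ParentUser`/`ParentImage`, which are process-creation (Event 1) fields, and `stats count by _time` on raw timestamps reduces every count to 1; for a process-spawn hunt use `EventCode=1` and either `bin _time` or drop it from the `by` clause. The Suricata rule is broken across lines without `\` continuation, which the rule parser rejects, and the placeholder `id`/`author` values in the Sigma rules should be filled in before these leave WIP.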