junk/earth_alux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added several rules

Browse Source
This commit is contained in:
junk
2025-04-17 11:45:05 -04:00
parent cfcf39c9b1
commit be44cbf334
1 changed files with 98 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

98
spl.md
View File

@ -128,4 +128,102 @@ index=* sourcetype=wineventlog OR sourcetype=sysmon
| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image | stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User" | rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count | sort -count
```
#20250417 dj
mspaint Strange Process Spawn
```
index=win_sysmon EventCode=10 ParentUser="NT AUTHORITY\\SYSTEM" process_name=*
| stats count by _time, ParentUser, ParentImage, process_name, EventCode
| where ParentImage!="C:\\Windows\\explorer.exe" AND ParentImage!="C:\\Windows\\System32\\cmd.exe"
| rename process_name as ProcessName
| table _time, ParentUser, ParentImage, ProcessName, EventCode
```
#20250417 wip yaml
```
title: Detect VARGEIT Malware Execution
id: f1234567-89ab-cdef-0123-456789abcdef
description: Detects potential execution patterns of the VARGEIT backdoor, including DLL sideloading, process injection into mspaint.exe, and network activity linked to Earth Alux operations.
author: YourName
references:
- https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
logsource:
product: windows
service: sysmon
detection:
selection:
Image|endswith:
- "\mspaint.exe" # VARGEIT injects payloads into mspaint.exe
ParentImage|endswith:
- "\rundll32.exe" # DLL sideloading through rundll32
condition: selection
fields:
- Image
- ParentImage
- CommandLine
- User
level: high
```
**sigma rule for sus graph api usage by non-outlook process**
```
title: Suspicious ICMP Activity from mspaint.exe
id: abcdef12-3456-7890-abcd-ef1234567890
status: experimental
description: |
Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
and the protocol used is ICMP, which is unusual for the MS Paint process.
author: Your Name
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image|endswith: "\mspaint.exe"
Protocol: ICMP
condition: selection
falsepositives:
- Rare legitimate diagnostic tools or scanning software
level: high
```
**sigma sus icmp activity from mspaint**
```
title: Suspicious ICMP Activity from mspaint.exe
id: abcdef12-3456-7890-abcd-ef1234567890
status: experimental
description: |
Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
and the protocol used is ICMP, which is unusual for the MS Paint process.
author: Your Name
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 3
Image|endswith: "\mspaint.exe"
Protocol: ICMP
condition: selection
falsepositives:
- Rare legitimate diagnostic tools or scanning software
level: high
```
#suricata wip
```
alert http any any -> any any (
msg:"Earth Alux - Potential Godzilla web shell indicator observed in HTTP payload";
flow:to_server,established;
content:"Godzilla";
nocase;
http_client_body;
classtype:trojan-activity;
sid:1000002;
rev:1;
)
``` ```