From cfcf39c9b16a171a99357399215d5f37cc799bc6 Mon Sep 17 00:00:00 2001
From: junk
Date: Wed, 16 Apr 2025 16:19:11 -0400
Subject: [PATCH] Add spl.md
---
 spl.md | 131 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 131 insertions(+)
 create mode 100644 spl.md
diff --git a/spl.md b/spl.md
new file mode 100644
index 0000000..8369bef
--- /dev/null
+++ b/spl.md
@@ -0,0 +1,131 @@
+https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/
+https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
+
+
+
+Track Suspicious Process and Library Activities
+
+```
+index=* sourcetype=wineventlog EventCode=4688 OR EventCode=7045
+| eval CommandLineLower=lower(CommandLine)
+| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
+| stats count by Account_Name, CommandLine, Parent_Process_Name, Hostname
+```
+
+Monitor for Suspicious Java Execution and Payloads
+
+```
+index=* sourcetype=syslog OR sourcetype=process_monitor
+| eval process_lower=lower(process)
+| search process_lower="java" AND (process_lower="jakarta.servlet.ServletRequestListener" OR process_lower="javax.servlet.ServletRequestListener")
+| stats count by user, process, parent_process, host
+```
+
+Processes decoding Base64-encoded payloads dynamically in memory
+
+```
+index=* sourcetype=process_monitor
+| eval CommandLineLower=lower(CommandLine)
+| search CommandLineLower="base64" OR CommandLineLower="aes" OR CommandLineLower="md5"
+| stats count by user, process, parent_process, host
+```
+
+Detecting Second-Stage Backdoors
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="cobeacon" OR CommandLineLower="vargeit")
+| eval SuspiciousActivity=if(match(CommandLineLower, ".*(c2|beacon|http).*"), "Yes", "No")
+| where SuspiciousActivity="Yes"
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
+| sort -count
+```
+
+Splunk Rule for DLL Sideloading Detection
+
+```
+index=* sourcetype=wineventlog EventCode=4688
+| eval suspicious_dll=if(match(CommandLine, "(?i)\.dll") AND NOT match(CommandLine, "(?i)(System32|SysWOW64)\\.*\.dll"), 1, 0)
+| where suspicious_dll=1
+| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
+| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
+| sort -count
+```
+
+COBEACON loader – MASQLOADER
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval EventPath=coalesce(Process_Name, File_Name)
+| search EventPath IN ("msmpsrv.exe", "msedge.dll", "ms.log")
+| transaction Process_Name maxspan=1s
+| where Process_Name="msmpsrv.exe" AND mvfind(File_Name, "msedge.dll") AND mvfind(File_Name, "ms.log")
+| stats count by Hostname, EventPath, User, Parent_Process_Name
+| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
+| sort -count
+```
+
+Detecting VARGEIT Behaviors
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="mspaint" OR CommandLineLower="conhost")
+ OR (CommandLineLower="c2" OR CommandLineLower="firewall" OR CommandLineLower="shellcode")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
+| sort -count
+```
+
+
+Detecting RSBINJECT Activity
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="rsbinject" OR CommandLineLower="cobeacon")
+| where match(CommandLineLower, "(--load|-l|--test|-t|--flag|-f)") OR like(CommandLineLower, "%shellcode%")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
+| sort -count
+```
+
+Detect RAILLOAD
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="vargeit" OR CommandLineLower="railload")
+| where like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
+| sort -count
+```
+
+Detect RAILSETTER
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="railload" OR CommandLineLower="railsetter")
+| search (CommandLineLower="schtasks" OR CommandLineLower="timestomp" OR CommandLineLower="base64" OR CommandLineLower="copy")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
+| sort -count
+```
+
+mspaint Exfiltration
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search Image="C:\\Windows\\System32\\mspaint.exe"
+| where match(CommandLineLower, "[a-zA-Z0-9]{16,}") /* Detects suspicious long strings like Base64 or unique identifiers */
+ OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)") /* Example regions */
+ OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
+| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
+| sort -count
+```
\ No newline at end of file
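Review bot: Nearly every query after the first filters the lowered command line with an exact equality (`| search CommandLineLower="base64" OR ...`, `CommandLineLower="cobeacon"`, `CommandLineLower="railload"`, and in the Java query `process_lower="java" AND process_lower="jakarta.servlet.ServletRequestListener"`, which can never both hold), so each matches only when the entire command line is that one token and will return nothing on real data; write them as substring tests the way the first query already does, e.g. `| where like(CommandLineLower, "%base64%") OR like(CommandLineLower, "%aes%") OR like(CommandLineLower, "%md5%")`, or `CommandLineLower="*base64*"`. `stats count by` discards any event that lacks one of its by-fields, so grouping on `Registry_Key_Path` (RAILLOAD) or `File_Path` (VARGEIT, RAILSETTER) next to process-creation fields silently drops the process events unless a `| fillnull value=""` precedes the stats or the grouping is limited to fields that event type actually carries. The `/* ... */` annotations inside the mspaint query are not SPL comment syntax and will be parsed as part of the `where` expression; move them into the prose above the fence or use SPL's own triple-backtick comment form. In the MASQLOADER query `mvfind()` returns the 0-based index of the match (0 when the name is the first value) or null rather than a boolean, so the checks should read `isnotnull(mvfind(File_Name, "msedge.dll")) AND isnotnull(mvfind(File_Name, "ms.log"))`. The DLL-sideloading rule runs on EventCode 4688 command lines, which record process creation and not module loads, so it can only see a DLL that happens to be named on a command line; a Sysmon image-load event (EventCode 7, `ImageLoaded`) filtered on loads from outside the expected system directories is the data source this technique needs.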