Add spl.md

spl.md

@@ -0,0 +1,131 @@
+https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/
+https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
+
+
+
+Track Suspicious Process and Library Activities
+
+```
+index=* sourcetype=wineventlog EventCode=4688 OR EventCode=7045
+| eval CommandLineLower=lower(CommandLine)
+| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
+| stats count by Account_Name, CommandLine, Parent_Process_Name, Hostname
+```
+
+Monitor for Suspicious Java Execution and Payloads
+
+```
+index=* sourcetype=syslog OR sourcetype=process_monitor
+| eval process_lower=lower(process)
+| search process_lower="java" AND (process_lower="jakarta.servlet.ServletRequestListener" OR process_lower="javax.servlet.ServletRequestListener")
+| stats count by user, process, parent_process, host
+```
+
+Processes decoding Base64-encoded payloads dynamically in memory
+
+```
+index=* sourcetype=process_monitor
+| eval CommandLineLower=lower(CommandLine)
+| search CommandLineLower="base64" OR CommandLineLower="aes" OR CommandLineLower="md5"
+| stats count by user, process, parent_process, host
+```
+
+Detecting Second-Stage Backdoors
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="cobeacon" OR CommandLineLower="vargeit")
+| eval SuspiciousActivity=if(match(CommandLineLower, ".*(c2|beacon|http).*"), "Yes", "No")
+| where SuspiciousActivity="Yes"
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
+| sort -count
+```
+
+Splunk Rule for DLL Sideloading Detection
+
+```
+index=* sourcetype=wineventlog EventCode=4688
+| eval suspicious_dll=if(match(CommandLine, "(?i)\.dll") AND NOT match(CommandLine, "(?i)(System32|SysWOW64)\\.*\.dll"), 1, 0)
+| where suspicious_dll=1
+| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
+| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
+| sort -count
+```
+
+COBEACON loader – MASQLOADER
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval EventPath=coalesce(Process_Name, File_Name)
+| search EventPath IN ("msmpsrv.exe", "msedge.dll", "ms.log")
+| transaction Process_Name maxspan=1s
+| where Process_Name="msmpsrv.exe" AND mvfind(File_Name, "msedge.dll") AND mvfind(File_Name, "ms.log")
+| stats count by Hostname, EventPath, User, Parent_Process_Name
+| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
+| sort -count
+```
+
+Detecting VARGEIT Behaviors
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="mspaint" OR CommandLineLower="conhost") 
+  OR (CommandLineLower="c2" OR CommandLineLower="firewall" OR CommandLineLower="shellcode")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
+| sort -count
+```
+
+
+Detecting RSBINJECT Activity
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="rsbinject" OR CommandLineLower="cobeacon")
+| where match(CommandLineLower, "(--load|-l|--test|-t|--flag|-f)") OR like(CommandLineLower, "%shellcode%")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
+| sort -count
+```
+
+Detect RAILLOAD
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="vargeit" OR CommandLineLower="railload")
+| where like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
+| sort -count
+```
+
+Detect RAILSETTER
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search (CommandLineLower="railload" OR CommandLineLower="railsetter")
+| search (CommandLineLower="schtasks" OR CommandLineLower="timestomp" OR CommandLineLower="base64" OR CommandLineLower="copy")
+| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
+| sort -count
+```
+
+mspaint Exfiltration
+
+```
+index=* sourcetype=wineventlog OR sourcetype=sysmon
+| eval CommandLineLower=lower(CommandLine)
+| search Image="C:\\Windows\\System32\\mspaint.exe"
+| where match(CommandLineLower, "[a-zA-Z0-9]{16,}")  /* Detects suspicious long strings like Base64 or unique identifiers */
+    OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)") /* Example regions */
+    OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
+| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
+| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
+| sort -count
+```