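Sources:

- https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/
- https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html

Notes on the searches below: field names (`CommandLine`, `Image`, `Parent_Process_Name`, `Hostname`, `Process_Name`, `File_Name`, ...) are those used by the original author and must be checked against the fields your Windows / Sysmon add-on actually extracts before any of these are scheduled. `index=*` is kept for portability; scope it to the indexes that carry these sourcetypes. The bare family names used as tokens (`cobeacon`, `vargeit`, `railload`, `railsetter`, `rsbinject`) are analyst labels from the reports and are unlikely to appear literally in telemetry, so the behavioural terms paired with them in each search are what carries the detection. Substring matches are written with `like()` / wildcards throughout: the original `search field="value"` form is an exact-value match and would only fire on a command line consisting of that single word.

### Track Suspicious Process and Library Activities

```
index=* sourcetype=wineventlog (EventCode=4688 OR EventCode=7045)
| eval CommandLineLower=lower(coalesce(CommandLine, Service_File_Name))
| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
| stats count by Account_Name, CommandLine, Parent_Process_Name, Hostname
```

EventCode 7045 (service install) normally exposes the binary in `Service_File_Name` rather than `CommandLine`; the `coalesce()` folds it in so those events are not silently dropped by the `where` clause. Confirm the field name against your add-on.

### Monitor for Suspicious Java Execution and Payloads

```
index=* (sourcetype=syslog OR sourcetype=process_monitor)
| eval process_lower=lower(process)
| where like(process_lower, "%java%") AND (like(process_lower, "%jakarta.servlet.servletrequestlistener%") OR like(process_lower, "%javax.servlet.servletrequestlistener%"))
| stats count by user, process, parent_process, host
```

The original required `process_lower` to equal `"java"` and, at the same time, equal one of the listener class names; two different exact values on one field can never both be true, so the search returned nothing. Substring matches express the intended "java process whose command line references a servlet request listener".

### Processes decoding Base64-encoded payloads dynamically in memory

```
index=* sourcetype=process_monitor
| eval CommandLineLower=lower(CommandLine)
| where like(CommandLineLower, "%base64%") OR like(CommandLineLower, "%aes%") OR like(CommandLineLower, "%md5%")
| stats count by user, process, parent_process, host
```

`aes` and `md5` are three-character substrings and will match unrelated words and file names; expect to tune this with an allow-list of known parents before alerting on it.

### Detecting Second-Stage Backdoors

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| where (like(CommandLineLower, "%cobeacon%") OR like(CommandLineLower, "%vargeit%")) AND match(CommandLineLower, "(c2|beacon|http)")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```

The intermediate `SuspiciousActivity="Yes"/"No"` column of the original only fed a `where` on itself, so the `match()` is applied directly; `match()` is unanchored, so the surrounding `.*` is not needed.

### Splunk Rule for DLL Sideloading Detection

```
index=* sourcetype=wineventlog EventCode=4688
| eval suspicious_dll=if(match(CommandLine, "(?i)\.dll") AND NOT match(CommandLine, "(?i)(system32|syswow64)\\\\.*\.dll"), 1, 0)
| where suspicious_dll=1
| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
| sort -count
```

In an eval string `\\` decodes to a single backslash, so the original exclusion `(System32|SysWOW64)\\.*\.dll` reached the regex engine as `\.*` (zero or more literal dots) and never matched a real path separator — every `.dll` on a command line, including ones under System32, was flagged. `\\\\` yields one literal backslash in the regex. Note that a 4688 command line only reveals DLLs that are named explicitly (rundll32 / regsvr32 style invocations); for sideloading proper, Sysmon image-load events (EventCode 7) keyed on the loading process and the DLL's signature / directory are the more direct source — this search is a coarse fallback when those are not collected.

### COBEACON loader – MASQLOADER

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval EventPath=coalesce(Process_Name, File_Name)
| search EventPath IN ("*msmpsrv.exe", "*msedge.dll", "*ms.log")
| transaction Process_Name maxspan=1s
| where like(Process_Name, "%msmpsrv.exe") AND isnotnull(mvfind(File_Name, "msedge\.dll")) AND isnotnull(mvfind(File_Name, "ms\.log"))
| stats count by Hostname, EventPath, User, Parent_Process_Name
| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
| sort -count
```

`mvfind()` returns a zero-based index or null, so using its bare result as a boolean is fragile (a match in the first element yields `0`); `isnotnull()` makes the test explicit. Process and file fields usually hold full paths, hence the leading wildcards. The `transaction` groups on `Process_Name`, which file-write events may not carry — verify against a sample of the expected events that the three artefacts actually land in one group.

### Detecting VARGEIT Behaviors

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| where (like(CommandLineLower, "%mspaint%") OR like(CommandLineLower, "%conhost%")) AND (like(CommandLineLower, "%c2%") OR like(CommandLineLower, "%firewall%") OR like(CommandLineLower, "%shellcode%"))
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count
```

The original joined the two groups with `OR`, which would have matched every `conhost.exe` launch on the host. The report pairs those host processes with the injected behaviour, so the groups are combined with `AND` here; `%c2%` remains a very short token and will still need tuning.

### Detecting RSBINJECT Activity

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| where (like(CommandLineLower, "%rsbinject%") OR like(CommandLineLower, "%cobeacon%")) AND (match(CommandLineLower, "(?:^|\s)(--load|-l|--test|-t|--flag|-f)(?:\s|$)") OR like(CommandLineLower, "%shellcode%"))
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```

The short switches `-l`, `-t` and `-f` are anchored to whitespace so they match as whole arguments rather than inside longer options such as `--log-level`.

### Detect RAILLOAD

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| where (like(CommandLineLower, "%vargeit%") OR like(CommandLineLower, "%railload%")) AND (like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)"))
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
| sort -count
```

### Detect RAILSETTER

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| where (like(CommandLineLower, "%railload%") OR like(CommandLineLower, "%railsetter%")) AND (like(CommandLineLower, "%schtasks%") OR like(CommandLineLower, "%timestomp%") OR like(CommandLineLower, "%base64%") OR like(CommandLineLower, "%copy%"))
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count
```

### mspaint Exfiltration

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon) Image="C:\\Windows\\System32\\mspaint.exe"
| eval CommandLineLower=lower(CommandLine)
| where match(CommandLineLower, "[a-z0-9]{16,}") OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)") OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```

SPL does not accept C-style `/* ... */` comments inside a search, so the two annotations from the original query are given here instead: the first pattern flags long alphanumeric runs such as Base64 or unique identifiers, and the region list is an example to be extended for the environment. The character class is `[a-z0-9]` because the field has already been lower-cased. The `Image=` filter is moved into the base search, which is equivalent and avoids pulling every event through the `eval`.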