earth_alux/spl.md
2025-04-17 11:45:05 -04:00
https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/
https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
Track Suspicious Process and Library Activities
```
index=* sourcetype=wineventlog (EventCode=4688 OR EventCode=7045)
| eval CommandLineLower=lower(CommandLine)
| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
| stats count by Account_Name, CommandLine, Parent_Process_Name, Hostname
```
Monitor for Suspicious Java Execution and Payloads
```
index=* sourcetype=syslog OR sourcetype=process_monitor
| eval process_lower=lower(process)
| search process_lower="*java*" AND (process_lower="*jakarta.servlet.servletrequestlistener*" OR process_lower="*javax.servlet.servletrequestlistener*")
| stats count by user, process, parent_process, host
```
Processes decoding Base64-encoded payloads dynamically in memory
```
index=* sourcetype=process_monitor
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*base64*" OR CommandLineLower="*aes*" OR CommandLineLower="*md5*"
| stats count by user, process, parent_process, host
```
Detecting Second-Stage Backdoors
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*cobeacon*" OR CommandLineLower="*vargeit*")
| eval SuspiciousActivity=if(match(CommandLineLower, ".*(c2|beacon|http).*"), "Yes", "No")
| where SuspiciousActivity="Yes"
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```
Splunk Rule for DLL Sideloading Detection
```
index=* sourcetype=wineventlog EventCode=4688
| eval suspicious_dll=if(match(CommandLine, "(?i)[.]dll") AND NOT match(CommandLine, "(?i)(System32|SysWOW64).*[.]dll"), 1, 0)
| where suspicious_dll=1
| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
| sort -count
```
COBEACON loader MASQLOADER
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval EventPath=coalesce(Process_Name, File_Name)
| search EventPath IN ("*msmpsrv.exe", "*msedge.dll", "*ms.log")
| transaction Process_Name maxspan=1s
| where like(Process_Name, "%msmpsrv.exe") AND isnotnull(mvfind(File_Name, "msedge.dll")) AND isnotnull(mvfind(File_Name, "ms.log"))
| stats count by Hostname, EventPath, User, Parent_Process_Name
| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
| sort -count
```
Detecting VARGEIT Behaviors
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*mspaint*" OR CommandLineLower="*conhost*")
OR (CommandLineLower="*c2*" OR CommandLineLower="*firewall*" OR CommandLineLower="*shellcode*")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count
```
Detecting RSBINJECT Activity
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*rsbinject*" OR CommandLineLower="*cobeacon*")
| where match(CommandLineLower, "(^| )(--load|-l|--test|-t|--flag|-f)( |$)") OR like(CommandLineLower, "%shellcode%")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```
Detect RAILLOAD
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*vargeit*" OR CommandLineLower="*railload*")
| where like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
| sort -count
```
Detect RAILSETTER
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*railload*" OR CommandLineLower="*railsetter*")
| search (CommandLineLower="*schtasks*" OR CommandLineLower="*timestomp*" OR CommandLineLower="*base64*" OR CommandLineLower="*copy*")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count
```
mspaint Exfiltration
The first match() flags long alphanumeric runs (Base64 blobs or unique identifiers), the second lists example cloud regions only, the third lists storage-credential keywords.
```
index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search Image="C:\\Windows\\System32\\mspaint.exe"
| where match(CommandLineLower, "[a-z0-9]{16,}")
OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)")
OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```
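Added example, not code from these notes: a Python re-implementation of the string tests the queries above rely on (search-term wildcards, eval like(), the RSBINJECT flag regex and the mspaint exfiltration regexes), run over constructed command lines. It shows why an exact term such as CommandLineLower="base64" never matches a full command line while "*base64*" does, why the bare -l/-t/-f alternatives fire on ordinary arguments such as --log-level unless anchored to whole arguments, and that the 16+ alphanumeric heuristic also fires on an ordinary screenshot filename, so it is best combined with the keyword or region tests. Every path, image name and argument in SAMPLES is constructed.

```python
import re

# Constructed (image, command line) samples; none are taken from the report.
SAMPLES = {
    "rsbinject_load":   (r"C:\Users\Public\rsbinject.exe",
                         r"C:\Users\Public\rsbinject.exe --load C:\Users\Public\stage.bin"),
    "mspaint_b64":      (r"C:\Windows\System32\mspaint.exe",
                         r"C:\Windows\System32\mspaint.exe aGVsbG8gd29ybGQgZXhmaWw= bucketname"),
    "mspaint_region":   (r"C:\Windows\System32\mspaint.exe",
                         r"C:\Windows\System32\mspaint.exe us-east-1"),
    "benign_paint":     (r"C:\Windows\System32\mspaint.exe",
                         r"C:\Windows\System32\mspaint.exe C:\Users\bob\Pictures\screenshot20250417.png"),
    "benign_installer": (r"C:\Temp\setup.exe",
                         r"C:\Temp\setup.exe --log-level=debug -lang en-US"),
}

def spl_like(value, pattern):
    """Emulate eval like(): '%' matches any run of characters, '_' exactly one."""
    regex = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def spl_term(value, term):
    """Emulate a search-command field test such as CommandLineLower="*base64*".
    '*' is the only wildcard; a term with no '*' must equal the whole field value."""
    regex = ".*".join(re.escape(part) for part in term.split("*"))
    return re.fullmatch(regex, value, re.DOTALL) is not None

# Regexes mirroring the queries above; all run on the lower-cased command line.
FLAG_RE_LOOSE  = re.compile(r"(--load|-l|--test|-t|--flag|-f)")            # as written in the RSBINJECT query
FLAG_RE_STRICT = re.compile(r"(^| )(--load|-l|--test|-t|--flag|-f)( |$)")   # same flags, whole arguments only
LONG_TOKEN_RE  = re.compile(r"[a-z0-9]{16,}")                               # Base64 blobs / identifiers
REGION_RE      = re.compile(r"(us-east-1|eu-west-1|ap-southeast-1)")
KEYWORD_RE     = re.compile(r"(bucketname|accesskey|secretkey|dataexfil)")

def evaluate(image, cmd):
    """Return which of the heuristics fire for one process event."""
    low = cmd.lower()
    return {
        "rsbinject_term_exact": spl_term(low, "rsbinject"),    # never true on a full command line
        "rsbinject_term_wild":  spl_term(low, "*rsbinject*"),
        "flag_loose":  FLAG_RE_LOOSE.search(low) is not None,
        "flag_strict": FLAG_RE_STRICT.search(low) is not None,
        "mspaint":     spl_term(image.lower(), r"c:\windows\system32\mspaint.exe"),
        "long_token":  LONG_TOKEN_RE.search(low) is not None,
        "region":      REGION_RE.search(low) is not None,
        "keyword":     KEYWORD_RE.search(low) is not None,
    }

def evaluate_all(samples=SAMPLES):
    """Evaluate every sample; returns {sample name: {heuristic: fired?}}."""
    return {name: evaluate(image, cmd) for name, (image, cmd) in samples.items()}

if __name__ == "__main__":
    for name, hits in evaluate_all().items():
        print(f"{name:18s} -> {', '.join(k for k, v in hits.items() if v) or 'nothing'}")
```

The benign_installer sample is the one to watch: the loose flag regex fires on it because "-l" occurs inside "--log-level", while the anchored version does not.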
#20250417 dj
mspaint Strange Process Spawn
Sysmon EventCode 1 (process creation) carries ParentImage and ParentUser; EventCode 10 (ProcessAccess) reports SourceImage/TargetImage instead, so the spawn query has to key on EventCode 1.
```
index=win_sysmon EventCode=1 ParentUser="NT AUTHORITY\\SYSTEM" process_name=*
| stats count by _time, ParentUser, ParentImage, process_name, EventCode
| where ParentImage!="C:\\Windows\\explorer.exe" AND ParentImage!="C:\\Windows\\System32\\cmd.exe"
| rename process_name as ProcessName
| table _time, ParentUser, ParentImage, ProcessName, EventCode
```
#20250417 wip yaml
```
title: Detect VARGEIT Malware Execution
id: f1234567-89ab-cdef-0123-456789abcdef
description: Detects potential execution patterns of the VARGEIT backdoor, including DLL sideloading, process injection into mspaint.exe, and network activity linked to Earth Alux operations.
author: YourName
references:
    - https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        Image|endswith:
            - '\mspaint.exe'    # VARGEIT injects payloads into mspaint.exe
        ParentImage|endswith:
            - '\rundll32.exe'   # DLL sideloading through rundll32
    condition: selection
fields:
    - Image
    - ParentImage
    - CommandLine
    - User
level: high
```
**sigma rule for sus graph api usage by non-outlook process**
**sigma sus icmp activity from mspaint**
```
title: Suspicious ICMP Activity from mspaint.exe
id: abcdef12-3456-7890-abcd-ef1234567890
status: experimental
description: |
    Detects Sysmon network events (EventID 3) where the process image is mspaint.exe
    and the protocol used is ICMP, which is unusual for the MS Paint process.
author: Your Name
logsource:
    product: windows
    service: sysmon
detection:
    selection:
        EventID: 3
        Image|endswith: '\mspaint.exe'
        Protocol: ICMP
    condition: selection
falsepositives:
    - Rare legitimate diagnostic tools or scanning software
level: high
```
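Added example, not part of these notes: a small Python evaluator for the two Sigma selections on this page (the rundll32-to-mspaint parent/child rule and the mspaint ICMP rule), run over constructed Sysmon-style events so the AND-across-keys, OR-within-list and |endswith semantics can be checked offline. The events, the documentation address 203.0.113.10 and the rule names are constructed; for real use the rules should be compiled with sigma-cli/pySigma rather than this toy matcher. One caveat on the ICMP rule: Sysmon's Event ID 3 is documented as logging TCP/UDP connections, so confirm that your sensor ever emits Protocol=icmp before relying on it.

```python
# Sigma selection semantics in miniature: every key must match (AND); a list of
# values for one key is an OR; '|endswith' compares suffixes; plain values compare
# whole strings. Sigma string matching is case-insensitive, so both sides are lowered.
VARGEIT_RULE = {
    "Image|endswith": ["\\mspaint.exe"],
    "ParentImage|endswith": ["\\rundll32.exe"],
}
ICMP_RULE = {
    "EventID": 3,
    "Image|endswith": "\\mspaint.exe",
    "Protocol": "ICMP",
}

def _match_value(actual, expected, modifier):
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "endswith":
        return a.endswith(e)
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "contains":
        return e in a
    return a == e

def selection_matches(selection, event):
    """True when every field in the selection is present and matches the event."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(event[field], v, modifier) for v in values):
            return False
    return True

# Constructed Sysmon-like events (not telemetry from the report).
EVENTS = [
    {"name": "rundll32_spawns_mspaint", "EventID": 1,
     "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe", "User": "CORP\\alice"},
    {"name": "explorer_spawns_mspaint", "EventID": 1,
     "Image": r"C:\Windows\System32\mspaint.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\alice"},
    {"name": "mspaint_icmp", "EventID": 3,
     "Image": r"C:\Windows\System32\mspaint.exe",
     "Protocol": "icmp", "DestinationIp": "203.0.113.10"},
    {"name": "mspaint_tcp", "EventID": 3,
     "Image": r"C:\Windows\System32\mspaint.exe",
     "Protocol": "tcp", "DestinationIp": "203.0.113.10"},
    {"name": "ping_icmp", "EventID": 3,
     "Image": r"C:\Windows\System32\PING.EXE",
     "Protocol": "icmp", "DestinationIp": "203.0.113.10"},
]

def run_rules(events=EVENTS):
    """Return {event name: [names of rules whose selection matched]}."""
    rules = {"vargeit_parent_child": VARGEIT_RULE, "mspaint_icmp": ICMP_RULE}
    return {ev["name"]: [r for r, sel in rules.items() if selection_matches(sel, ev)]
            for ev in events}

if __name__ == "__main__":
    for name, fired in run_rules().items():
        print(f"{name:24s} -> {', '.join(fired) or 'no match'}")
```

Only the first and third events fire; the explorer-spawned mspaint and the TCP connection are the benign baseline the rules are meant to ignore, and PING.EXE shows that the suffix match is on the image name, not the protocol alone.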
#suricata wip
```
alert http any any -> any any (msg:"Earth Alux - Potential Godzilla web shell indicator observed in HTTP payload"; flow:to_server,established; content:"Godzilla"; nocase; http_client_body; classtype:trojan-activity; sid:1000002; rev:1;)
```