junk/earth_alux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
cfcf39c9b16a171a99357399215d5f37cc799bc6
earth_alux/spl.md
junk cfcf39c9b1 Add spl.md
2025-04-16 16:19:11 -04:00

5.5 KiB
Raw Blame History

https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/ https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html

Track Suspicious Process and Library Activities

index=* sourcetype=wineventlog EventCode=4688 OR EventCode=7045
| eval CommandLineLower=lower(CommandLine)
| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
| stats count by Account_Name, CommandLine, Parent_Process_Name, Hostname

Monitor for Suspicious Java Execution and Payloads

index=* sourcetype=syslog OR sourcetype=process_monitor
| eval process_lower=lower(process)
| search process_lower="java" AND (process_lower="jakarta.servlet.ServletRequestListener" OR process_lower="javax.servlet.ServletRequestListener")
| stats count by user, process, parent_process, host

Processes decoding Base64-encoded payloads dynamically in memory

index=* sourcetype=process_monitor
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="base64" OR CommandLineLower="aes" OR CommandLineLower="md5"
| stats count by user, process, parent_process, host

Detecting Second-Stage Backdoors

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="cobeacon" OR CommandLineLower="vargeit")
| eval SuspiciousActivity=if(match(CommandLineLower, ".*(c2|beacon|http).*"), "Yes", "No")
| where SuspiciousActivity="Yes"
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count

Splunk Rule for DLL Sideloading Detection

index=* sourcetype=wineventlog EventCode=4688
| eval suspicious_dll=if(match(CommandLine, "(?i)\.dll") AND NOT match(CommandLine, "(?i)(System32|SysWOW64)\\.*\.dll"), 1, 0)
| where suspicious_dll=1
| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
| sort -count

COBEACON loader MASQLOADER

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval EventPath=coalesce(Process_Name, File_Name)
| search EventPath IN ("msmpsrv.exe", "msedge.dll", "ms.log")
| transaction Process_Name maxspan=1s
| where Process_Name="msmpsrv.exe" AND mvfind(File_Name, "msedge.dll") AND mvfind(File_Name, "ms.log")
| stats count by Hostname, EventPath, User, Parent_Process_Name
| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
| sort -count

Detecting VARGEIT Behaviors

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="mspaint" OR CommandLineLower="conhost") 
  OR (CommandLineLower="c2" OR CommandLineLower="firewall" OR CommandLineLower="shellcode")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count

Detecting RSBINJECT Activity

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="rsbinject" OR CommandLineLower="cobeacon")
| where match(CommandLineLower, "(--load|-l|--test|-t|--flag|-f)") OR like(CommandLineLower, "%shellcode%")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count

Detect RAILLOAD

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="vargeit" OR CommandLineLower="railload")
| where like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
| sort -count

Detect RAILSETTER

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="railload" OR CommandLineLower="railsetter")
| search (CommandLineLower="schtasks" OR CommandLineLower="timestomp" OR CommandLineLower="base64" OR CommandLineLower="copy")
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count

mspaint Exfiltration

index=* sourcetype=wineventlog OR sourcetype=sysmon
| eval CommandLineLower=lower(CommandLine)
| search Image="C:\\Windows\\System32\\mspaint.exe"
| where match(CommandLineLower, "[a-zA-Z0-9]{16,}")  /* Detects suspicious long strings like Base64 or unique identifiers */
    OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)") /* Example regions */
    OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count