
https://gbhackers.com/earth-alux-hackers-use-vargiet-malware/
https://www.trendmicro.com/en_us/research/25/c/the-espionage-toolkit-of-earth-alux.html
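Track Suspicious Process and Library Activities

Looks for Java process launches (EventCode 4688) or service installs (EventCode 7045) whose command line or service binary path references the `com.opensymphony.webwork` package. EventCode 7045 records the binary in `Service_File_Name` rather than `CommandLine`, so the two fields are coalesced first; without that, every 7045 event had a null `CommandLineLower` and was dropped by the `where` clause. `stats ... by` silently discards events in which any group-by field is null, so the two fields that 7045 records do not carry are filled with `-`. Field names such as `CommandLine`, `Parent_Process_Name` and `Hostname` depend on the add-on doing the extraction — confirm them against your environment before relying on the rule.

```
index=* sourcetype=wineventlog (EventCode=4688 OR EventCode=7045)
| eval CommandLine=coalesce(CommandLine, Service_File_Name)
| eval CommandLineLower=lower(CommandLine)
| where like(CommandLineLower, "%java%") AND like(CommandLineLower, "%com.opensymphony.webwork%")
| fillnull value="-" Account_Name Parent_Process_Name
| stats count by EventCode, Account_Name, CommandLine, Parent_Process_Name, Hostname
```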
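Monitor for Suspicious Java Execution and Payloads

Flags process records whose process string contains `java` together with one of the two `ServletRequestListener` class names. A single-valued field cannot equal `java` and a class name at the same time, which is what the original `search process_lower="java" AND (process_lower="jakarta..." OR ...)` demanded, so that version matched nothing; substring tests via `like()` are used instead. `like()` is case-sensitive, so the patterns are written in lower case to match the lower-cased field.

```
index=* (sourcetype=syslog OR sourcetype=process_monitor)
| eval process_lower=lower(process)
| where like(process_lower, "%java%")
    AND (like(process_lower, "%jakarta.servlet.servletrequestlistener%")
         OR like(process_lower, "%javax.servlet.servletrequestlistener%"))
| stats count by user, process, parent_process, host
```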
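Processes decoding Base64-encoded payloads dynamically in memory

Surfaces command lines that mention `base64`, `aes` or `md5`. `search field="value"` is an exact match, so the original literals only matched a command line that was exactly the word `base64`; the wildcards below turn them into substring matches. Expect noise from legitimate tooling (hash utilities, certificate handling, scripted encoders) and from unrelated words containing `aes`; tune with an allow-list of parent processes before alerting on it.

```
index=* sourcetype=process_monitor
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*base64*" OR CommandLineLower="*aes*" OR CommandLineLower="*md5*"
| stats count by user, process, parent_process, host
```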
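Detecting Second-Stage Backdoors

Pivots on command lines that mention `cobeacon` or `vargeit` and also contain `c2`, `beacon` or `http`. The original `search CommandLineLower="cobeacon"` was an exact match and could only hit a command line consisting of that single word; wildcards make it a substring test. `match()` is unanchored, so the surrounding `.*` and the intermediate Yes/No field added nothing and were replaced by a direct `where match(...)`. `Image` is a Sysmon field that Windows Security log records typically lack, and `stats ... by` drops rows whose group-by field is null, so it is filled for those records.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*cobeacon*" OR CommandLineLower="*vargeit*"
| where match(CommandLineLower, "c2|beacon|http")
| fillnull value="-" Image Parent_Process_Name
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```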
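Splunk Rule for DLL Sideloading Detection

Flags process creations whose command line references a `.dll` outside `System32`/`SysWOW64`. The exclusion regex had an escaping bug: in an eval string literal `\\` is collapsed to a single backslash before the regex engine sees it, so the original `(System32|SysWOW64)\\.*\.dll` arrived as `(System32|SysWOW64)\.*\.dll` — "System32 followed by zero or more literal dots" — and never excluded a real `System32\x.dll` path. The pattern below uses `[\\\\/]`, which reaches the engine as `[\\/]` (a backslash or a forward slash) after the directory name. `Parent_Image` and `Process_Name` are not present on every 4688 record, and `stats ... by` drops events with a null group-by field, so they are filled. Note that sideloading itself — a legitimately signed binary loading a DLL from its own directory — is not visible in process command lines at all; Sysmon EventCode 7 (`ImageLoaded`) is the telemetry that observes it, and this rule should be treated as a weak heuristic rather than a sideloading detection.

```
index=* sourcetype=wineventlog EventCode=4688
| eval suspicious_dll=if(match(CommandLine, "(?i)\.dll")
      AND NOT match(CommandLine, "(?i)(System32|SysWOW64)[\\\\/].*\.dll"), 1, 0)
| where suspicious_dll=1
| fillnull value="-" Parent_Image Process_Name Parent_Process_Name
| stats count by Parent_Image, Process_Name, CommandLine, Parent_Process_Name, User
| rename Parent_Image as "Parent Process", Process_Name as "Executed Process", CommandLine as "Command Line", Parent_Process_Name as "Parent Process Name", User as "Executing User"
| sort -count
```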
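COBEACON loader MASQLOADER

Correlates, within a one-second window, a `msmpsrv.exe` process with the `msedge.dll` and `ms.log` files named in the reports. `mvfind()` returns a 0-based index or null rather than a boolean, so the original `where ... AND mvfind(...) AND mvfind(...)` either had the expression rejected by `where` or lost every first-element match (index 0); each call is now wrapped in `isnotnull()`, and the patterns are anchored at the end of the value and made case-insensitive so a full path still matches. The `IN (...)` list is an exact match and `Process_Name` often carries a full path, so leading wildcards are added. Whether the file events share `Process_Name` with the process event — which `transaction` needs in order to group them — depends on the add-on's field extraction; confirm that in your data, or group on host and process id instead.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval EventPath=coalesce(Process_Name, File_Name)
| search EventPath IN ("*msmpsrv.exe", "*msedge.dll", "*ms.log")
| transaction Process_Name maxspan=1s
| where isnotnull(mvfind(Process_Name, "(?i)msmpsrv\.exe$"))
    AND isnotnull(mvfind(File_Name, "(?i)msedge\.dll$"))
    AND isnotnull(mvfind(File_Name, "(?i)ms\.log$"))
| fillnull value="-" User Parent_Process_Name
| stats count by Hostname, EventPath, User, Parent_Process_Name
| rename EventPath as "File Transition Path", Parent_Process_Name as "Parent Process", User as "Executing User"
| sort -count
```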
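Detecting VARGEIT Behaviors

Looks for command lines mentioning the host processes the reports associate with VARGEIT (`mspaint`, `conhost`) or the terms `c2`, `firewall`, `shellcode`. The original exact-match literals are replaced with wildcard substring matches. As written the rule is an OR across all five terms: `conhost.exe` is launched for every console program on Windows and `*c2*` matches any string containing those two characters, so it will fire constantly; requiring a process term AND a keyword term (replacing the second `OR` with `AND`) is the first tuning step to consider. `Image` and `File_Path` are not present on every source and `stats ... by` drops rows with a null group-by field, so they are filled.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search (CommandLineLower="*mspaint*" OR CommandLineLower="*conhost*")
    OR (CommandLineLower="*c2*" OR CommandLineLower="*firewall*" OR CommandLineLower="*shellcode*")
| fillnull value="-" Image File_Path Parent_Process_Name
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count
```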
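Detecting RSBINJECT Activity

Surfaces command lines that mention `rsbinject` or `cobeacon` and either carry one of the loader switches or mention shellcode. The original `search CommandLineLower="rsbinject"` was an exact match and could only hit a command line consisting of that single word; wildcards make it a substring test. The switch regex was also unanchored, so `-l`, `-t` or `-f` matched inside unrelated arguments (`-local`, `-tp`, `-force`); each alternative must now stand alone between whitespace or a line boundary. `Image` is a Sysmon field and `stats ... by` drops rows whose group-by field is null, so it is filled for non-Sysmon records.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*rsbinject*" OR CommandLineLower="*cobeacon*"
| where match(CommandLineLower, "(?:^|\s)(--load|-l|--test|-t|--flag|-f)(?:\s|$)")
    OR like(CommandLineLower, "%shellcode%")
| fillnull value="-" Image Parent_Process_Name
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```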
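Detect RAILLOAD

Pivots on command lines mentioning `vargeit` or `railload` that also reference a DLL or one of the configuration-related terms. The original exact-match literals are replaced with wildcard substring matches. `Registry_Key_Path` is only present on registry events and `Image` only on Sysmon records; because `stats ... by` drops rows with a null group-by field, both are filled so process-creation records are not silently discarded.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*vargeit*" OR CommandLineLower="*railload*"
| where like(CommandLineLower, "%dll%") OR match(CommandLineLower, "(encrypted|config|payload|registry)")
| fillnull value="-" Image Registry_Key_Path Parent_Process_Name
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, Registry_Key_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User", Registry_Key_Path as "Registry Access"
| sort -count
```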
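Detect RAILSETTER

Chains two substring filters: a command line mentioning `railload` or `railsetter`, and one of the persistence- or evasion-related terms (`schtasks`, `timestomp`, `base64`, `copy`). The original exact-match literals are replaced with wildcards; note that `*copy*` also matches `xcopy` and `robocopy`, so expect noise from that term. `Image` and `File_Path` are not present on every source and `stats ... by` drops rows with a null group-by field, so they are filled.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search CommandLineLower="*railload*" OR CommandLineLower="*railsetter*"
| search CommandLineLower="*schtasks*" OR CommandLineLower="*timestomp*" OR CommandLineLower="*base64*" OR CommandLineLower="*copy*"
| fillnull value="-" Image File_Path Parent_Process_Name
| stats count by Hostname, User, Parent_Process_Name, CommandLine, Image, File_Path
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", File_Path as "File Path", User as "Executing User"
| sort -count
```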
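mspaint Exfiltration

Flags `mspaint.exe` launched with a command line containing a long alphanumeric run (16 or more characters, such as an encoded blob or an access key), one of the listed cloud region names, or a storage-related keyword. `/* ... */` is not SPL comment syntax and turned the original `where` clause into a parse error, so those annotations now live in this paragraph. The field is already lower-cased, so the `A-Z` range in the character class was redundant and has been dropped. The region list is an example only — extend it with the regions your organisation does (or does not) use. `Image` is a Sysmon field that Windows Security log records typically lack, so the `sourcetype=wineventlog` term will rarely contribute unless that field is extracted for it as well.

```
index=* (sourcetype=wineventlog OR sourcetype=sysmon)
| eval CommandLineLower=lower(CommandLine)
| search Image="C:\\Windows\\System32\\mspaint.exe"
| where match(CommandLineLower, "[a-z0-9]{16,}")
    OR match(CommandLineLower, "(us-east-1|eu-west-1|ap-southeast-1)")
    OR match(CommandLineLower, "(bucketname|accesskey|secretkey|dataexfil)")
| fillnull value="-" Parent_Process_Name
| stats count by Hostname, User, CommandLine, Parent_Process_Name, Image
| rename CommandLine as "Command Line", Parent_Process_Name as "Parent Process", Image as "Executable", User as "Executing User"
| sort -count
```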