From a7c138fcf8f1a98e9c37f59034ba6d872668b51a Mon Sep 17 00:00:00 2001
From: junk
Date: Tue, 15 Apr 2025 15:18:01 -0400
Subject: [PATCH] Add splunk/rules_to_add_to_github.md

---
 splunk/rules_to_add_to_github.md | 96 ++++++++++++++++++++++++++++++++
 1 file changed, 96 insertions(+)
 create mode 100644 splunk/rules_to_add_to_github.md

diff --git a/splunk/rules_to_add_to_github.md b/splunk/rules_to_add_to_github.md
new file mode 100644
index 0000000..de73c0d
--- /dev/null
+++ b/splunk/rules_to_add_to_github.md
@@ -0,0 +1,96 @@
+FRPC Connection attempt
+
+```
+`indextime` sourcetype=zeek* (id.orig_p IN (6000,7000) AND id.resp_p=*) OR (id.resp_p IN (6000,7000) AND id.orig_p=*)
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Detects FRPC communication using designated ports.",
+mitre_category="Command and Control",
+mitre_technique="Application Layer Protocol",
+mitre_technique_id="T0000",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt="Volt Typhoon",
+mitre_link="https://attack.mitre.org/techniques/T1071/",
+creator="Cpl Iverson",
+last_tested="2025-04-15",
+upload_date="2025-04-15",
+last_modify_date="2025-04-15",
+mitre_version="v16.1",
+priority="high"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+```
+title: Detect Connection Between Port 7000 and Port 6000
+id: c1234567-89ab-cdef-0123-456789abcdef
+description: Detects network connections from port 7000 to port 6000
+author: Matthew Iverson
+logsource:
+ product: network
+ service: firewall
+detection:
+ selection:
+ src_port: 7000
+ dest_port: 6000
+ condition: selection
+fields:
+ - src_ip
+ - dest_ip
+ - src_port
+ - dest_port
+level: medium
+```
+
+ICMPDoor
+
+```
+`indextime` sourcetype=zeek* (id.orig_p IN (6000,7000) AND id.resp_p=*) OR (id.resp_p IN (6000,7000) AND id.orig_p=*)
+| eval hash_sha256= lower(hash_sha256),
+hunting_trigger="Detects FRPC communication using designated ports.",
+mitre_category="Command and Control",
+mitre_technique="Application Layer Protocol",
+mitre_technique_id="T0000",
+mitre_subtechnique="",
+mitre_subtechnique_id="",
+apt="Volt Typhoon",
+mitre_link="https://attack.mitre.org/techniques/T1071/",
+creator="Cpl Iverson",
+last_tested="2025-04-15",
+upload_date="2025-04-15",
+last_modify_date="2025-04-15",
+mitre_version="v16.1",
+priority="high"
+| `process_create_whitelist`
+| eval indextime = _indextime
+| convert ctime(indextime)
+| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
+| collect `jarvis_index`
+```
+
+```
+title: Detect ICMP Traffic Related to ICMPDoor Backdoor
+id: 1234abcd-5678-efgh-9101-11213141ijkl
+description: Detects use of ICMP packets for backdoor communication
+author: YourName
+logsource:
+ product: network
+ service: firewall
+detection:
+ selection:
+ protocol: icmp
+ dest_ip:
+ icmp_type:
+ - 0
+ - 8
+ condition: selection
+fields:
+ - src_ip
+ - dest_ip
+ - icmp_type
+ - icmp_code
+level: high
+```
\ No newline at end of file
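Review bot: The SPL search under the `ICMPDoor` heading is a verbatim copy of the FRPC search above it — it still filters on `id.orig_p IN (6000,7000)` / `id.resp_p IN (6000,7000)` and still sets `hunting_trigger="Detects FRPC communication using designated ports."`, so it never selects ICMP traffic and simply writes a second copy of the FRPC matches into `jarvis_index`. It needs its own base search and trigger text; Zeek connection records carry a `proto` field, so something like `` `indextime` sourcetype=zeek* proto=icmp `` is the likely starting point (confirm the field name against the indexed sourcetype), with a trigger such as `"Detects ICMP echo traffic consistent with ICMPDoor tunnelling."`. In both searches the `table` command emits only endpoint fields (`process_path`, `process_command_line`, …) and none of the Zeek connection fields (`id.orig_h`, `id.resp_h`, `id.orig_p`, `id.resp_p`), so the collected events carry nothing to pivot on, and the `process_create_whitelist` macro looks inherited from a process-creation template — worth confirming it does not filter the network events away. Separately, `mitre_technique_id="T0000"` is a placeholder that disagrees with the `mitre_link` pointing at T1071, the ICMPDoor Sigma `id` is not a valid UUID (it contains `efgh` and `ijkl`, which Sigma validators reject), and `dest_ip:` with no value in that rule's selection is a null match rather than a filter.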