junk/spl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add splunk/rules_to_add_to_github.md

Browse Source
This commit is contained in:
junk
2025-04-15 15:18:01 -04:00
parent 264ca53a5d
commit a7c138fcf8
1 changed files with 96 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
splunk/rules_to_add_to_github.md Normal file
View File

@ -0,0 +1,96 @@
FRPC Connection attempt
```
`indextime` sourcetype=zeek* (id.orig_p IN (6000,7000) AND id.resp_p=*) OR (id.resp_p IN (6000,7000) AND id.orig_p=*)
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Detects FRPC communication using designated ports.",
mitre_category="Command and Control",
mitre_technique="Application Layer Protocol",
mitre_technique_id="T0000",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Volt Typhoon",
mitre_link="https://attack.mitre.org/techniques/T1071/",
creator="Cpl Iverson",
last_tested="2025-04-15",
upload_date="2025-04-15",
last_modify_date="2025-04-15",
mitre_version="v16.1",
priority="high"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
title: Detect Connection Between Port 7000 and Port 6000
id: c1234567-89ab-cdef-0123-456789abcdef
description: Detects network connections from port 7000 to port 6000
author: Matthew Iverson
logsource:
product: network
service: firewall
detection:
selection:
src_port: 7000
dest_port: 6000
condition: selection
fields:
- src_ip
- dest_ip
- src_port
- dest_port
level: medium
```
ICMPDoor
```
`indextime` sourcetype=zeek* (id.orig_p IN (6000,7000) AND id.resp_p=*) OR (id.resp_p IN (6000,7000) AND id.orig_p=*)
| eval hash_sha256= lower(hash_sha256),
hunting_trigger="Detects FRPC communication using designated ports.",
mitre_category="Command and Control",
mitre_technique="Application Layer Protocol",
mitre_technique_id="T0000",
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Volt Typhoon",
mitre_link="https://attack.mitre.org/techniques/T1071/",
creator="Cpl Iverson",
last_tested="2025-04-15",
upload_date="2025-04-15",
last_modify_date="2025-04-15",
mitre_version="v16.1",
priority="high"
| `process_create_whitelist`
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description hash_sha256 host_fqdn user_name original_file_name process_path process_guid process_parent_path process_id process_parent_id process_command_line process_parent_command_line process_parent_guid mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`
```
```
title: Detect ICMP Traffic Related to ICMPDoor Backdoor
id: 1234abcd-5678-efgh-9101-11213141ijkl
description: Detects use of ICMP packets for backdoor communication
author: YourName
logsource:
product: network
service: firewall
detection:
selection:
protocol: icmp
dest_ip: <COMPROMISED_SERVER_IP>
icmp_type:
- 0
- 8
condition: selection
fields:
- src_ip
- dest_ip
- icmp_type
- icmp_code
level: high
```