FRPC Connection attempt
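```Hunt: candidate frp client/server (FRPC) traffic. Fires on any Zeek connection where EITHER endpoint uses port 6000 or 7000, regardless of direction. The original predicate "(orig IN ports AND resp=*) OR (resp IN ports AND orig=*)" is rewritten to the equivalent "both port fields present AND either side in the port set" so the intent is visible. NOTE(review): any legitimate service on 6000/7000 will also match - tune per environment.```
`indextime` sourcetype=zeek* id.orig_p=* id.resp_p=* (id.orig_p IN (6000,7000) OR id.resp_p IN (6000,7000))
```Enrichment metadata carried into the hunting index. hash_sha256 is not a Zeek conn field, so lower() normally yields null here; technique id was the placeholder T0000 and is set to T1071 to match the technique name and the link used by the sibling ICMPDoor hunt.```
| eval hash_sha256=lower(hash_sha256),
    hunting_trigger="Detects FRPC communication using designated ports.",
    mitre_category="Command and Control",
    mitre_technique="Application Layer Protocol",
    mitre_technique_id="T1071",
    mitre_subtechnique="",
    mitre_subtechnique_id="",
    apt="Volt Typhoon",
    mitre_link="https://attack.mitre.org/techniques/T1071/",
    creator="Cpl Iverson",
    last_tested="2025-04-15",
    upload_date="2025-04-15",
    last_modify_date="2025-04-15",
    mitre_version="v16.1",
    priority="high"
```NOTE(review): this macro is named for process-creation events; confirm it actually filters network (Zeek) rows sensibly rather than passing everything through.```
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime id.orig_p id.orig_h id.resp_p id.resp_h mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`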
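# Sigma companion to the "FRPC Connection attempt" SPL hunt.
# The SPL matches either direction (6000 or 7000 on either endpoint); the
# original Sigma rule only matched 7000 -> 6000, so the reverse direction is
# added here to keep the two in step.
title: Detect Connection Between Port 7000 and Port 6000
id: c1234567-89ab-cdef-0123-456789abcdef
status: experimental
description: >
  Detects network connections between port 7000 and port 6000 in either
  direction, a port pairing associated with frp client/server (FRPC)
  tunnelling. Any legitimate service bound to these ports will also match.
author: Matthew Iverson
date: 2025-04-15
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  product: network
  service: firewall
detection:
  selection_fwd:
    src_port: 7000
    dest_port: 6000
  selection_rev:
    src_port: 6000
    dest_port: 7000
  condition: 1 of selection_*
fields:
  - src_ip
  - dest_ip
  - src_port
  - dest_port
falsepositives:
  - Any legitimate service listening on port 6000 or 7000
# NOTE(review): the SPL hunt carries priority="high"; level is left at medium
# as originally written - align the two if they are meant to agree.
level: medium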
ICMPDoor
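```Hunt: ICMPDoor backdoor traffic. Matches ICMP echo request (type 8) and echo reply (type 0). NOTE(review): without a host or rate constraint this is every ping in the environment and will be very noisy.```
`indextime` sourcetype=zeek*
```Zeek conn.log has no icmp_type/icmp_code fields by default: for proto=icmp it carries the ICMP type in id.orig_p and the code in id.resp_p, and the endpoints in id.orig_h/id.resp_h. Fall back to those when the dedicated fields are absent so the where-clause and the table below are populated - confirm against the field set actually present in this index.```
| eval icmp_type=coalesce(icmp_type, if(proto="icmp", 'id.orig_p', null())),
    icmp_code=coalesce(icmp_code, if(proto="icmp", 'id.resp_p', null())),
    src_ip=coalesce(src_ip, 'id.orig_h'),
    dest_ip=coalesce(dest_ip, 'id.resp_h')
| where icmp_type=0 OR icmp_type=8
```Enrichment metadata. hunting_trigger previously described the FRPC hunt (copy-paste); technique id was the placeholder T0000 while mitre_link already pointed at T1071.```
| eval hash_sha256=lower(hash_sha256),
    hunting_trigger="Detects ICMP echo request/reply traffic that may carry ICMPDoor backdoor communication.",
    mitre_category="Command and Control",
    mitre_technique="Application Layer Protocol",
    mitre_technique_id="T1071",
    mitre_subtechnique="",
    mitre_subtechnique_id="",
    apt="Volt Typhoon",
    mitre_link="https://attack.mitre.org/techniques/T1071/",
    creator="Cpl Iverson",
    last_tested="",
    upload_date="2025-04-15",
    last_modify_date="2025-04-15",
    mitre_version="v16.1",
    priority="high"
```TODO(review): last_tested is empty - populate once the hunt has been run against live data. The whitelist macro below is named for process-creation events; confirm it is meaningful for network rows.```
| `process_create_whitelist`
| eval indextime=_indextime
| convert ctime(indextime)
| table _time indextime event_description src_ip dest_ip icmp_type icmp_code mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`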
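# Sigma companion to the "ICMPDoor" SPL hunt.
title: Detect ICMP Traffic Related to ICMPDoor Backdoor
# TODO(review): not a valid UUID - 'efgh' and 'ijkl' are not hex digits.
# Regenerate a proper UUIDv4 before this rule is published or indexed.
id: 1234abcd-5678-efgh-9101-11213141ijkl
status: experimental
description: >
  Detects ICMP echo request/reply packets (types 8 and 0) to a known
  compromised host, the channel used by the ICMPDoor backdoor. Normal ping
  traffic uses the same types, so the destination scoping is what keeps
  this rule usable.
# TODO(review): placeholder author - the matching SPL hunt lists "Cpl Iverson".
author: YourName
date: 2025-04-15
tags:
  - attack.command_and_control
  - attack.t1071
logsource:
  product: network
  service: firewall
detection:
  selection:
    protocol: icmp
    # Placeholder: must be replaced with the real host(s) before deployment.
    # As written the rule matches nothing; dropping the line instead makes it
    # fire on every echo request/reply in the environment.
    dest_ip: '<COMPROMISED_SERVER_IP>'
    icmp_type:
      - 0
      - 8
  condition: selection
fields:
  - src_ip
  - dest_ip
  - icmp_type
  - icmp_code
falsepositives:
  - Legitimate ICMP echo traffic (monitoring, reachability checks) to the scoped host
level: high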
IPsec from outside
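```Hunt: IPsec/IKE (port 500) or 137.0.0.0/16-sourced traffic from outside the RFC 1918 ranges. NOTE(review): no protocol filter is applied, so TCP/500 matches as well as UDP/500; events with no src_ip pass the first where (cidrmatch on null is false) and are only kept if they hit port 500.```
`indextime` sourcetype=syslog
| where NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip)
| where cidrmatch("137.0.0.0/16", src_ip) OR src_port=500 OR dest_port=500
```Normalise per-event fields BEFORE aggregating: stats drops every field that is not a by-field or an aggregate, so in the original query _time, _indextime, hash_sha256, event_description and http_header were all null by the time they were tabled (hash_sha256 was therefore always "N/A" and indextime always blank).```
| eval hash_sha256=if(isnull(hash_sha256), "N/A", lower(hash_sha256)),
    indextime=_indextime
| stats count,
    min(_time) AS _time,
    max(indextime) AS indextime,
    values(event_description) AS event_description,
    values(hash_sha256) AS hash_sha256,
    values(http_header) AS http_header
    BY src_ip, dest_ip, src_port, dest_port
| sort - count
```Enrichment metadata. NOTE(review): "Network Service Scanning" (T1046, Discovery) does not obviously describe inbound IKE/IPsec use - confirm the intended mapping. mitre_version here is "v16" while the sibling hunts use "v16.1".```
| eval hunting_trigger="Detects suspicious connections from non-private source IPs (or the 137.0.0.0/16 range) or port 500 usage.",
    mitre_category="Discovery",
    mitre_technique="Network Service Scanning",
    mitre_technique_id="T1046",
    mitre_subtechnique="",
    mitre_subtechnique_id="",
    apt="Volt Typhoon",
    mitre_link="https://attack.mitre.org/techniques/T1046/",
    creator="Sgt Iverson",
    last_tested="",
    upload_date="2025-04-15",
    last_modify_date="2025-04-15",
    mitre_version="v16",
    priority="high"
| convert ctime(indextime)
| table _time, indextime, event_description, hash_sha256, src_ip, dest_ip, src_port, dest_port, http_header, mitre_category, mitre_technique, mitre_technique_id, hunting_trigger, mitre_subtechnique, mitre_subtechnique_id, apt, mitre_link, creator, last_tested, upload_date, last_modify_date, mitre_version, priority
| collect `jarvis_index`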
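# Sigma companion to the "IPsec from outside" SPL hunt.
# The original detection was not valid Sigma: values in a list are OR-ed, "!"
# is not a negation operator, CIDR matching needs the |cidr modifier, and
# src_port/dest_port in one selection are AND-ed (the SPL ORs them). The
# selection/filter split below reproduces the SPL logic:
#   (src_ip in 137.0.0.0/16 OR src_port=500 OR dest_port=500) AND NOT rfc1918(src_ip)
title: Detect Suspicious Connections to Non-Private IPs or Port 500 Usage
id: b4a8cfa4-7a21-4f8a-9383-1234abcd5678
status: experimental
description: >
  Detects connections whose source is outside the RFC 1918 private ranges and
  that either originate from 137.0.0.0/16 or use port 500 (IKE/IPsec) on
  either side. Enrichment fields are carried for the hunting index.
author: Sgt Iverson
date: 2025-04-15
tags:
  - attack.discovery
  - attack.t1046
logsource:
  product: network
  service: syslog
detection:
  selection_range:
    src_ip|cidr: '137.0.0.0/16'
  selection_src_port:
    src_port: 500
  selection_dst_port:
    dest_port: 500
  filter_private:
    src_ip|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: 1 of selection_* and not filter_private
fields:
  - src_ip
  - dest_ip
  - src_port
  - dest_port
  - hash_sha256
  - http_header
falsepositives:
  - Legitimate site-to-site or remote-access IPsec peers outside the private ranges
# NOTE(review): "Network Service Scanning" (T1046) does not obviously describe
# inbound IKE/IPsec traffic - confirm the intended ATT&CK mapping.
# "enrichment" is not a standard Sigma key; it is kept for the local pipeline.
enrichment:
  hunting_trigger: "Detects suspicious connections from non-private source IPs or port 500 usage."
  mitre_category: "Discovery"
  mitre_technique: "Network Service Scanning"
  mitre_technique_id: "T1046"
  apt: "Volt Typhoon"
  mitre_link: "https://attack.mitre.org/techniques/T1046/"
  creator: "Sgt Iverson"
  upload_date: "2025-04-15"
  last_modify_date: "2025-04-15"
  mitre_version: "v16"
  priority: "high"
level: high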