spl/splunk/rules_to_add_to_github.md


FRPC connection attempt

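`indextime` sourcetype=zeek* (id.orig_p IN (6000,7000) AND id.resp_p=*) OR (id.resp_p IN (6000,7000) AND id.orig_p=*) ```Either endpoint on 6000 or 7000, in both directions. The Sigma rule below only covers src 7000 to dest 6000, so the two are not equivalent```
| eval hunting_trigger="Detects FRPC communication using designated ports.", ```hash_sha256 eval dropped: not a conn.log field and it never reached the table below```
mitre_category="Command and Control",
mitre_technique="Application Layer Protocol",
mitre_technique_id="T1071", ```T0000 placeholder replaced. T1071 is Application Layer Protocol, the same technique the ICMPDoor rule links to```
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Volt Typhoon",
mitre_link="https://attack.mitre.org/techniques/T1071/",
creator="Cpl Iverson",
last_tested="2025-04-15",
upload_date="2025-04-15",
last_modify_date="2025-04-15",
mitre_version="v16.1",
priority="high"
| `process_create_whitelist` ```NOTE(review): a process-creation whitelist applied to Zeek network events. Confirm the macro is a no-op on conn data or swap in a network whitelist```
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime id.orig_p id.orig_h id.resp_p id.resp_h mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority
| collect `jarvis_index`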
# Sigma counterpart of the FRPC SPL search above.
# NOTE(review): this rule only matches src_port 7000 -> dest_port 6000, while the SPL search
# matches either endpoint on 6000 or 7000 in both directions. Align the two or document
# the narrower scope here.
title: Detect Connection Between Port 7000 and Port 6000
# TODO(review): looks like a sequential placeholder; generate a fresh UUID before sharing.
id: c1234567-89ab-cdef-0123-456789abcdef
description: Detects network connections from port 7000 to port 6000
author: Matthew Iverson
logsource:
  product: network
  service: firewall
detection:
  selection:
    # One direction only (see note above).
    src_port: 7000
    dest_port: 6000
  condition: selection
# NOTE(review): dest_* are Splunk CIM field names; confirm they match the field mapping
# of whatever backend/pipeline converts this rule.
fields:
  - src_ip
  - dest_ip
  - src_port
  - dest_port
level: medium

ICMPDoor

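`indextime` sourcetype=zeek*
| where icmp_type=0 OR icmp_type=8 ```echo reply (0) and echo request (8). NOTE(review): Zeek conn.log carries the ICMP type/code in id.orig_p/id.resp_p, so confirm this sourcetype really populates icmp_type, otherwise the where clause drops every event```
| eval hunting_trigger="Detects ICMP echo request/reply traffic that may carry ICMPDoor backdoor communication.", ```was a copy-paste of the FRPC trigger text. hash_sha256 eval dropped: not a conn.log field and it never reached the table below```
mitre_category="Command and Control",
mitre_technique="Application Layer Protocol",
mitre_technique_id="T1071", ```T0000 placeholder replaced so the id matches mitre_link below```
mitre_subtechnique="",
mitre_subtechnique_id="",
apt="Volt Typhoon",
mitre_link="https://attack.mitre.org/techniques/T1071/",
creator="Cpl Iverson",
last_tested="", ```fill in once the search has been validated against real ICMP events```
upload_date="2025-04-15",
last_modify_date="2025-04-15",
mitre_version="v16.1",
priority="high"
| `process_create_whitelist` ```NOTE(review): a process-creation whitelist applied to Zeek network events. Confirm the macro is a no-op on conn data or swap in a network whitelist```
| eval indextime = _indextime
| convert ctime(indextime)
| table _time indextime event_description src_ip dest_ip icmp_type icmp_code mitre_category mitre_technique mitre_technique_id hunting_trigger mitre_subtechnique mitre_subtechnique_id apt mitre_link creator last_tested upload_date last_modify_date mitre_version priority ```NOTE(review): event_description, src_ip and dest_ip are CIM names. Zeek conn events use id.orig_h and id.resp_h unless a field alias maps them, so these columns may come back empty```
| collect `jarvis_index`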
# Sigma counterpart of the ICMPDoor SPL search above.
title: Detect ICMP Traffic Related to ICMPDoor Backdoor
# TODO(review): not a valid UUID (contains the non-hex characters efgh/ijkl); regenerate before use.
id: 1234abcd-5678-efgh-9101-11213141ijkl
description: Detects use of ICMP packets for backdoor communication
# TODO(review): placeholder author.
author: YourName
logsource:
  product: network
  service: firewall
detection:
  selection:
    protocol: icmp
    # TODO(review): placeholder value; the rule matches nothing until it is set. The SPL search
    # above has no destination filter, so either fill this in per deployment or drop it to match.
    dest_ip: <COMPROMISED_SERVER_IP>
    # 0 = echo reply, 8 = echo request (same types as the SPL where clause).
    icmp_type:
      - 0
      - 8
  condition: selection
# NOTE(review): dest_ip is a Splunk CIM field name; confirm it matches the field mapping of
# whatever backend/pipeline converts this rule.
fields:
  - src_ip
  - dest_ip
  - icmp_type
  - icmp_code
level: high