

add packs entry
mthaxton committed May 17, 2024
1 parent 677f63b commit 3257018
Showing 1 changed file with 9 additions and 0 deletions.
9 changes: 9 additions & 0 deletions packs/win_malware.conf
Expand Up @@ -631,6 +631,15 @@
"windows"
]
},
"aramgeddon_vbs_backdoor": {
"query": "SELECT f.filename, f.path, f.directory, st.name, st.action FROM file f JOIN scheduled_tasks st ON st.action LIKE concat('%', concat(f.filename, '%')) WHERE lower(f.directory) LIKE '%%\appdata\roaming\%' AND f.path LIKE '%.%%' AND lower(st.action) LIKE '%e:vbscript%' AND (SELECT COUNT(*) FROM file WHERE lower(directory) LIKE '%%\appdata\roaming\%' AND path LIKE '%.%%') >= 2;",
"interval": 86400,
"snapshot": true,
"description": "A backdoor associated with the Armageddon threat actor was installed on the system. Armageddon is a group notable for performing attacks on behalf of the Russian Federal Security Service (FSB). This backdoor is written in Visual Basic and serves to establish persistence on the system and then download & execute additional files on the system.",
"platform": [
"windows"
]
},
"ransomware_funicorn_filepath": {
"query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE (f.directory LIKE 'C:\\Users\\%%' AND f.filename LIKE regex_match(f.filename, '\\S+\\.fuckunicornhtrhrtjrjy$', 0)); ",
"interval": 86400,
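Review bot: The backslashes inside the new `aramgeddon_vbs_backdoor` query are single (`'%%\appdata\roaming\%'`), but this pack is JSON, where `\a` is not a valid escape and `\r` decodes to a carriage return, so the file will either fail to parse or carry a pattern that can never match; the sibling `ransomware_funicorn_filepath` entry below doubles them (`'C:\\Users\\%%'`). Both occurrences, in the outer WHERE and in the `COUNT(*)` subquery, should read `'%%\\appdata\\roaming\\%'`. Wrapping the column as `lower(f.directory)` / `lower(directory)` also looks likely to keep osquery from pushing the LIKE constraint into the `file` table, which needs a path or directory constraint to enumerate anything, and SQLite `LIKE` is already case-insensitive for ASCII, so the plain `f.directory LIKE ...` form used in the neighbouring entry appears sufficient — worth confirming on a test host before this ships. The key `aramgeddon_vbs_backdoor` also misspells the actor named in its description; renaming it `armageddon_vbs_backdoor` now is cheap, before downstream alerting starts keying on it.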

