From 32570182d76570a47bf161ff717896bc1488896e Mon Sep 17 00:00:00 2001
From: mthaxton
Date: Fri, 17 May 2024 15:09:51 -0500
Subject: [PATCH] add packs entry

---
 packs/win_malware.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/packs/win_malware.conf b/packs/win_malware.conf
index ff306b5..35f9224 100644
--- a/packs/win_malware.conf
+++ b/packs/win_malware.conf
@@ -631,6 +631,15 @@
  "windows"
  ]
  },
+ "aramgeddon_vbs_backdoor": {
+ "query": "SELECT f.filename, f.path, f.directory, st.name, st.action FROM file f JOIN scheduled_tasks st ON st.action LIKE concat('%', concat(f.filename, '%')) WHERE lower(f.directory) LIKE '%%\appdata\roaming\%' AND f.path LIKE '%.%%' AND lower(st.action) LIKE '%e:vbscript%' AND (SELECT COUNT(*) FROM file WHERE lower(directory) LIKE '%%\appdata\roaming\%' AND path LIKE '%.%%') >= 2;",
+ "interval": 86400,
+ "snapshot": true,
+ "description": "A backdoor associated with the Armageddon threat actor was installed on the system. Armageddon is a group notable for performing attacks on behalf of the Russian Federal Security Service (FSB). This backdoor is written in Visual Basic and serves to establish persistence on the system and then download & execute additional files on the system.",
+ "platform": [
+ "windows"
+ ]
+ },
  "ransomware_funicorn_filepath": {
  "query": "SELECT f.path, f.directory, f.filename, h.sha256, f.uid, f.gid, f.mode, f.size, DATETIME(f.atime, 'unixepoch', 'UTC') AS last_access_time, DATETIME(f.mtime, 'unixepoch', 'UTC') AS last_modified, DATETIME(f.ctime, 'unixepoch', 'UTC') AS last_status_change_time, DATETIME(f.btime, 'unixepoch', 'UTC') AS creation_time, f.type FROM file f LEFT JOIN hash h ON f.path=h.path WHERE (f.directory LIKE 'C:\\Users\\%%' AND f.filename LIKE regex_match(f.filename, '\\S+\\.fuckunicornhtrhrtjrjy$', 0)); ",
  "interval": 86400,
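Review bot: The new query string uses single backslashes in `'%%\appdata\roaming\%'` (in the outer WHERE and again in the COUNT subquery), so inside a JSON string `\r` decodes to a carriage return and `\a` / `\%` are not valid escapes; the neighbouring `ransomware_funicorn_filepath` entry escapes its path as `'C:\\Users\\%%'`, so this entry should read `lower(f.directory) LIKE '%%\\appdata\\roaming\\%'` (same in the subquery). Separately, both `file` predicates wrap the column in `lower()` and begin the pattern with a wildcard; as far as I recall osquery's file table only acts on a constraint placed directly on `path` or `directory` and needs an absolute root such as `C:\\Users\\%\\AppData\\Roaming\\%%`, so the query may return no rows at all and is worth checking with `osqueryi` before shipping. The key `aramgeddon_vbs_backdoor` is also misspelt relative to the description's "Armageddon", which will make the pack harder to grep once it is deployed.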