Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the AwfulShred malware, including file wiping with shred, process kills, service stops, and system reboot via the SysRq (system request) key.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-01-24
  • Author: Teoderick Contreras, Splunk
  • ID: e36935ce-f48c-4fb2-8109-7e80c1cdc9e2

Narrative

AwfulShred is a malicious Linux shell script designed to corrupt or wipe the targeted Linux system. It uses the shred command to overwrite files rather than merely delete them, so that the data cannot be recovered. This obfuscated script can also disable and corrupt the Apache/HTTP and SSH services, deactivate swap, clear the bash history, and finally reboot the system.

Detections

Name | Technique | Type
Linux Data Destruction Command | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Deletion Of Services | Data Destruction, File Deletion, Indicator Removal | TTP
Linux Disable Services | Service Stop | TTP
Linux Hardware Addition SwapOff | Hardware Additions | Anomaly
Linux Impair Defenses Process Kill | Disable or Modify Tools, Impair Defenses | Hunting
Linux Indicator Removal Clear Cache | Indicator Removal | TTP
Linux Indicator Removal Service File Deletion | File Deletion, Indicator Removal | Anomaly
Linux Service Restarted | Systemd Timers, Scheduled Task/Job | Anomaly
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Stop Services | Service Stop | TTP
Linux System Reboot Via System Request Key | System Shutdown/Reboot | TTP
Linux Unix Shell Enable All SysRq Functions | Unix Shell, Command and Scripting Interpreter | Anomaly
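
The following is an added example, not Splunk's own searches or code: an offline emulation of the process-command-line matching that the detections in the table above perform against the behaviours described in the narrative, run over constructed Endpoint-style process events. It also adds a per-host correlation step showing why an analytic story groups these detections: any one of them (a `systemctl stop apache2`, a `swapoff -a`) is routine administration, while several distinct AwfulShred TTPs on the same host in one window is the signal worth paging on. The rule names mirror the table where a detection exists; the regexes, the `ProcessEvent` fields, the threshold of three and the sample events are all assumptions made for this example.

```python
"""
Added example (not part of the Splunk analytic story or its SPL): regex
approximations of the AwfulShred detections above, run over constructed
process events, followed by a per-host correlation step.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    host: str      # roughly Endpoint.Processes.dest
    user: str      # roughly Endpoint.Processes.user
    cmdline: str   # roughly Endpoint.Processes.process (full command line)


# Illustrative patterns (assumptions for this example, not the published SPL).
# Service names follow the narrative: Apache/HTTP and SSH.
SERVICES = r"(?:apache2|httpd|sshd?)\b"
RULES: Dict[str, re.Pattern] = {
    "Linux Shred Overwrite Command":
        re.compile(r"(?:^|/|\s)shred\s+.*?(?:-[a-z]*[nuz]|--iterations|--remove|--zero)"),
    "Linux Deleting Critical Directory Using RM Command":
        re.compile(r"(?:^|/|\s)rm\s+(?:-[a-z]*r[a-z]*|--recursive)\s+.*?"
                   r"(?:/boot|/etc|/var|/usr|/home|/\s|/$)"),
    "Linux Disable Services":
        re.compile(r"systemctl\s+disable\s+(?:\S+\s+)*?" + SERVICES),
    "Linux Stop Services":
        re.compile(r"systemctl\s+stop\s+(?:\S+\s+)*?" + SERVICES),
    "Linux Hardware Addition SwapOff":
        re.compile(r"(?:^|/|\s)swapoff\s+(?:-a\b|--all\b|/)"),
    "Linux Indicator Removal Clear Cache":
        re.compile(r"echo\s+[123]\s*>\s*/proc/sys/vm/drop_caches"),
    "Linux Unix Shell Enable All SysRq Functions":
        re.compile(r"echo\s+1\s*>\s*/proc/sys/kernel/sysrq|kernel\.sysrq\s*=\s*1"),
    "Linux System Reboot Via System Request Key":
        re.compile(r"echo\s+b\s*>\s*/proc/sysrq-trigger"),
    # Narrative behaviour with no dedicated detection in the table above.
    "Bash history cleared (narrative, no listed detection)":
        re.compile(r"history\s+-c\b|(?:^|/|\s)rm\s+.*\.bash_history|unset\s+HISTFILE"),
}

# Constructed sample events: web01 runs an AwfulShred-like chain, admin02 does
# routine administration that happens to trip exactly one rule.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("web01", "root", "shred -n 3 -z -u /var/www/html/index.html"),
    ProcessEvent("web01", "root", "systemctl disable apache2"),
    ProcessEvent("web01", "root", "systemctl stop sshd"),
    ProcessEvent("web01", "root", "swapoff -a"),
    ProcessEvent("web01", "root", "rm -rf /boot"),
    ProcessEvent("web01", "root", "rm -f /root/.bash_history"),
    ProcessEvent("web01", "root", "sh -c 'sync; echo 3 > /proc/sys/vm/drop_caches'"),
    ProcessEvent("web01", "root", "sh -c 'echo 1 > /proc/sys/kernel/sysrq'"),
    ProcessEvent("web01", "root", "sh -c 'echo b > /proc/sysrq-trigger'"),
    ProcessEvent("admin02", "ops", "systemctl stop apache2"),
    ProcessEvent("admin02", "ops", "systemctl start apache2"),
    ProcessEvent("admin02", "ops", "rm -rf /tmp/build-cache"),
    ProcessEvent("admin02", "ops", "ls -la /var/log"),
]


def run_rules(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return one (host, rule_name, cmdline) tuple per rule that fires on an event."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        for name, pattern in RULES.items():
            if pattern.search(ev.cmdline):
                hits.append((ev.host, name, ev.cmdline))
    return hits


def correlate(hits: List[Tuple[str, str, str]], threshold: int = 3) -> Dict[str, List[str]]:
    """Hosts on which at least `threshold` distinct rules fired, mapped to those rule names.

    A single hit is admin noise; several distinct AwfulShred TTPs on one host is
    the story-level signal. The threshold of 3 is an assumption for this example.
    """
    per_host: Dict[str, set] = defaultdict(set)
    for host, name, _ in hits:
        per_host[host].add(name)
    return {h: sorted(n) for h, n in per_host.items() if len(n) >= threshold}


if __name__ == "__main__":
    found = run_rules(SAMPLE_EVENTS)
    for host, rule, cmd in found:
        print(f"{host:8} {rule:55} {cmd}")
    print("Story-level hosts:", correlate(found))
```

Run as a script it prints every rule hit, then only `web01` as a story-level host; `admin02` fires one rule and stays below the threshold. In a real deployment the same grouping is done in Splunk by the story's detections writing risk events that are then aggregated per host, and the individual patterns should be tuned against your own baseline of administrative command lines before being trusted.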

Reference

source | version: 1