Data Destruction

Try in Splunk Security Cloud

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of “DoubleZero Destructor”, “CaddyWiper”, “AcidRain”, “AwfulShred”, “Hermetic Wiper”, “Swift Slicer”, “Whisper Gate” and many more.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Email, Endpoint
• Last Updated: 2023-04-06
• Author: Teoderick Contreras, Splunk
• ID: 4ae5c0d1-cebd-47d1-bfce-71bf096e38aa

Narrative

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.

Detections

Name	Technique	Type
Active Setup Registry Autostart	Active Setup, Boot or Logon Autostart Execution	TTP
Add or Set Windows Defender Exclusion	Disable or Modify Tools, Impair Defenses	TTP
AdsiSearcher Account Discovery	Domain Account, Account Discovery	TTP
Any Powershell DownloadFile	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Any Powershell DownloadString	Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer	TTP
Attempt To Stop Security Service	Disable or Modify Tools, Impair Defenses	TTP
Attempted Credential Dump From Registry via Reg exe	Security Account Manager, OS Credential Dumping	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Change Default File Association	Change Default File Association, Event Triggered Execution	TTP
Child Processes of Spoolsv exe	Exploitation for Privilege Escalation	TTP
Detect Empire with PowerShell Script Block Logging	Command and Scripting Interpreter, PowerShell	TTP
Detect Mimikatz With PowerShell Script Block Logging	OS Credential Dumping, PowerShell	TTP
Dump LSASS via comsvcs DLL	LSASS Memory, OS Credential Dumping	TTP
ETW Registry Disabled	Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses	TTP
Email Attachments With Lots Of Spaces		Anomaly
Excessive File Deletion In WinDefender Folder	Data Destruction	TTP
Executable File Written in Administrative SMB Share	Remote Services, SMB/Windows Admin Shares	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Impacket Lateral Movement Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement WMIExec Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement smbexec CommandLine Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Kerberoasting spn request with RC4 encryption	Steal or Forge Kerberos Tickets, Kerberoasting	TTP
Linux Adding Crontab Using List Parameter	Cron, Scheduled Task/Job	Hunting
Linux DD File Overwrite	Data Destruction	TTP
Linux Data Destruction Command	Data Destruction	TTP
Linux Deleting Critical Directory Using RM Command	Data Destruction	TTP
Linux Deletion Of Cron Jobs	Data Destruction, File Deletion, Indicator Removal	Anomaly
Linux Deletion Of Init Daemon Script	Data Destruction, File Deletion, Indicator Removal	TTP
Linux Deletion Of Services	Data Destruction, File Deletion, Indicator Removal	TTP
Linux Disable Services	Service Stop	TTP
Linux Hardware Addition SwapOff	Hardware Additions	Anomaly
Linux High Frequency Of File Deletion In Boot Folder	Data Destruction, File Deletion, Indicator Removal	TTP
Linux High Frequency Of File Deletion In Etc Folder	Data Destruction, File Deletion, Indicator Removal	Anomaly
Linux Impair Defenses Process Kill	Disable or Modify Tools, Impair Defenses	Hunting
Linux Indicator Removal Clear Cache	Indicator Removal	TTP
Linux Indicator Removal Service File Deletion	File Deletion, Indicator Removal	Anomaly
Linux Java Spawning Shell	Exploit Public-Facing Application	TTP
Linux Service Restarted	Systemd Timers, Scheduled Task/Job	Anomaly
Linux Shred Overwrite Command	Data Destruction	TTP
Linux Stdout Redirection To Dev Null File	Disable or Modify System Firewall, Impair Defenses	Anomaly
Linux Stop Services	Service Stop	TTP
Linux System Network Discovery	System Network Configuration Discovery	Anomaly
Linux System Reboot Via System Request Key	System Shutdown/Reboot	TTP
Linux Unix Shell Enable All SysRq Functions	Unix Shell, Command and Scripting Interpreter	Anomaly
Logon Script Event Trigger Execution	Boot or Logon Initialization Scripts, Logon Script (Windows)	TTP
MSI Module Loaded by Non-System Binary	DLL Side-Loading, Hijack Execution Flow	Hunting
Malicious PowerShell Process - Encoded Command	Obfuscated Files or Information	Hunting
Malicious PowerShell Process With Obfuscation Techniques	Command and Scripting Interpreter, PowerShell	TTP
Overwriting Accessibility Binaries	Event Triggered Execution, Accessibility Features	TTP
Ping Sleep Batch Command	Virtualization/Sandbox Evasion, Time Based Evasion	Anomaly
Possible Lateral Movement PowerShell Spawn	Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC	TTP
PowerShell - Connect To Internet With Hidden Window	PowerShell, Command and Scripting Interpreter	Hunting
PowerShell 4104 Hunting	Command and Scripting Interpreter, PowerShell	Hunting
PowerShell Domain Enumeration	Command and Scripting Interpreter, PowerShell	TTP
PowerShell Loading DotNET into Memory via Reflection	Command and Scripting Interpreter, PowerShell	TTP
Powershell Enable SMB1Protocol Feature	Obfuscated Files or Information, Indicator Removal from Tools	TTP
Powershell Execute COM Object	Component Object Model Hijacking, Event Triggered Execution, PowerShell	TTP
Powershell Fileless Process Injection via GetProcAddress	Command and Scripting Interpreter, Process Injection, PowerShell	TTP
Powershell Fileless Script Contains Base64 Encoded Content	Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell	TTP
Powershell Processing Stream Of Data	Command and Scripting Interpreter, PowerShell	TTP
Powershell Remove Windows Defender Directory	Disable or Modify Tools, Impair Defenses	TTP
Powershell Using memory As Backing Store	PowerShell, Command and Scripting Interpreter	TTP
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools, Impair Defenses	TTP
Print Processor Registry Autostart	Print Processors, Boot or Logon Autostart Execution	TTP
Process Deleting Its Process File Path	Indicator Removal	TTP
Recon AVProduct Through Pwh or WMI	Gather Victim Host Information	TTP
Recon Using WMI Class	Gather Victim Host Information, PowerShell	Anomaly
Registry Keys Used For Privilege Escalation	Image File Execution Options Injection, Event Triggered Execution	TTP
Regsvr32 Silent and Install Param Dll Loading	System Binary Proxy Execution, Regsvr32	Anomaly
Runas Execution in CommandLine	Access Token Manipulation, Token Impersonation/Theft	Hunting
Schtasks Run Task On Demand	Scheduled Task/Job	TTP
Screensaver Event Trigger Execution	Event Triggered Execution, Screensaver	TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass	Command and Scripting Interpreter, PowerShell	TTP
Suspicious Email Attachment Extensions	Spearphishing Attachment, Phishing	Anomaly
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious Process With Discord DNS Query	Visual Basic, Command and Scripting Interpreter	Anomaly
Time Provider Persistence Registry	Time Providers, Boot or Logon Autostart Execution	TTP
Unloading AMSI via Reflection	Impair Defenses, PowerShell, Command and Scripting Interpreter	TTP
W3WP Spawning Shell	Server Software Component, Web Shell	TTP
WMI Recon Running Process Or Services	Gather Victim Host Information	Anomaly
WinEvent Scheduled Task Created Within Public Path	Scheduled Task, Scheduled Task/Job	TTP
WinEvent Windows Task Scheduler Event Action Started	Scheduled Task	Hunting
Windows Data Destruction Recursive Exec Files Deletion	Data Destruction	TTP
Windows Deleted Registry By A Non Critical Process File Path	Modify Registry	Anomaly
Windows Disable Memory Crash Dump	Data Destruction	TTP
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows File Without Extension In Critical Folder	Data Destruction	TTP
Windows Hidden Schedule Task Settings	Scheduled Task/Job	TTP
Windows High File Deletion Frequency	Data Destruction	Anomaly
Windows InstallUtil in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows Linked Policies In ADSI Discovery	Domain Account, Account Discovery	Anomaly
Windows Modify Show Compress Color And Info Tip Registry	Modify Registry	TTP
Windows NirSoft AdvancedRun	Tool	TTP
Windows NirSoft Utilities	Tool	Hunting
Windows Processes Killed By Industroyer2 Malware	Service Stop	Anomaly
Windows Raw Access To Disk Volume Partition	Disk Structure Wipe, Disk Wipe	Anomaly
Windows Raw Access To Master Boot Record Drive	Disk Structure Wipe, Disk Wipe	TTP
Windows Root Domain linked policies Discovery	Domain Account, Account Discovery	Anomaly
Windows Terminating Lsass Process	Disable or Modify Tools, Impair Defenses	Anomaly
Wscript Or Cscript Suspicious Child Process	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	TTP

Reference

• https://attack.mitre.org/techniques/T1485/
• https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
• https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware
• https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html
• https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
• https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html
• https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html
• https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html
• https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html
• https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html
• https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html
• https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html

source | version: 1