Analytics Story: Data Destruction
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of "DoubleZero Destructor", "CaddyWiper", "AcidRain", "AwfulShred", "Hermetic Wiper", "Swift Slicer", "Whisper Gate" and many more.
Why it matters
Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon for Linux EventID 11 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Sysmon EventID 22 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Powershell Script Block Logging 4104 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4688 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon for Linux EventID 1 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Sysmon EventID 12 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4698 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon EventID 13 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 7 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Linux Auditd Proctitle | auditd |
auditd |
|
| Office 365 Reporting Message Trace | Other | o365:reporting:messagetrace |
o365 |
| Office 365 Universal Audit Log | Other | o365:management:activity |
o365 |
| AWS Cloudfront | aws:cloudfront:accesslogs |
aws |
|
| Sysmon EventID 11 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 23 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 26 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Cisco Network Visibility Module Flow Data | cisco:nvm:flowdata |
not_applicable |
|
| Windows Event Log Security 5145 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Windows Event Log Security 4769 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon EventID 5 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 10 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log TaskScheduler 201 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Windows Event Log TaskScheduler 200 | wineventlog |
WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
|
| Linux Auditd Service Stop | auditd |
auditd |
|
| Sysmon EventID 9 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Linux Auditd Execve | auditd |
auditd |
|
| Osquery Results | Other | osquery:results |
osquery |
References
- https://attack.mitre.org/techniques/T1485/
- https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware
- https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html
- https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html
- https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
- https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html
- https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html
- https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html
- https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html
- https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
- https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html
Source: GitHub | Version: 2