Analytics Story: Graceful Wipe Out Attack

Date: 2023-06-15 ID: 83b15b3c-6bda-45aa-a3b6-b05c52443f44 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.

Why it matters

Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Anomalous usage of 7zip Archive via Utility, Archive Collected Data Anomaly
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses TTP
CMD Echo Pipe - Escalation Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process TTP
Cobalt Strike Named Pipes Process Injection TTP
Deleting Of Net Users Account Access Removal TTP
Detect Regsvr32 Application Control Bypass System Binary Proxy Execution, Regsvr32 TTP
DLLHost with no Command Line Arguments with Network Process Injection TTP
Domain Account Discovery With Net App Domain Account, Account Discovery TTP
Domain Group Discovery With Net Permission Groups Discovery, Domain Groups Hunting
Excessive Usage Of Net App Account Access Removal Anomaly
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
GPUpdate with no Command Line Arguments with Network Process Injection TTP
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Remote WMI Command Attempt Windows Management Instrumentation TTP
Rundll32 with no Command Line Arguments with Network System Binary Proxy Execution, Rundll32 TTP
SAM Database File Access Attempt Security Account Manager, OS Credential Dumping Hunting
SearchProtocolHost with no Command Line with Network Process Injection TTP
SecretDumps Offline NTDS Dumping Tool NTDS, OS Credential Dumping TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Suspicious DLLHost no Command Line Arguments Process Injection TTP
Suspicious GPUpdate no Command Line Arguments Process Injection TTP
Suspicious microsoft workflow compiler rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities Hunting
Suspicious msbuild path Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild TTP
Suspicious MSBuild Rename Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild Hunting
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Rundll32 no Command Line Arguments System Binary Proxy Execution, Rundll32 TTP
Suspicious Rundll32 StartW System Binary Proxy Execution, Rundll32 TTP
Suspicious SearchProtocolHost no Command Line Arguments Process Injection TTP
Windows AdFind Exe Remote System Discovery TTP
Windows Process Injection Remote Thread Process Injection, Portable Executable Injection TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows Service Stop By Deletion Service Stop TTP
Windows Service Stop Via Net and SC Application Service Stop Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1