Analytics Story: Graceful Wipe Out Attack
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.
Why it matters
Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.
Detections
| Name ▲▼ |
Technique ▲▼ |
Type ▲▼ |
| Suspicious MSBuild Rename |
Rename Legitimate Utilities, MSBuild |
Hunting |
| Windows Suspicious Process File Path |
Match Legitimate Resource Name or Location, Create or Modify System Process |
TTP |
| Anomalous usage of 7zip |
Archive via Utility |
Anomaly |
| Windows Suspicious Named Pipe |
SMB/Windows Admin Shares, Process Injection, Inter-Process Communication |
TTP |
| Suspicious msbuild path |
Rename Legitimate Utilities, MSBuild |
TTP |
| Windows Group Discovery Via Net |
Local Groups, Domain Groups |
Hunting |
| Windows Attempt To Stop Security Service |
Disable or Modify Tools |
TTP |
| Suspicious Rundll32 StartW |
Rundll32 |
TTP |
| Windows Office Product Spawned Rundll32 With No DLL |
Spearphishing Attachment |
TTP |
| Executable File Written in Administrative SMB Share |
SMB/Windows Admin Shares |
TTP |
| Windows Service Stop By Deletion |
Service Stop |
Hunting |
| DLLHost with no Command Line Arguments with Network |
Process Injection |
TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters |
SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Windows Excessive Usage Of Net App |
Account Access Removal |
Anomaly |
| Suspicious Rundll32 no Command Line Arguments |
Rundll32 |
TTP |
| Suspicious SearchProtocolHost no Command Line Arguments |
Process Injection |
TTP |
| Windows User Deletion Via Net |
Account Access Removal |
Anomaly |
| SAM Database File Access Attempt |
Security Account Manager |
Hunting |
| Detect Regsvr32 Application Control Bypass |
Regsvr32 |
TTP |
| Suspicious microsoft workflow compiler rename |
Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution |
Hunting |
| Windows Service Stop Attempt |
Service Stop |
Hunting |
| Windows Suspicious C2 Named Pipe |
SMB/Windows Admin Shares, Process Injection, Inter-Process Communication |
TTP |
| Suspicious DLLHost no Command Line Arguments |
Process Injection |
TTP |
| Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe |
Anomaly |
| CMD Echo Pipe - Escalation |
Windows Command Shell, Windows Service |
TTP |
| Impacket Lateral Movement Commandline Parameters |
SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| SearchProtocolHost with no Command Line with Network |
Process Injection |
TTP |
| Services Escalate Exe |
Abuse Elevation Control Mechanism |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Executables Or Script Creation In Temp Path |
Masquerading |
Anomaly |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe |
TTP |
| Suspicious GPUpdate no Command Line Arguments |
Process Injection |
TTP |
| Windows AdFind Exe |
Remote System Discovery |
TTP |
| Rundll32 with no Command Line Arguments with Network |
Rundll32 |
TTP |
| GPUpdate with no Command Line Arguments with Network |
Process Injection |
TTP |
| Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
| Windows Process Injection Remote Thread |
Portable Executable Injection |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| SecretDumps Offline NTDS Dumping Tool |
NTDS |
TTP |
Data Sources
References
Source: GitHub | Version: 2