Try in Splunk Security Cloud
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as “Hermetic Wiper”. This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Email, Endpoint
- Last Updated: 2022-03-02
- Author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk
- ID: b7511c2e-9a10-11ec-99e3-acde48001122
Narrative
Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.
Detections
| Name |
Technique |
Type |
| Active Setup Registry Autostart |
Active Setup, Boot or Logon Autostart Execution |
TTP |
| Any Powershell DownloadFile |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| Any Powershell DownloadString |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Change Default File Association |
Change Default File Association, Event Triggered Execution |
TTP |
| Child Processes of Spoolsv exe |
Exploitation for Privilege Escalation |
TTP |
| Detect Empire with PowerShell Script Block Logging |
Command and Scripting Interpreter, PowerShell |
TTP |
| Detect Mimikatz With PowerShell Script Block Logging |
OS Credential Dumping, PowerShell |
TTP |
| ETW Registry Disabled |
Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses |
TTP |
| Email Attachments With Lots Of Spaces |
|
Anomaly |
| Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Kerberoasting spn request with RC4 encryption |
Steal or Forge Kerberos Tickets, Kerberoasting |
TTP |
| Linux Java Spawning Shell |
Exploit Public-Facing Application, External Remote Services |
TTP |
| Logon Script Event Trigger Execution |
Boot or Logon Initialization Scripts, Logon Script (Windows) |
TTP |
| MSI Module Loaded by Non-System Binary |
DLL Side-Loading, Hijack Execution Flow |
Hunting |
| Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
| Malicious PowerShell Process With Obfuscation Techniques |
Command and Scripting Interpreter, PowerShell |
TTP |
| Overwriting Accessibility Binaries |
Event Triggered Execution, Accessibility Features |
TTP |
| Possible Lateral Movement PowerShell Spawn |
Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC |
TTP |
| PowerShell - Connect To Internet With Hidden Window |
PowerShell, Command and Scripting Interpreter |
Hunting |
| PowerShell 4104 Hunting |
Command and Scripting Interpreter, PowerShell |
Hunting |
| PowerShell Domain Enumeration |
Command and Scripting Interpreter, PowerShell |
TTP |
| PowerShell Loading DotNET into Memory via Reflection |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Enable SMB1Protocol Feature |
Obfuscated Files or Information, Indicator Removal from Tools |
TTP |
| Powershell Execute COM Object |
Component Object Model Hijacking, Event Triggered Execution, PowerShell |
TTP |
| Powershell Fileless Process Injection via GetProcAddress |
Command and Scripting Interpreter, Process Injection, PowerShell |
TTP |
| Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
TTP |
| Powershell Processing Stream Of Data |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Using memory As Backing Store |
PowerShell, Command and Scripting Interpreter |
TTP |
| Print Processor Registry Autostart |
Print Processors, Boot or Logon Autostart Execution |
TTP |
| Recon AVProduct Through Pwh or WMI |
Gather Victim Host Information |
TTP |
| Recon Using WMI Class |
Gather Victim Host Information, PowerShell |
Anomaly |
| Registry Keys Used For Privilege Escalation |
Image File Execution Options Injection, Event Triggered Execution |
TTP |
| Regsvr32 Silent and Install Param Dll Loading |
System Binary Proxy Execution, Regsvr32 |
Anomaly |
| Runas Execution in CommandLine |
Access Token Manipulation, Token Impersonation/Theft |
Hunting |
| Screensaver Event Trigger Execution |
Event Triggered Execution, Screensaver |
TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass |
Command and Scripting Interpreter, PowerShell |
TTP |
| Suspicious Email Attachment Extensions |
Spearphishing Attachment, Phishing |
Anomaly |
| Suspicious Powershell Command-Line Arguments |
PowerShell |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Time Provider Persistence Registry |
Time Providers, Boot or Logon Autostart Execution |
TTP |
| Uncommon Processes On Endpoint |
Malicious File |
Hunting |
| Unloading AMSI via Reflection |
Impair Defenses, PowerShell, Command and Scripting Interpreter |
TTP |
| W3WP Spawning Shell |
Server Software Component, Web Shell |
TTP |
| WMI Recon Running Process Or Services |
Gather Victim Host Information |
Anomaly |
| Windows Disable Memory Crash Dump |
Data Destruction |
TTP |
| Windows File Without Extension In Critical Folder |
Data Destruction |
TTP |
| Windows Modify Show Compress Color And Info Tip Registry |
Modify Registry |
TTP |
| Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe, Disk Wipe |
Anomaly |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe, Disk Wipe |
TTP |
Reference
source | version: 1