Try in Splunk Security Cloud

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as “Hermetic Wiper”. This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Email, Endpoint
  • Last Updated: 2022-03-02
  • Author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk
  • ID: b7511c2e-9a10-11ec-99e3-acde48001122

Narrative

Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.

Detections

Name Technique Type
Suspicious Powershell Command-Line Arguments PowerShell TTP
Uncommon Processes On Endpoint Malicious File Hunting
Active Setup Registry Autostart Active Setup, Boot or Logon Autostart Execution TTP
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Change Default File Association Change Default File Association, Event Triggered Execution TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Detect Empire with PowerShell Script Block Logging Command and Scripting Interpreter, PowerShell TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping TTP
ETW Registry Disabled Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses TTP
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading TTP
Kerberoasting spn request with RC4 encryption Steal or Forge Kerberos Tickets, Kerberoasting TTP
Linux Java Spawning Shell Exploit Public-Facing Application TTP
Logon Script Event Trigger Execution Boot or Logon Initialization Scripts, Logon Script (Windows) TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell TTP
MSI Module Loaded by Non-System Binary DLL Side-Loading, Hijack Execution Flow Hunting
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features TTP
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell TTP
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution TTP
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP
Regsvr32 Silent and Install Param Dll Loading Signed Binary Proxy Execution, Regsvr32 Anomaly
Runas Execution in CommandLine Access Token Manipulation, Token Impersonation/Theft Hunting
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Suspicious Process File Path Create or Modify System Process TTP
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution TTP
Unloading AMSI via Reflection Impair Defenses, PowerShell, Command and Scripting Interpreter TTP
W3WP Spawning Shell Server Software Component, Web Shell TTP
Windows Disable Memory Crash Dump Data Destruction TTP
Windows File Without Extension In Critical Folder Data Destruction TTP
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
WMI Recon Running Process Or Services Gather Victim Host Information TTP
Email Attachments With Lots Of Spaces None Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
Child Processes of Spoolsv exe Exploitation for Privilege Escalation TTP
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution TTP

Reference

source | version: 1