GitHub Repo

Analytics Story: Hermetic Wiper

Updated Date: 2026-05-13 ID: b7511c2e-9a10-11ec-99e3-acde48001122 Author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.

Why it matters

Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Runas Execution in CommandLine Token Impersonation/Theft Hunting
Powershell Processing Stream Of Data PowerShell TTP
Web or Application Server Spawning a Shell External Remote Services, Exploit Public-Facing Application TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Active Setup Registry Autostart Active Setup TTP
Powershell Enable SMB1Protocol Feature Indicator Removal from Tools TTP
Powershell Using memory As Backing Store PowerShell TTP
Windows File Download Via PowerShell PowerShell, Ingress Tool Transfer Anomaly
Powershell Execute COM Object PowerShell, Component Object Model Hijacking TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
PowerShell Domain Enumeration PowerShell TTP
Screensaver Event Trigger Execution Screensaver TTP
PowerShell - Connect To Internet With Hidden Window PowerShell Hunting
Email Attachments With Lots Of Spaces Masquerade File Type, Spearphishing Attachment Anomaly
ETW Registry Disabled Trusted Developer Utilities Proxy Execution, Disable or Modify Tools TTP
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Unloading AMSI via Reflection PowerShell, Disable or Modify Tools TTP
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe TTP
Print Processor Registry Autostart Print Processors TTP
Detect Empire with PowerShell Script Block Logging PowerShell TTP
CMD Carry Out String Command Parameter Windows Command Shell Hunting
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service Anomaly
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Windows File Without Extension In Critical Folder Data Destruction TTP
PowerShell 4104 Hunting PowerShell Hunting
Windows Raw Access To Disk Volume Partition Disk Structure Wipe Anomaly
Windows New Default File Association Value Set Change Default File Association Hunting
Windows Disable Memory Crash Dump Data Destruction TTP
Powershell Fileless Script Contains Base64 Encoded Content Obfuscated Files or Information, PowerShell TTP
Kerberoasting spn request with RC4 encryption Kerberoasting TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass PowerShell TTP
Time Provider Persistence Registry Time Providers TTP
WMI Recon Running Process Or Services Gather Victim Host Information Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Malicious PowerShell Process With Obfuscation Techniques PowerShell TTP
Regsvr32 Silent and Install Param Dll Loading Regsvr32 Anomaly
Powershell Fileless Process Injection via GetProcAddress Process Injection, PowerShell TTP
MSI Module Loaded by Non-System Binary DLL Hunting
PowerShell Loading DotNET into Memory via Reflection PowerShell Anomaly
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection TTP
Child Processes of Spoolsv exe Exploitation for Privilege Escalation TTP
Logon Script Event Trigger Execution Logon Script (Windows) TTP
Overwriting Accessibility Binaries Accessibility Features TTP
Recon Using WMI Class PowerShell, Gather Victim Host Information Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4769 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References

Source: GitHub | Version: 2