Analytics Story: Hermetic Wiper
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activity that might relate to HermeticWiper, the destructive malware that targeted Ukrainian organizations. The story looks for abuse of Regsvr32, executables written to administrative SMB shares, suspicious process file paths, disabling of the memory crash dump, raw access to the Master Boot Record and disk volumes, and more.
Why it matters
HermeticWiper is a destructive malware operation, reported by SentinelOne, that targeted multiple organizations in Ukraine. The payload corrupts the Master Boot Record, abuses a legitimately signed disk-management driver to gain raw access to the disk, and manipulates NTFS attributes to destroy files. Only a few of the detections below (disabling the memory crash dump, raw access to the MBR or a disk volume partition, executables written to administrative SMB shares) map directly to that wiping behaviour; the rest are general PowerShell, persistence and reconnaissance detections that are useful for scoping the intrusion that delivered the wiper.
Detections
| Name | Technique | Type |
|---|---|---|
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Powershell Processing Stream Of Data | PowerShell | TTP |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| PowerShell - Connect To Internet With Hidden Window | PowerShell | Hunting |
| ETW Registry Disabled | Trusted Developer Utilities Proxy Execution, Disable or Modify Tools | TTP |
| Overwriting Accessibility Binaries | Accessibility Features | TTP |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| PowerShell Domain Enumeration | PowerShell | TTP |
| Runas Execution in CommandLine | Token Impersonation/Theft | Hunting |
| Possible Lateral Movement PowerShell Spawn | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | Anomaly |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
| Detect Empire with PowerShell Script Block Logging | PowerShell | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Regsvr32 Silent and Install Param Dll Loading | Regsvr32 | Anomaly |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP |
| Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP |
| Print Processor Registry Autostart | Print Processors | TTP |
| Windows New Default File Association Value Set | Change Default File Association | Hunting |
| Powershell Execute COM Object | PowerShell, Component Object Model Hijacking | TTP |
| PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly |
| Screensaver Event Trigger Execution | Screensaver | TTP |
| Logon Script Event Trigger Execution | Logon Script (Windows) | TTP |
| Unloading AMSI via Reflection | PowerShell, Disable or Modify Tools | TTP |
| Suspicious Email Attachment Extensions | Spearphishing Attachment | Anomaly |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Powershell Enable SMB1Protocol Feature | Indicator Removal from Tools | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| Kerberoasting spn request with RC4 encryption | Kerberoasting | TTP |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly |
| MSI Module Loaded by Non-System Binary | DLL | Hunting |
| Windows File Without Extension In Critical Folder | Data Destruction | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP |
| Active Setup Registry Autostart | Active Setup | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Powershell Using memory As Backing Store | PowerShell | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly |
| Email Attachments With Lots Of Spaces | Masquerade File Type, Spearphishing Attachment | Anomaly |
| Malicious PowerShell Process With Obfuscation Techniques | PowerShell | TTP |
| Time Provider Persistence Registry | Time Providers | TTP |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| Powershell Fileless Process Injection via GetProcAddress | Process Injection, PowerShell | TTP |
| Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP |
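To show what the wiper-specific detections in this story actually key on, here is an added example (not Splunk's SPL and not code from this project) that re-implements the logic of three of them, Windows Disable Memory Crash Dump, Windows Raw Access To Master Boot Record Drive and Executable File Written in Administrative SMB Share, in Python and runs it over constructed Sysmon and Windows Security events. The event field names, the sample records and the per-host correlation step are assumptions for illustration; the registry value, Sysmon event ID 9 device name and event 5145 share/access-mask semantics are the real artifacts the detections look for.

```python
"""Toy re-implementation of three detections from the Hermetic Wiper analytic
story, run over constructed log records. Example code, not Splunk's SPL; the
field names mimic a normalised Sysmon / Windows Security event and are an
assumption, as are the sample records below."""
import re

# Constructed sample events (not real telemetry). "source" names the log.
SAMPLE_EVENTS = [
    # Benign: an unrelated registry value written by a servicing task.
    {"id": 1, "source": "sysmon", "event_code": 13, "host": "ws01",
     "image": r"C:\Windows\System32\TiWorker.exe",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations",
     "registry_value_data": "Multi-String"},
    # Suspicious: CrashDumpEnabled set to 0 (HermeticWiper disables crash dumps).
    {"id": 2, "source": "sysmon", "event_code": 13, "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\cdrp.exe",
     "registry_path": r"HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled",
     "registry_value_data": "DWORD (0x00000000)"},
    # Benign: a backup agent raw-reads a data volume, not the boot disk.
    {"id": 3, "source": "sysmon", "event_code": 9, "host": "srv02",
     "image": r"C:\Program Files\Backup\agent.exe", "device": r"\Device\HarddiskVolume3"},
    # Suspicious: raw read of physical drive 0, where the MBR lives.
    {"id": 4, "source": "sysmon", "event_code": 9, "host": "ws01",
     "image": r"C:\Users\alice\AppData\Local\Temp\cdrp.exe", "device": r"\Device\Harddisk0\DR0"},
    # Benign: read of a document on a normal file share (ReadData = 0x1).
    {"id": 5, "source": "wineventlog", "event_code": 5145, "host": "fs01",
     "share_name": r"\\*\Finance", "relative_target_name": r"Q1\budget.xlsx", "access_mask": "0x1"},
    # Suspicious: executable written into ADMIN$ (WriteData bit 0x2 set).
    {"id": 6, "source": "wineventlog", "event_code": 5145, "host": "dc01",
     "share_name": r"\\*\ADMIN$", "relative_target_name": r"Temp\svchost.exe", "access_mask": "0x2"},
]

CRASHDUMP_KEY = re.compile(r"\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled$", re.IGNORECASE)
MBR_DEVICES = {r"\Device\Harddisk0\DR0"}          # Sysmon EID 9 device name for physical drive 0
ADMIN_SHARES = re.compile(r"\\\\[^\\]+\\(ADMIN\$|C\$)$", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".bat", ".ps1")
WRITE_DATA = 0x2                                   # FILE_WRITE_DATA bit in the 5145 AccessMask


def _dword_value(data):
    """Parse the hex value out of a Sysmon 'DWORD (0x...)' Details string."""
    m = re.search(r"0x([0-9a-fA-F]+)", data)
    return int(m.group(1), 16) if m else None


def disable_memory_crash_dump(ev):
    """Registry value set (Sysmon EID 13) writing 0 to CrashControl\\CrashDumpEnabled."""
    if ev.get("source") != "sysmon" or ev.get("event_code") != 13:
        return False
    if not CRASHDUMP_KEY.search(ev.get("registry_path", "")):
        return False
    return _dword_value(ev.get("registry_value_data", "")) == 0


def raw_access_to_mbr(ev):
    """Sysmon EID 9 (RawAccessRead) against the device that holds the MBR."""
    return ev.get("source") == "sysmon" and ev.get("event_code") == 9 \
        and ev.get("device") in MBR_DEVICES


def executable_written_to_admin_share(ev):
    """Security 5145: executable target on ADMIN$/C$ with the WriteData access bit."""
    if ev.get("source") != "wineventlog" or ev.get("event_code") != 5145:
        return False
    if not ADMIN_SHARES.search(ev.get("share_name", "")):
        return False
    if not ev.get("relative_target_name", "").lower().endswith(EXECUTABLE_EXT):
        return False
    return int(ev.get("access_mask", "0"), 16) & WRITE_DATA != 0


RULES = {
    "Windows Disable Memory Crash Dump": disable_memory_crash_dump,
    "Windows Raw Access To Master Boot Record Drive": raw_access_to_mbr,
    "Executable File Written in Administrative SMB Share": executable_written_to_admin_share,
}


def run_rules(events, rules=RULES):
    """Return (rule name, event id) for every event that trips a rule."""
    return [(name, ev["id"]) for ev in events for name, rule in rules.items() if rule(ev)]


def correlate_by_host(events, rules=RULES, min_rules=2):
    """Hosts that tripped at least min_rules distinct rules: the story-level signal
    (crash dump off plus raw MBR access on one host is far stronger than either alone)."""
    host_of = {ev["id"]: ev["host"] for ev in events}
    by_host = {}
    for name, ev_id in run_rules(events, rules):
        by_host.setdefault(host_of[ev_id], set()).add(name)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    for hit in run_rules(SAMPLE_EVENTS):
        print("HIT", hit)
    print("ESCALATE", correlate_by_host(SAMPLE_EVENTS))
```

Each single rule has benign look-alikes (backup agents raw-read volumes, admins push tools over ADMIN$), which is why the story groups them: the `correlate_by_host` step flags only `ws01`, where the crash-dump registry change and the raw read of `\Device\Harddisk0\DR0` come from the same unsigned binary in a user Temp directory, while the lone ADMIN$ write on `dc01` stays a single TTP hit for triage.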
Data Sources
References
Source: GitHub | Version: 2