Analytics Story: Industroyer2
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.
Why it matters
Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Linux Auditd Proctitle | Linux | linux:audit |
/var/log/audit/audit.log |
Linux Auditd Service Stop | Linux | linux:audit |
/var/log/audit/audit.log |
Powershell Script Block Logging 4104 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
Sysmon EventID 1 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 11 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon EventID 5 | Windows | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
Sysmon for Linux EventID 1 | Linux | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
Sysmon for Linux EventID 11 | Linux | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
Windows Event Log Security 4688 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 4698 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log Security 5145 | Windows | xmlwineventlog |
XmlWinEventLog:Security |
Windows Event Log TaskScheduler 200 | Windows | wineventlog |
WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
References
- https://cert.gov.ua/article/39518
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Source: GitHub | Version: 1