Analytics Story: Industroyer2

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.

Why it matters

Industroyer2 is part of the continuing attacks on Ukraine targeting energy facilities. The malware is a Windows binary that implements the IEC-104 protocol to communicate with industrial equipment. The attack also consists of several destructive Linux script components that wipe or delete critical Linux files, PowerShell for domain enumeration, and CaddyWiper to wipe the boot sector of the targeted host.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP |
| Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting |
| Linux Auditd Dd File Overwrite | Data Destruction | TTP |
| Linux Auditd Shred Overwrite Command | Data Destruction | TTP |
| Linux Auditd Stop Services | Service Stop | TTP |
| Linux DD File Overwrite | Data Destruction | TTP |
| Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP |
| Linux Disable Services | Service Stop | TTP |
| Linux High Frequency Of File Deletion In Boot Folder | Data Destruction, File Deletion, Indicator Removal | TTP |
| Linux Shred Overwrite Command | Data Destruction | TTP |
| Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Linux Stop Services | Service Stop | TTP |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly |
| Schtasks Run Task On Demand | Scheduled Task/Job | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP |
| Windows Linked Policies In ADSI Discovery | Domain Account, Account Discovery | Anomaly |
| Windows Processes Killed By Industroyer2 Malware | Service Stop | Anomaly |
| Windows Root Domain linked policies Discovery | Domain Account, Account Discovery | Anomaly |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Linux Auditd Proctitle | Linux | linux:audit | /var/log/audit/audit.log |
| Linux Auditd Service Stop | Linux | linux:audit | /var/log/audit/audit.log |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 5145 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational |

Source: GitHub | Version: 1