GitHub Repo

Analytics Story: Industroyer2

Updated Date: 2026-05-13 ID: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.

Why it matters

Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Linux Auditd Stop Services Service Stop Hunting
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
WinEvent Scheduled Task Created Within Public Path Scheduled Task TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Linux Shred Overwrite Command Data Destruction TTP
AdsiSearcher Account Discovery Domain Account TTP
Linux Auditd Shred Overwrite Command Data Destruction TTP
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall Anomaly
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Linux High Frequency Of File Deletion In Boot Folder File Deletion, Data Destruction TTP
Linux System Network Discovery System Network Configuration Discovery Anomaly
Windows Processes Killed By Industroyer2 Malware Service Stop Anomaly
Schtasks Run Task On Demand Scheduled Task/Job Anomaly
Linux Adding Crontab Using List Parameter Cron Hunting
Linux Deleting Critical Directory Using RM Command Data Destruction TTP
Windows Sensitive Registry Hive Dump Via CommandLine Security Account Manager TTP
Linux DD File Overwrite Data Destruction TTP
Impacket Lateral Movement smbexec CommandLine Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Linux Disable Services Service Stop TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Dump LSASS via comsvcs DLL LSASS Memory TTP
Windows Linked Policies In ADSI Discovery Domain Account Anomaly
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Linux Stop Services Service Stop TTP
Windows Root Domain linked policies Discovery Domain Account Anomaly
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Linux Auditd Dd File Overwrite Data Destruction TTP
Recon Using WMI Class PowerShell, Gather Victim Host Information Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Linux Auditd Service Stop Linux icon Linux auditd auditd
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log TaskScheduler 201 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Linux Auditd Proctitle Linux icon Linux auditd auditd
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Osquery Results Other osquery:results osquery
Sysmon EventID 5 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References

Source: GitHub | Version: 2