Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-04-21
  • Author: Teoderick Contreras, Splunk
  • ID: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a

Narrative

Industroyer2 is part of a continuing attack on Ukraine targeting energy facilities. This malware is a Windows binary that implements the IEC-104 protocol to communicate with industrial equipment. The attack consists of several destructive Linux script components that wipe or delete critical Linux files, PowerShell for domain enumeration, and CaddyWiper to wipe the boot sector of the targeted host.

Detections

Name | Technique | Type
AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP
Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP
Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP
Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | TTP
Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting
Linux DD File Overwrite | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Disable Services | Service Stop | TTP
Linux High Frequency Of File Deletion In Boot Folder | Data Destruction, File Deletion, Indicator Removal on Host | TTP
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Stop Services | Service Stop | TTP
Linux System Network Discovery | System Network Configuration Discovery | Anomaly
Recon Using WMI Class | Gather Victim Host Information | TTP
Schtasks Run Task On Demand | Scheduled Task/Job | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Linked Policies In ADSI Discovery | Domain Account, Account Discovery | Anomaly
Windows Processes Killed By Industroyer2 Malware | Service Stop | Anomaly
Windows Root Domain linked policies Discovery | Domain Account, Account Discovery | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall, Impair Defenses | Anomaly

Version: 1