Analytics Story: Industroyer2
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.
Why it matters
Industroyer2 is part of continuous attack to ukraine targeting energy facilities. This malware is a windows binary that implement IEC-104 protocol to communicate with industrial equipments. This attack consist of several destructive linux script component to wipe or delete several linux critical files, powershell for domain enumeration and caddywiper to wipe boot sector of the targeted host.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4688 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon for Linux EventID 1 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Windows Event Log Security 4698 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Windows Event Log TaskScheduler 201 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Windows Event Log TaskScheduler 200 | wineventlog |
WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
|
| Windows Event Log Security 5145 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Linux Auditd Service Stop | auditd |
auditd |
|
| Linux Auditd Proctitle | auditd |
auditd |
|
| Powershell Script Block Logging 4104 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
| Sysmon for Linux EventID 11 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Sysmon EventID 11 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 5 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Osquery Results | Other | osquery:results |
osquery |
References
- https://cert.gov.ua/article/39518
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Source: GitHub | Version: 2