Description
Leverage searches that let you detect and investigate unusual activity that may be related to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-04-21
- Author: Teoderick Contreras, Splunk
- ID: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a
Narrative
Industroyer2 is part of a continuing campaign against Ukraine that targets energy facilities. The malware is a Windows binary that implements the IEC-104 protocol to communicate with industrial equipment. The attack consists of several destructive Linux script components that wipe or delete critical Linux files, PowerShell for domain enumeration, and CaddyWiper to wipe the boot sector of the targeted host.
Detections
Name | Technique | Type
AdsiSearcher Account Discovery | Domain Account, Account Discovery | TTP
Attempted Credential Dump From Registry via Reg exe | Security Account Manager, OS Credential Dumping | TTP
Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP
Executable File Written in Administrative SMB Share | Remote Services, SMB/Windows Admin Shares | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Impacket Lateral Movement Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement WMIExec Commandline Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement smbexec CommandLine Parameters | Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Linux Adding Crontab Using List Parameter | Cron, Scheduled Task/Job | Hunting
Linux DD File Overwrite | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Disable Services | Service Stop | TTP
Linux High Frequency Of File Deletion In Boot Folder | Data Destruction, File Deletion, Indicator Removal | TTP
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall, Impair Defenses | Anomaly
Linux Stop Services | Service Stop | TTP
Linux System Network Discovery | System Network Configuration Discovery | Anomaly
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Schtasks Run Task On Demand | Scheduled Task/Job | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task, Scheduled Task/Job | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Linked Policies In ADSI Discovery | Domain Account, Account Discovery | Anomaly
Windows Processes Killed By Industroyer2 Malware | Service Stop | Anomaly
Windows Root Domain linked policies Discovery | Domain Account, Account Discovery | Anomaly
Reference
source | version: 1