Description
This analytic story features detections that enable security analysts to identify and investigate unusual activity potentially related to the destructive malware and tools employed by the "Sandworm" group. It focuses on monitoring suspicious process executions, command-line activity, Master Boot Record (MBR) wiping, data destruction, and other related indicators.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Risk
- Last Updated: 2022-04-05
- Author: Teoderick Contreras, Splunk
- ID: 54146850-9d26-4877-a611-2db33231e63e
Narrative
The Sandworm group's tools are part of destructive malware operations designed to disrupt or attack Ukraine's National Information Agencies. The campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping with sdelete.exe on targeted hosts.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| Detect PsExec With accepteula Flag | Remote Services, SMB/Windows Admin Shares | TTP |
| Detect Renamed PSExec | System Services, Service Execution | Hunting |
| Icacls Deny Command | File and Directory Permissions Modification | TTP |
| Linux Iptables Firewall Modification | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Linux Kworker Process In Writable Process Path | Masquerade Task or Service, Masquerading | Hunting |
| Local Account Discovery with Net | Account Discovery, Local Account | Hunting |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Mimikatz PassTheTicket CommandLine Parameters | Use Alternate Authentication Material, Pass the Ticket | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Copy on System32 | Rename System Utilities, Masquerading | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |
| Windows Common Abused Cmd Shell Risk Behavior | File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter | Correlation |
| Windows DNS Gather Network Info | DNS | Anomaly |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
| Windows Mimikatz Binary Execution | OS Credential Dumping | TTP |
| Windows Mimikatz Crypto Export File Extensions | Steal or Forge Authentication Certificates | Anomaly |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
- Version: 1