
Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Swift Slicer malware, including the overwriting and mass deletion of files.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2023-02-01
  • Author: Teoderick Contreras, Rod Soto, Splunk
  • ID: 234c9dd7-52fb-4d6f-aec9-075ef88a2cea

Narrative

Swift Slicer is a destructive Windows malware (wiper) discovered by ESET. It was used against a targeted organization to wipe critical files, including Windows drivers, in order to destroy data and leave the machine inoperable. Like CaddyWiper, it was delivered through Group Policy (GPO), which suggests that the attackers had already taken control of the victim's Active Directory environment.

Detections

Name | Technique | Type
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Data Destruction Recursive Exec Files Deletion | Data Destruction | TTP
Windows High File Deletion Frequency | Data Destruction | Anomaly
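The two Data Destruction detections above look for one process deleting many executable or driver files in a short time, across more than one directory. The following is an added Python approximation of that logic, not Splunk's own analytic or its SPL: it consumes constructed Sysmon FileDelete-style records (Event ID 23/26), keeps a sliding time window per host and process, and raises an alert when the deletion count and directory spread exceed assumed thresholds. The record format, field names, threshold values and sample events are all assumptions chosen for this example.

```python
"""Added example: per-process high-frequency executable-file-deletion detector.

Not Splunk's own detection logic. Reads Sysmon-like FileDelete records
(Event ID 23 = FileDelete, 26 = FileDeleteDetected), groups them per
host and process image, and flags processes that delete many executable
or driver files across several directories inside a sliding window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# File types a wiper must destroy to leave a Windows host unbootable (assumed list).
EXEC_EXTENSIONS = {".exe", ".dll", ".sys", ".drv"}
FILE_DELETE_EVENT_IDS = {"23", "26"}

# Tuning knobs (assumed values, not those used by the Splunk analytics).
DELETE_THRESHOLD = 5            # exec-type deletions per process inside WINDOW
WINDOW = timedelta(minutes=5)   # sliding window length
MIN_DISTINCT_DIRS = 2           # "recursive": deletions span multiple directories


def parse_event(line: str) -> dict:
    """Parse a flat 'key=value|key=value' record (constructed format for this example)."""
    ev = dict(field.split("=", 1) for field in line.split("|"))
    ev["UtcTime"] = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
    return ev


def is_exec_file(path: str) -> bool:
    """True when the deleted file has an executable or driver extension."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in EXEC_EXTENSIONS


def detect(lines):
    """Return one alert dict per (host, process image) that exceeds the thresholds."""
    per_proc = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") not in FILE_DELETE_EVENT_IDS:
            continue
        if not is_exec_file(ev["TargetFilename"]):
            continue
        per_proc[(ev["Computer"], ev["Image"])].append((ev["UtcTime"], ev["TargetFilename"]))

    alerts = []
    for (host, image), events in per_proc.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until events[start..end] all fit inside WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            dirs = {path.rsplit("\\", 1)[0] for _, path in window}
            if len(window) >= DELETE_THRESHOLD and len(dirs) >= MIN_DISTINCT_DIRS:
                alerts.append({"host": host, "image": image,
                               "count": len(window), "dirs": sorted(dirs)})
                break  # one alert per process is enough
    return alerts


# Constructed sample telemetry: a wiper running from Temp deletes drivers and
# system DLLs within seconds; an installer deletes two files and is benign.
SAMPLE_EVENTS = [
    "EventID=23|UtcTime=2023-01-25 10:00:01|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Windows\\System32\\drivers\\disk.sys",
    "EventID=23|UtcTime=2023-01-25 10:00:02|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Windows\\System32\\drivers\\ndis.sys",
    "EventID=26|UtcTime=2023-01-25 10:00:03|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Windows\\System32\\ntdll.dll",
    "EventID=23|UtcTime=2023-01-25 10:00:04|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Windows\\System32\\kernel32.dll",
    "EventID=23|UtcTime=2023-01-25 10:00:05|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Users\\bob\\notes.txt",
    "EventID=23|UtcTime=2023-01-25 10:00:06|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Windows\\System32\\winlogon.exe",
    "EventID=23|UtcTime=2023-01-25 10:01:00|Computer=ws01|Image=C:\\Windows\\System32\\msiexec.exe|TargetFilename=C:\\Program Files\\App\\old.dll",
    "EventID=23|UtcTime=2023-01-25 10:01:01|Computer=ws01|Image=C:\\Windows\\System32\\msiexec.exe|TargetFilename=C:\\Program Files\\App\\setup.exe",
    "EventID=23|UtcTime=2023-01-25 10:30:00|Computer=ws01|Image=C:\\Windows\\Temp\\wiper.exe|TargetFilename=C:\\Windows\\System32\\drivers\\usb.sys",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the block alerts on wiper.exe only (five executable deletions in two directories within six seconds); the .txt deletion is ignored, the two msiexec deletions stay under the threshold, and the later usb.sys deletion falls outside the window. In production the equivalent SPL groups on the same fields over a `bin _time` span, and the thresholds need tuning per environment so that patching and installer activity does not fire the anomaly.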

Version: 1