Try in Splunk Security Cloud
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as “WhisperGate”. This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-01-19
- Author: Teoderick Contreras, Splunk
- ID: 0150e6e5-3171-442e-83f8-1ccd8599569b
Narrative
WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.
Detections
| Name |
Technique |
Type |
| Add or Set Windows Defender Exclusion |
Disable or Modify Tools, Impair Defenses |
TTP |
| Attempt To Stop Security Service |
Disable or Modify Tools, Impair Defenses |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| Excessive File Deletion In WinDefender Folder |
Data Destruction |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
| Ping Sleep Batch Command |
Virtualization/Sandbox Evasion, Time Based Evasion |
Anomaly |
| Powershell Remove Windows Defender Directory |
Disable or Modify Tools, Impair Defenses |
TTP |
| Powershell Windows Defender Exclusion Commands |
Disable or Modify Tools, Impair Defenses |
TTP |
| Process Deleting Its Process File Path |
Indicator Removal |
TTP |
| Suspicious Process DNS Query Known Abuse Web Services |
Visual Basic, Command and Scripting Interpreter |
TTP |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Process With Discord DNS Query |
Visual Basic, Command and Scripting Interpreter |
Anomaly |
| Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
| Windows DotNet Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Anomaly |
| Windows High File Deletion Frequency |
Data Destruction |
Anomaly |
| Windows InstallUtil in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
TTP |
| Windows LOLBin Binary in Non Standard Path |
Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil |
Anomaly |
| Windows NirSoft AdvancedRun |
Tool |
TTP |
| Windows NirSoft Utilities |
Tool |
Hunting |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe, Disk Wipe |
TTP |
| Wscript Or Cscript Suspicious Child Process |
Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation |
TTP |
Reference
source | version: 1