Analytics Story: WhisperGate

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "WhisperGate". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.

Why it matters

WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Excessive File Deletion In WinDefender Folder Data Destruction TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Anomaly
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Process Deleting Its Process File Path Indicator Removal TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Anomaly
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows High File Deletion Frequency Data Destruction Anomaly
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows NirSoft AdvancedRun Tool TTP
Windows NirSoft Utilities Tool Hunting
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1