Try in Splunk Security Cloud

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as “WhisperGate”. This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Endpoint_Processes
  • Last Updated: 2022-01-19
  • Author: Teoderick Contreras, Splunk
  • ID: 0150e6e5-3171-442e-83f8-1ccd8599569b

Narrative

WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.

Detections

Name Technique Type
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Excessive File Deletion In WinDefender Folder Data Destruction TTP
Executables Or Script Creation In Suspicious Path Masquerading TTP
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Anomaly
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Process Deleting Its Process File Path Indicator Removal on Host TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Anomaly
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows High File Deletion Frequency Data Destruction Anomaly
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows LOLBin Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil Anomaly
Windows NirSoft AdvancedRun Tool TTP
Windows NirSoft Utilities Tool Hunting
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP

Reference

source | version: 1