Description

Double Zero Destructor is a destructive wiper payload that enumerates domain controllers and triggers a kill switch if one is detected. It overwrites files either with zero-filled blocks or through native Windows API calls such as NtOpenFile and NtFsControlFile. The payload also deletes the HKCU, HKLM, and HKU registry hives as well as the BCD hive under HKLM.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-03-25
  • Author: Teoderick Contreras, Rod Soto, Splunk
  • ID: f56e8c00-3224-4955-9a6e-924ec7da1df7

Narrative

Double Zero Destructor enumerates domain controllers, deletes registry hives, and overwrites files using zero-filled blocks and native API calls. The detections below look for the artifacts this behaviour leaves behind: executables dropped in suspicious paths, registry deletions performed by processes running outside trusted system locations, and attempts to terminate LSASS.

Detections

Name                                                          Technique                                  Type
Executables Or Script Creation In Suspicious Path             Masquerading                               TTP
Suspicious Process File Path                                  Create or Modify System Process            TTP
Windows Deleted Registry By A Non Critical Process File Path  Modify Registry                            Anomaly
Windows Terminating Lsass Process                             Disable or Modify Tools, Impair Defenses   Anomaly
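The two Anomaly detections in the table can be reproduced outside Splunk for testing. The block below is an added example, not Splunk's SPL or any code from the analytic story; it approximates the filtering logic of "Windows Deleted Registry By A Non Critical Process File Path" and "Windows Terminating Lsass Process" over Sysmon-style events (EventID 12 registry object delete, EventID 10 process access). The allowlist of "critical" process path prefixes, the helper names, and the sample events are all assumptions constructed for the example.

```python
"""Offline approximation of two Double Zero Destructor detections.

Added example, not Splunk's own search logic. Field names follow the
Sysmon event schema (EventID 12 = RegistryEvent object delete,
EventID 10 = ProcessAccess). The events below are constructed for the
example and are not captured from the malware.
"""
from __future__ import annotations

# Directories whose binaries routinely delete registry keys as part of
# normal Windows operation. A deletion by a process outside these
# prefixes is treated as "non-critical" and surfaced. (Assumption: this
# list mirrors the style of the Splunk search's path exclusions.)
CRITICAL_PATH_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# PROCESS_TERMINATE access right; Sysmon reports GrantedAccess as a hex
# string such as "0x1" or "0x1FFFFF".
PROCESS_TERMINATE = 0x0001


def is_critical_path(image: str) -> bool:
    """True when the process image lives under a trusted system prefix."""
    return image.lower().startswith(CRITICAL_PATH_PREFIXES)


def registry_delete_by_noncritical(events: list[dict]) -> list[dict]:
    """Registry key deletions whose actor runs outside trusted paths."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 12 or ev.get("EventType") != "DeleteKey":
            continue
        if is_critical_path(ev["Image"]):
            continue
        hits.append(ev)
    return hits


def lsass_terminate_access(events: list[dict]) -> list[dict]:
    """Process-access events that request PROCESS_TERMINATE on lsass.exe."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 10:
            continue
        if not ev["TargetImage"].lower().endswith("\\lsass.exe"):
            continue
        granted = int(ev["GrantedAccess"], 16)
        if granted & PROCESS_TERMINATE:
            hits.append(ev)
    return hits


# Constructed sample telemetry: one benign and one suspicious event per
# detection. The wiper path and hive names are placeholders.
EVENTS = [
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Example"},
    {"EventID": 12, "EventType": "DeleteKey",
     "Image": "C:\\Users\\Public\\wiper.exe",
     "TargetObject": "HKLM\\BCD00000000\\Objects"},
    {"EventID": 10,
     "SourceImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe",
     "GrantedAccess": "0x1000"},  # PROCESS_QUERY_LIMITED_INFORMATION only
    {"EventID": 10,
     "SourceImage": "C:\\Users\\Public\\wiper.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe",
     "GrantedAccess": "0x1"},     # PROCESS_TERMINATE
]


def run_detections(events: list[dict]) -> dict[str, list[str]]:
    """Return the offending process images per detection name."""
    return {
        "Windows Deleted Registry By A Non Critical Process File Path":
            [e["Image"] for e in registry_delete_by_noncritical(events)],
        "Windows Terminating Lsass Process":
            [e["SourceImage"] for e in lsass_terminate_access(events)],
    }


if __name__ == "__main__":
    for name, images in run_detections(EVENTS).items():
        print(f"{name}: {images}")
```

The path allowlist is where false positives and false negatives trade off: a wiper copied into System32 would evade the registry check, so this anomaly is meant to be correlated with the two TTP detections above rather than relied on alone.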
