Try in Splunk Security Cloud
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by “THE DFIR Report” that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint, Network_Traffic
- Last Updated: 2023-06-15
- Author: Teoderick Contreras, Splunk
- ID: 83b15b3c-6bda-45aa-a3b6-b05c52443f44
Narrative
Graceful Wipe Out Attack is a destructive malware campaign found by “The DFIR Report” targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.
Detections
| Name |
Technique |
Type |
| Anomalous usage of 7zip |
Archive via Utility, Archive Collected Data |
Anomaly |
| Attempt To Stop Security Service |
Disable or Modify Tools, Impair Defenses |
TTP |
| CMD Echo Pipe - Escalation |
Command and Scripting Interpreter, Windows Command Shell, Windows Service, Create or Modify System Process |
TTP |
| Cobalt Strike Named Pipes |
Process Injection |
TTP |
| DLLHost with no Command Line Arguments with Network |
Process Injection |
TTP |
| Deleting Of Net Users |
Account Access Removal |
TTP |
| Detect Regsvr32 Application Control Bypass |
System Binary Proxy Execution, Regsvr32 |
TTP |
| Domain Account Discovery With Net App |
Domain Account, Account Discovery |
TTP |
| Domain Group Discovery With Net |
Permission Groups Discovery, Domain Groups |
Hunting |
| Excessive Usage Of Net App |
Account Access Removal |
Anomaly |
| Executable File Written in Administrative SMB Share |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| GPUpdate with no Command Line Arguments with Network |
Process Injection |
TTP |
| Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Net Localgroup Discovery |
Permission Groups Discovery, Local Groups |
Hunting |
| Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
| Rundll32 with no Command Line Arguments with Network |
System Binary Proxy Execution, Rundll32 |
TTP |
| SAM Database File Access Attempt |
Security Account Manager, OS Credential Dumping |
Hunting |
| SearchProtocolHost with no Command Line with Network |
Process Injection |
TTP |
| SecretDumps Offline NTDS Dumping Tool |
NTDS, OS Credential Dumping |
TTP |
| Services Escalate Exe |
Abuse Elevation Control Mechanism |
TTP |
| Suspicious DLLHost no Command Line Arguments |
Process Injection |
TTP |
| Suspicious GPUpdate no Command Line Arguments |
Process Injection |
TTP |
| Suspicious MSBuild Rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
Hunting |
| Suspicious Process File Path |
Create or Modify System Process |
TTP |
| Suspicious Rundll32 StartW |
System Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious Rundll32 no Command Line Arguments |
System Binary Proxy Execution, Rundll32 |
TTP |
| Suspicious SearchProtocolHost no Command Line Arguments |
Process Injection |
TTP |
| Suspicious microsoft workflow compiler rename |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities |
Hunting |
| Suspicious msbuild path |
Masquerading, Trusted Developer Utilities Proxy Execution, Rename System Utilities, MSBuild |
TTP |
| Windows AdFind Exe |
Remote System Discovery |
TTP |
| Windows Process Injection Remote Thread |
Process Injection, Portable Executable Injection |
TTP |
| Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe, Disk Wipe |
Anomaly |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe, Disk Wipe |
TTP |
| Windows Service Stop By Deletion |
Service Stop |
TTP |
| Windows Service Stop Via Net and SC Application |
Service Stop |
Anomaly |
Reference
source | version: 1