Analytics Story: Graceful Wipe Out Attack

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "The DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. The detections look for suspicious dropped files, Cobalt Strike execution, Impacket execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and reconnaissance.

Why it matters

Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" that targets multiple organizations to collect, exfiltrate and wipe the data of the targeted networks. After sensitive information has been exfiltrated from the targeted host or system, the malicious payload corrupts or wipes the Master Boot Record using an NSIS script.

Detections

| Name | Technique | Type |
|---|---|---|
| Attempt To Stop Security Service | Disable or Modify Tools | TTP |
| Deleting Of Net Users | Account Access Removal | TTP |
| Domain Account Discovery With Net App | Domain Account | TTP |
| Domain Group Discovery With Net | Domain Groups | Hunting |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Net Localgroup Discovery | Local Groups | Hunting |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Windows Service Stop Via Net and SC Application | Service Stop | Anomaly |
| Anomalous usage of 7zip | Archive via Utility | Anomaly |
| CMD Echo Pipe - Escalation | Windows Command Shell, Windows Service | TTP |
| Cobalt Strike Named Pipes | Process Injection | TTP |
| Detect Regsvr32 Application Control Bypass | Regsvr32 | TTP |
| DLLHost with no Command Line Arguments with Network | Process Injection | TTP |
| Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| GPUpdate with no Command Line Arguments with Network | Process Injection | TTP |
| Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Remote WMI Command Attempt | Windows Management Instrumentation | TTP |
| Rundll32 with no Command Line Arguments with Network | Rundll32 | TTP |
| SAM Database File Access Attempt | Security Account Manager | Hunting |
| SearchProtocolHost with no Command Line with Network | Process Injection | TTP |
| SecretDumps Offline NTDS Dumping Tool | NTDS | TTP |
| Services Escalate Exe | Abuse Elevation Control Mechanism | TTP |
| Suspicious DLLHost no Command Line Arguments | Process Injection | TTP |
| Suspicious GPUpdate no Command Line Arguments | Process Injection | TTP |
| Suspicious microsoft workflow compiler rename | Rename System Utilities, Trusted Developer Utilities Proxy Execution | Hunting |
| Suspicious msbuild path | Rename System Utilities, MSBuild | TTP |
| Suspicious MSBuild Rename | Rename System Utilities, MSBuild | Hunting |
| Suspicious Rundll32 no Command Line Arguments | Rundll32 | TTP |
| Suspicious Rundll32 StartW | Rundll32 | TTP |
| Suspicious SearchProtocolHost no Command Line Arguments | Process Injection | TTP |
| Windows AdFind Exe | Remote System Discovery | TTP |
| Windows Attempt To Stop Security Service | Disable or Modify Tools | TTP |
| Windows Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting |
| Windows Office Product Spawned Rundll32 With No DLL | Spearphishing Attachment | TTP |
| Windows Process Injection Remote Thread | Portable Executable Injection | TTP |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP |
| Windows Service Stop Attempt | Service Stop | Hunting |
| Windows Service Stop By Deletion | Service Stop | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP |
| Windows User Deletion Via Net | Account Access Removal | Anomaly |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 8 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 9 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |
| Windows Event Log Security 5145 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1