Try in Splunk Security Cloud


This analytic story features detections that enable security analysts to identify and investigate unusual activities potentially related to the destructive malware and tools employed by the “Sandworm” group. This analytic story focuses on monitoring suspicious process executions, command-line activities, Master Boot Record (MBR) wiping, data destruction, and other related indicators.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk
  • Last Updated: 2022-04-05
  • Author: Teoderick Contreras, Splunk
  • ID: 54146850-9d26-4877-a611-2db33231e63e


The Sandworm group’s tools are part of destructive malware operations designed to disrupt or attack Ukraine’s National Information Agencies. This operation campaign consists of several malware components, including scripts, native Windows executables (LOLBINs), data wiper malware that overwrites or destroys the Master Boot Record (MBR), and file wiping using sdelete.exe on targeted hosts.


Name Technique Type
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Icacls Deny Command File and Directory Permissions Modification TTP
Linux Iptables Firewall Modification Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Kworker Process In Writable Process Path Masquerade Task or Service, Masquerading Hunting
Local Account Discovery with Net Account Discovery, Local Account Hunting
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket TTP
Permission Modification using Takeown App File and Directory Permissions Modification TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Copy on System32 Rename System Utilities, Masquerading TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
Windows Common Abused Cmd Shell Risk Behavior File and Directory Permissions Modification, System Network Connections Discovery, System Owner/User Discovery, System Shutdown/Reboot, System Network Configuration Discovery, Command and Scripting Interpreter Correlation
Windows DNS Gather Network Info DNS Anomaly
Windows High File Deletion Frequency Data Destruction Anomaly
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Mimikatz Crypto Export File Extensions Steal or Forge Authentication Certificates Anomaly
Windows System Shutdown CommandLine System Shutdown/Reboot Anomaly


source | version: 1