Analytics Story: WhisperGate

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activity that might relate to the destructive malware targeting Ukrainian organizations, also known as "WhisperGate". The story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.

Why it matters

WhisperGate/DEV-0586 is a destructive malware operation found by MSTIC (Microsoft Threat Intelligence Center) targeting multiple organizations in Ukraine. The campaign consists of several malware components: a downloader that abuses the Discord platform, a component that overwrites or destroys the master boot record (MBR) of the targeted host, a wiper, and Windows Defender evasion techniques.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Attempt To Stop Security Service | Disable or Modify Tools | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Excessive File Deletion In WinDefender Folder | Data Destruction | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Ping Sleep Batch Command | Time Based Evasion | Anomaly |
| Powershell Remove Windows Defender Directory | Disable or Modify Tools | TTP |
| Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP |
| Process Deleting Its Process File Path | Indicator Removal | TTP |
| Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP |
| Suspicious Process With Discord DNS Query | Visual Basic | Anomaly |
| Windows Attempt To Stop Security Service | Disable or Modify Tools | TTP |
| Windows DotNet Binary in Non Standard Path | Rename System Utilities, InstallUtil | TTP |
| Windows High File Deletion Frequency | Data Destruction | Anomaly |
| Windows InstallUtil in Non Standard Path | Rename System Utilities, InstallUtil | TTP |
| Windows NirSoft AdvancedRun | Tool | TTP |
| Windows NirSoft Utilities | Tool | Hunting |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP |
| Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP |
| Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 23 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 9 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security |

Source: GitHub | Version: 1