Try in Splunk Security Cloud
Description
Utilize searches that enable you to detect and investigate unusual activities potentially related to the Winter Vivern malicious software. This includes examining multiple timeout executions, scheduled task creations, screenshots, and downloading files through PowerShell, among other indicators.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2023-02-16
- Author: Teoderick Contreras, Splunk
- ID: 5ce5f311-b311-4568-90ca-0c36781d07a4
Narrative
The Winter Vivern malware, identified by CERT UA, is designed to download and run multiple PowerShell scripts on targeted hosts. These scripts aim to gather a variety of files with specific extensions, including (.edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, and .rdg), primarily from desktop directories. In addition to this, the malware captures desktop screenshots and performs data exfiltration using HTTP. To maintain its presence on the targeted host, Winter Vivern also establishes a persistence mechanism, such as creating a scheduled task.
Detections
| Name |
Technique |
Type |
| Any Powershell DownloadString |
Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer |
TTP |
| CMD Carry Out String Command Parameter |
Windows Command Shell, Command and Scripting Interpreter |
Hunting |
| GetWmiObject User Account with PowerShell |
Account Discovery, Local Account |
Hunting |
| GetWmiObject User Account with PowerShell Script Block |
Account Discovery, Local Account, PowerShell |
Hunting |
| PowerShell Loading DotNET into Memory via Reflection |
Command and Scripting Interpreter, PowerShell |
TTP |
| Powershell Fileless Script Contains Base64 Encoded Content |
Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell |
TTP |
| Schedule Task with HTTP Command Arguments |
Scheduled Task/Job |
TTP |
| Scheduled Task Deleted Or Created via CMD |
Scheduled Task, Scheduled Task/Job |
TTP |
| System User Discovery With Whoami |
System Owner/User Discovery |
Hunting |
| WinEvent Scheduled Task Created Within Public Path |
Scheduled Task, Scheduled Task/Job |
TTP |
| WinEvent Scheduled Task Created to Spawn Shell |
Scheduled Task, Scheduled Task/Job |
TTP |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
| WinEvent Windows Task Scheduler Event Action Started |
Scheduled Task |
Hunting |
| Windows Exfiltration Over C2 Via Invoke RestMethod |
Exfiltration Over C2 Channel |
TTP |
| Windows Exfiltration Over C2 Via Powershell UploadString |
Exfiltration Over C2 Channel |
TTP |
| Windows Scheduled Task Created Via XML |
Scheduled Task, Scheduled Task/Job |
TTP |
| Windows Screen Capture Via Powershell |
Screen Capture |
TTP |
Reference
source | version: 1