Analytics Story: Data Destruction

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of "DoubleZero Destructor", "CaddyWiper", "AcidRain", "AwfulShred", "Hermetic Wiper", "Swift Slicer", "Whisper Gate" and many more.

Why it matters

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Email Attachments With Lots Of Spaces None Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment, Phishing Anomaly
Active Setup Registry Autostart Active Setup, Boot or Logon Autostart Execution TTP
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
AdsiSearcher Account Discovery Domain Account, Account Discovery TTP
Any Powershell DownloadFile Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses TTP
Attempted Credential Dump From Registry via Reg exe Security Account Manager, OS Credential Dumping TTP
Change Default File Association Change Default File Association, Event Triggered Execution TTP
Child Processes of Spoolsv exe Exploitation for Privilege Escalation TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Detect Empire with PowerShell Script Block Logging Command and Scripting Interpreter, PowerShell TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
ETW Registry Disabled Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses TTP
Excessive File Deletion In WinDefender Folder Data Destruction TTP
Executable File Written in Administrative SMB Share Remote Services, SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Kerberoasting spn request with RC4 encryption Steal or Forge Kerberos Tickets, Kerberoasting TTP
Linux Adding Crontab Using List Parameter Cron, Scheduled Task/Job Hunting
Linux Auditd Data Destruction Command Data Destruction TTP
Linux Auditd Dd File Overwrite Data Destruction TTP
Linux Auditd Hardware Addition Swapoff Hardware Additions Anomaly
Linux Auditd Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Auditd Shred Overwrite Command Data Destruction TTP
Linux Auditd Stop Services Service Stop TTP
Linux Data Destruction Command Data Destruction TTP
Linux DD File Overwrite Data Destruction TTP
Linux Deleting Critical Directory Using RM Command Data Destruction TTP
Linux Deletion Of Cron Jobs Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Deletion Of Init Daemon Script Data Destruction, File Deletion, Indicator Removal TTP
Linux Deletion Of Services Data Destruction, File Deletion, Indicator Removal TTP
Linux Disable Services Service Stop TTP
Linux Hardware Addition SwapOff Hardware Additions Anomaly
Linux High Frequency Of File Deletion In Boot Folder Data Destruction, File Deletion, Indicator Removal TTP
Linux High Frequency Of File Deletion In Etc Folder Data Destruction, File Deletion, Indicator Removal Anomaly
Linux Impair Defenses Process Kill Disable or Modify Tools, Impair Defenses Hunting
Linux Indicator Removal Clear Cache Indicator Removal TTP
Linux Indicator Removal Service File Deletion File Deletion, Indicator Removal Anomaly
Linux Java Spawning Shell Exploit Public-Facing Application, External Remote Services TTP
Linux Service Restarted Systemd Timers, Scheduled Task/Job Anomaly
Linux Shred Overwrite Command Data Destruction TTP
Linux Stdout Redirection To Dev Null File Disable or Modify System Firewall, Impair Defenses Anomaly
Linux Stop Services Service Stop TTP
Linux System Network Discovery System Network Configuration Discovery Anomaly
Linux System Reboot Via System Request Key System Shutdown/Reboot TTP
Linux Unix Shell Enable All SysRq Functions Unix Shell, Command and Scripting Interpreter Anomaly
Logon Script Event Trigger Execution Boot or Logon Initialization Scripts, Logon Script (Windows) TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process With Obfuscation Techniques Command and Scripting Interpreter, PowerShell TTP
MSI Module Loaded by Non-System Binary DLL Side-Loading, Hijack Execution Flow Hunting
Overwriting Accessibility Binaries Event Triggered Execution, Accessibility Features TTP
Ping Sleep Batch Command Virtualization/Sandbox Evasion, Time Based Evasion Anomaly
Possible Lateral Movement PowerShell Spawn Remote Services, Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, Windows Service, PowerShell, MMC TTP
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
Powershell Enable SMB1Protocol Feature Obfuscated Files or Information, Indicator Removal from Tools TTP
Powershell Execute COM Object Component Object Model Hijacking, Event Triggered Execution, PowerShell TTP
Powershell Fileless Process Injection via GetProcAddress Command and Scripting Interpreter, Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Command and Scripting Interpreter, Obfuscated Files or Information, PowerShell TTP
PowerShell Loading DotNET into Memory via Reflection Command and Scripting Interpreter, PowerShell TTP
Powershell Processing Stream Of Data Command and Scripting Interpreter, PowerShell TTP
Powershell Remove Windows Defender Directory Disable or Modify Tools, Impair Defenses TTP
Powershell Using memory As Backing Store PowerShell, Command and Scripting Interpreter TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Print Processor Registry Autostart Print Processors, Boot or Logon Autostart Execution TTP
Process Deleting Its Process File Path Indicator Removal TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information, PowerShell Anomaly
Registry Keys Used For Privilege Escalation Image File Execution Options Injection, Event Triggered Execution TTP
Regsvr32 Silent and Install Param Dll Loading System Binary Proxy Execution, Regsvr32 Anomaly
Runas Execution in CommandLine Access Token Manipulation, Token Impersonation/Theft Hunting
Schtasks Run Task On Demand Scheduled Task/Job TTP
Screensaver Event Trigger Execution Event Triggered Execution, Screensaver TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
Suspicious Process DNS Query Known Abuse Web Services Visual Basic, Command and Scripting Interpreter TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Process With Discord DNS Query Visual Basic, Command and Scripting Interpreter Anomaly
Time Provider Persistence Registry Time Providers, Boot or Logon Autostart Execution TTP
Unloading AMSI via Reflection Impair Defenses, PowerShell, Command and Scripting Interpreter TTP
W3WP Spawning Shell Server Software Component, Web Shell TTP
Windows Data Destruction Recursive Exec Files Deletion Data Destruction TTP
Windows Deleted Registry By A Non Critical Process File Path Modify Registry Anomaly
Windows Disable Memory Crash Dump Data Destruction TTP
Windows DotNet Binary in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows File Without Extension In Critical Folder Data Destruction TTP
Windows Hidden Schedule Task Settings Scheduled Task/Job TTP
Windows High File Deletion Frequency Data Destruction Anomaly
Windows InstallUtil in Non Standard Path Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil TTP
Windows Linked Policies In ADSI Discovery Domain Account, Account Discovery Anomaly
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Windows NirSoft AdvancedRun Tool TTP
Windows NirSoft Utilities Tool Hunting
Windows Processes Killed By Industroyer2 Malware Service Stop Anomaly
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows Root Domain linked policies Discovery Domain Account, Account Discovery Anomaly
Windows Terminating Lsass Process Disable or Modify Tools, Impair Defenses Anomaly
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinEvent Windows Task Scheduler Event Action Started Scheduled Task Hunting
WMI Recon Running Process Or Services Gather Victim Host Information Anomaly
Wscript Or Cscript Suspicious Child Process Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Linux Auditd Execve Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Proctitle Linux icon Linux linux:audit /var/log/audit/audit.log
Linux Auditd Service Stop Linux icon Linux linux:audit /var/log/audit/audit.log
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4769 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 Windows icon Windows wineventlog WinEventLog:Microsoft-Windows-TaskScheduler/Operational

References


Source: GitHub | Version: 1