Analytics Story: Data Destruction
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the data destruction, including deleting files, overwriting files, wiping disk and unrecoverable file encryption. This analytic story may cover several known activities related to malware implants used in geo-political war to wipe disks or files to interrupt the network-wide operation of a targeted organization. Analytics can detect the behavior of "DoubleZero Destructor", "CaddyWiper", "AcidRain", "AwfulShred", "Hermetic Wiper", "Swift Slicer", "Whisper Gate" and many more.
Why it matters
Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface or using 3rd party drivers to directly access disk content like Master Boot Record to wipe it. Some of these attacks were seen in geo-political war to impair the operation of targeted organizations or to interrupt network-wide services.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4688 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 22 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Cisco Network Visibility Module Flow Data | cisco:nvm:flowdata |
not_applicable |
|
| Sysmon for Linux EventID 1 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Office 365 Universal Audit Log | Other | o365:management:activity |
o365 |
| Powershell Script Block Logging 4104 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
| Sysmon EventID 13 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 11 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 5 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 26 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 23 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon for Linux EventID 11 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
| Windows Event Log Security 4698 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Linux Auditd Proctitle | auditd |
auditd |
|
| AWS Cloudfront | aws:cloudfront:accesslogs |
aws |
|
| Office 365 Reporting Message Trace | Other | o365:reporting:messagetrace |
o365 |
| Linux Auditd Execve | auditd |
auditd |
|
| Sysmon EventID 9 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 10 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 12 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4769 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Osquery Results | Other | osquery:results |
osquery |
| Sysmon EventID 7 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log TaskScheduler 201 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Windows Event Log TaskScheduler 200 | wineventlog |
WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
|
| Linux Auditd Service Stop | auditd |
auditd |
|
| Windows Event Log Security 5145 | XmlWinEventLog |
XmlWinEventLog:Security |
References
- https://attack.mitre.org/techniques/T1485/
- https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware
- https://www.splunk.com/en_us/blog/security/threat-update-industroyer2.html
- https://www.splunk.com/en_us/blog/security/threat-update-doublezero-destructor.html
- https://www.splunk.com/en_us/blog/security/threat-advisory-strt-ta02-destructive-software.html
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/
- https://www.splunk.com/en_us/blog/security/threat-update-caddywiper.html
- https://www.splunk.com/en_us/blog/security/strt-ta03-cpe-destructive-software.html
- https://www.splunk.com/en_us/blog/security/threat-advisory-swiftslicer-wiper-strt-ta03.html
- https://www.splunk.com/en_us/blog/security/threat-update-acidrain-wiper.html
- https://www.splunk.com/en_us/blog/security/detecting-hermeticwiper.html
- https://www.splunk.com/en_us/blog/security/threat-update-cyclopsblink.html
Source: GitHub | Version: 2