Analytics Story: Graceful Wipe Out Attack
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.
Why it matters
Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Sysmon EventID 1 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 11 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 17 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 18 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 3 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 8 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 9 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Windows Event Log Security 4663 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 4688 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 5145 | xmlwineventlog |
XmlWinEventLog:Security |
References
Source: GitHub | Version: 1