Analytics Story: Graceful Wipe Out Attack
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.
Why it matters
Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.
Detections
| Name ▲▼ |
Technique ▲▼ |
Type ▲▼ |
| Windows AdFind Exe |
Remote System Discovery |
TTP |
| Windows Raw Access To Disk Volume Partition |
Disk Structure Wipe |
Anomaly |
| Suspicious SearchProtocolHost no Command Line Arguments |
Process Injection |
TTP |
| Suspicious GPUpdate no Command Line Arguments |
Process Injection |
TTP |
| SecretDumps Offline NTDS Dumping Tool |
NTDS |
TTP |
| SAM Database File Access Attempt |
Security Account Manager |
Hunting |
| Windows Process Injection Remote Thread |
Portable Executable Injection |
TTP |
| Services Escalate Exe |
Abuse Elevation Control Mechanism |
TTP |
| Remote WMI Command Attempt |
Windows Management Instrumentation |
TTP |
| Rundll32 with no Command Line Arguments with Network |
Rundll32 |
TTP |
| GPUpdate with no Command Line Arguments with Network |
Process Injection |
TTP |
| Windows User Deletion Via Net |
Account Access Removal |
Anomaly |
| Suspicious MSBuild Rename |
Rename Legitimate Utilities, MSBuild |
Hunting |
| Suspicious msbuild path |
Rename Legitimate Utilities, MSBuild |
TTP |
| Executables Or Script Creation In Suspicious Path |
Masquerading |
Anomaly |
| Anomalous usage of 7zip |
Archive via Utility |
Anomaly |
| Suspicious Rundll32 StartW |
Rundll32 |
TTP |
| Windows Office Product Spawned Rundll32 With No DLL |
Spearphishing Attachment |
TTP |
| Windows Group Discovery Via Net |
Local Groups, Domain Groups |
Hunting |
| Suspicious DLLHost no Command Line Arguments |
Process Injection |
TTP |
| Windows Suspicious C2 Named Pipe |
SMB/Windows Admin Shares, Process Injection, Inter-Process Communication |
TTP |
| Windows Service Stop Attempt |
Service Stop |
Hunting |
| Detect Regsvr32 Application Control Bypass |
Regsvr32 |
TTP |
| Suspicious microsoft workflow compiler rename |
Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution |
Hunting |
| Impacket Lateral Movement smbexec CommandLine Parameters |
SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Windows Suspicious Named Pipe |
SMB/Windows Admin Shares, Process Injection, Inter-Process Communication |
TTP |
| Suspicious Rundll32 no Command Line Arguments |
Rundll32 |
TTP |
| Windows Service Stop By Deletion |
Service Stop |
Hunting |
| Windows Raw Access To Master Boot Record Drive |
Disk Structure Wipe |
TTP |
| DLLHost with no Command Line Arguments with Network |
Process Injection |
TTP |
| Executable File Written in Administrative SMB Share |
SMB/Windows Admin Shares |
TTP |
| Windows Excessive Usage Of Net App |
Account Access Removal |
Anomaly |
| Windows Attempt To Stop Security Service |
Disable or Modify Tools |
TTP |
| Windows Suspicious Process File Path |
Match Legitimate Resource Name or Location, Create or Modify System Process |
TTP |
| Executables Or Script Creation In Temp Path |
Masquerading |
Anomaly |
| CMD Echo Pipe - Escalation |
Windows Command Shell, Windows Service |
TTP |
| SearchProtocolHost with no Command Line with Network |
Process Injection |
TTP |
| Impacket Lateral Movement WMIExec Commandline Parameters |
SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
| Impacket Lateral Movement Commandline Parameters |
SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Data Sources
References
Source: GitHub | Version: 2