GitHub Repo

Analytics Story: Graceful Wipe Out Attack

Updated Date: 2026-05-13 ID: 83b15b3c-6bda-45aa-a3b6-b05c52443f44 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive attack or campaign found by "THE DFIR Report" that uses Truebot, FlawedGrace and MBR killer malware. This analytic story looks for suspicious dropped files, cobalt strike execution, im-packet execution, registry modification, scripts, persistence, lateral movement, impact, exfiltration and recon.

Why it matters

Graceful Wipe Out Attack is a destructive malware campaign found by "The DFIR Report" targeting multiple organizations to collect, exfiltrate and wipe the data of targeted networks. This malicious payload corrupts or wipes Master Boot Records by using an NSIS script after the exfiltration of sensitive information from the targeted host or system.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Suspicious Rundll32 StartW Rundll32 TTP
DLLHost with no Command Line Arguments with Network Process Injection TTP
Windows Service Stop By Deletion Service Stop Hunting
Windows AdFind Exe Remote System Discovery TTP
GPUpdate with no Command Line Arguments with Network Process Injection TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Suspicious MSBuild Rename Rename Legitimate Utilities, MSBuild Hunting
SecretDumps Offline NTDS Dumping Tool NTDS TTP
SearchProtocolHost with no Command Line with Network Process Injection TTP
Suspicious DLLHost no Command Line Arguments Process Injection TTP
Detect Regsvr32 Application Control Bypass Regsvr32 TTP
Suspicious GPUpdate no Command Line Arguments Process Injection TTP
CMD Echo Pipe - Escalation Windows Command Shell, Windows Service TTP
Windows User Deletion Via Net Account Access Removal Anomaly
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Windows Office Product Spawned Rundll32 With No DLL Spearphishing Attachment TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe Anomaly
Executables Or Script Creation In Temp Path Masquerading Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe TTP
Windows Suspicious C2 Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Windows Attempt To Stop Security Service Disable or Modify Tools TTP
Anomalous usage of 7zip Archive via Utility Anomaly
Impacket Lateral Movement smbexec CommandLine Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Windows Service Stop Attempt Service Stop Hunting
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Rundll32 with no Command Line Arguments with Network Rundll32 TTP
Suspicious SearchProtocolHost no Command Line Arguments Process Injection TTP
Windows Excessive Usage Of Net App Account Access Removal Anomaly
Suspicious microsoft workflow compiler rename Rename Legitimate Utilities, Trusted Developer Utilities Proxy Execution Hunting
Windows Process Injection Remote Thread Portable Executable Injection TTP
Windows Group Discovery Via Net Local Groups, Domain Groups Hunting
Suspicious msbuild path Rename Legitimate Utilities, MSBuild TTP
SAM Database File Access Attempt Security Account Manager Hunting
Windows Suspicious Named Pipe SMB/Windows Admin Shares, Process Injection, Inter-Process Communication TTP
Suspicious Rundll32 no Command Line Arguments Rundll32 TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 3 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 8 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security

References

Source: GitHub | Version: 2