Analytics Story: Hermetic Wiper

Date: 2022-03-02 ID: b7511c2e-9a10-11ec-99e3-acde48001122 Author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.

Why it matters

Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Email Attachments With Lots Of Spaces None Anomaly
Suspicious Email Attachment Extensions Spearphishing Attachment Anomaly
Suspicious Process File Path Create or Modify System Process TTP
Active Setup Registry Autostart Active Setup TTP
Any Powershell DownloadFile PowerShell, Ingress Tool Transfer TTP
Any Powershell DownloadString PowerShell, Ingress Tool Transfer TTP
Child Processes of Spoolsv exe Exploitation for Privilege Escalation TTP
CMD Carry Out String Command Parameter Windows Command Shell Hunting
Detect Empire with PowerShell Script Block Logging PowerShell TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
ETW Registry Disabled Trusted Developer Utilities Proxy Execution, Indicator Blocking TTP
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Executables Or Script Creation In Temp Path Masquerading Anomaly
Kerberoasting spn request with RC4 encryption Kerberoasting TTP
Linux Java Spawning Shell Exploit Public-Facing Application, External Remote Services TTP
Logon Script Event Trigger Execution Logon Script (Windows) TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Malicious PowerShell Process With Obfuscation Techniques PowerShell TTP
MSI Module Loaded by Non-System Binary DLL Side-Loading Hunting
Overwriting Accessibility Binaries Accessibility Features TTP
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service TTP
PowerShell 4104 Hunting PowerShell Hunting
PowerShell - Connect To Internet With Hidden Window PowerShell Hunting
PowerShell Domain Enumeration PowerShell TTP
Powershell Enable SMB1Protocol Feature Indicator Removal from Tools TTP
Powershell Execute COM Object PowerShell, Component Object Model Hijacking TTP
Powershell Fileless Process Injection via GetProcAddress Process Injection, PowerShell TTP
Powershell Fileless Script Contains Base64 Encoded Content Obfuscated Files or Information, PowerShell TTP
PowerShell Loading DotNET into Memory via Reflection PowerShell Anomaly
Powershell Processing Stream Of Data PowerShell TTP
Powershell Using memory As Backing Store PowerShell TTP
Print Processor Registry Autostart Print Processors TTP
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
Recon Using WMI Class Gather Victim Host Information, PowerShell Anomaly
Registry Keys Used For Privilege Escalation Image File Execution Options Injection TTP
Regsvr32 Silent and Install Param Dll Loading Regsvr32 Anomaly
Runas Execution in CommandLine Token Impersonation/Theft Hunting
Screensaver Event Trigger Execution Screensaver TTP
Set Default PowerShell Execution Policy To Unrestricted or Bypass PowerShell TTP
Time Provider Persistence Registry Time Providers TTP
Unloading AMSI via Reflection PowerShell, Impair Defenses TTP
W3WP Spawning Shell Web Shell TTP
Windows Disable Memory Crash Dump Data Destruction TTP
Windows File Without Extension In Critical Folder Data Destruction TTP
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Windows New Default File Association Value Set Change Default File Association Hunting
Windows Raw Access To Disk Volume Partition Disk Structure Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe TTP
Windows Suspicious Process File Path Create or Modify System Process, Match Legitimate Name or Location TTP
WMI Recon Running Process Or Services Gather Victim Host Information Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4769 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 5145 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1