Analytics Story: Hermetic Wiper
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.
Why it matters
Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor |
crowdstrike |
Powershell Script Block Logging 4104 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
Sysmon EventID 1 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 11 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 12 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 13 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 7 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon EventID 9 | xmlwineventlog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
Sysmon for Linux EventID 1 | sysmon:linux |
Syslog:Linux-Sysmon/Operational |
|
Windows Event Log Security 4688 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 4769 | xmlwineventlog |
XmlWinEventLog:Security |
|
Windows Event Log Security 5145 | xmlwineventlog |
XmlWinEventLog:Security |
References
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
Source: GitHub | Version: 1