Analytics Story: Hermetic Wiper
Description
This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations, also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written to administrative SMB shares, suspicious processes, the disabling of memory crash dumps, and more.
Why it matters
Hermetic Wiper is a destructive malware operation, discovered by SentinelOne, targeting multiple organizations in Ukraine. The malicious payload corrupts Master Boot Records, uses signed drivers, and manipulates NTFS attributes to destroy files.
Detections
| Name | Technique | Type |
|---|---|---|
| Suspicious Email Attachment Extensions | Spearphishing Attachment | Anomaly |
| CMD Carry Out String Command Parameter | Windows Command Shell | Hunting |
| Logon Script Event Trigger Execution | Logon Script (Windows) | TTP |
| Windows Modify Show Compress Color And Info Tip Registry | Modify Registry | TTP |
| Windows New Default File Association Value Set | Change Default File Association | Hunting |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP |
| PowerShell - Connect To Internet With Hidden Window | PowerShell | Hunting |
| Time Provider Persistence Registry | Time Providers | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Unloading AMSI via Reflection | PowerShell, Disable or Modify Tools | TTP |
| Powershell Fileless Process Injection via GetProcAddress | Process Injection, PowerShell | TTP |
| Windows Disable Memory Crash Dump | Data Destruction | TTP |
| Powershell Execute COM Object | PowerShell, Component Object Model Hijacking | TTP |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly |
| Screensaver Event Trigger Execution | Screensaver | TTP |
| WMI Recon Running Process Or Services | Gather Victim Host Information | Anomaly |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Overwriting Accessibility Binaries | Accessibility Features | TTP |
| MSI Module Loaded by Non-System Binary | DLL | Hunting |
| Malicious PowerShell Process With Obfuscation Techniques | PowerShell | TTP |
| PowerShell 4104 Hunting | PowerShell | Hunting |
| PowerShell Loading DotNET into Memory via Reflection | PowerShell | Anomaly |
| Powershell Using memory As Backing Store | PowerShell | TTP |
| Print Processor Registry Autostart | Print Processors | TTP |
| Kerberoasting spn request with RC4 encryption | Kerberoasting | TTP |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP |
| Child Processes of Spoolsv exe | Exploitation for Privilege Escalation | TTP |
| Detect Empire with PowerShell Script Block Logging | PowerShell | TTP |
| Runas Execution in CommandLine | Token Impersonation/Theft | Hunting |
| ETW Registry Disabled | Trusted Developer Utilities Proxy Execution, Disable or Modify Tools | TTP |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP |
| Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP |
| Regsvr32 Silent and Install Param Dll Loading | Regsvr32 | Anomaly |
| Email Attachments With Lots Of Spaces | Masquerade File Type, Spearphishing Attachment | Anomaly |
| Registry Keys Used For Privilege Escalation | Image File Execution Options Injection | TTP |
| Powershell Processing Stream Of Data | PowerShell | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| PowerShell Domain Enumeration | PowerShell | TTP |
| Windows File Without Extension In Critical Folder | Data Destruction | TTP |
| Active Setup Registry Autostart | Active Setup | TTP |
| Possible Lateral Movement PowerShell Spawn | Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service | Anomaly |
| Powershell Enable SMB1Protocol Feature | Indicator Removal from Tools | TTP |
| Recon AVProduct Through Pwh or WMI | Gather Victim Host Information | TTP |
| Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP |
Data Sources
References
Source: GitHub | Version: 2