GitHub Repo

Analytics Story: Hermetic Wiper

Updated Date: 2026-05-13 ID: b7511c2e-9a10-11ec-99e3-acde48001122 Author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "Hermetic Wiper". This analytic story looks for abuse of Regsvr32, executables written in administrative SMB Share, suspicious processes, disabling of memory crash dump and more.

Why it matters

Hermetic Wiper is destructive malware operation found by Sentinel One targeting multiple organizations in Ukraine. This malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes for file destruction.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
PowerShell - Connect To Internet With Hidden Window PowerShell Hunting
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Print Processor Registry Autostart Print Processors TTP
Registry Keys Used For Privilege Escalation Image File Execution Options Injection TTP
Kerberoasting spn request with RC4 encryption Kerberoasting TTP
Time Provider Persistence Registry Time Providers TTP
Malicious PowerShell Process With Obfuscation Techniques PowerShell TTP
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Windows Modify Show Compress Color And Info Tip Registry Modify Registry TTP
Active Setup Registry Autostart Active Setup TTP
Regsvr32 Silent and Install Param Dll Loading Regsvr32 Anomaly
Powershell Enable SMB1Protocol Feature Indicator Removal from Tools TTP
Overwriting Accessibility Binaries Accessibility Features TTP
Windows Disable Memory Crash Dump Data Destruction TTP
Powershell Using memory As Backing Store PowerShell TTP
Powershell Execute COM Object PowerShell, Component Object Model Hijacking TTP
Detect Empire with PowerShell Script Block Logging PowerShell TTP
Recon Using WMI Class PowerShell, Gather Victim Host Information Anomaly
Screensaver Event Trigger Execution Screensaver TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe Anomaly
ETW Registry Disabled Trusted Developer Utilities Proxy Execution, Disable or Modify Tools TTP
PowerShell Domain Enumeration PowerShell TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe TTP
Email Attachments With Lots Of Spaces Masquerade File Type, Spearphishing Attachment Anomaly
Windows File Download Via PowerShell PowerShell, Ingress Tool Transfer Anomaly
Set Default PowerShell Execution Policy To Unrestricted or Bypass PowerShell TTP
PowerShell 4104 Hunting PowerShell Hunting
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Powershell Processing Stream Of Data PowerShell TTP
Suspicious Email Attachment Extensions Spearphishing Attachment Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Web or Application Server Spawning a Shell External Remote Services, Exploit Public-Facing Application TTP
Windows New Default File Association Value Set Change Default File Association Hunting
Windows File Without Extension In Critical Folder Data Destruction TTP
Executable File Written in Administrative SMB Share SMB/Windows Admin Shares TTP
Powershell Fileless Script Contains Base64 Encoded Content Obfuscated Files or Information, PowerShell TTP
Runas Execution in CommandLine Token Impersonation/Theft Hunting
Possible Lateral Movement PowerShell Spawn Distributed Component Object Model, Windows Remote Management, Windows Management Instrumentation, Scheduled Task, PowerShell, MMC, Windows Service Anomaly
Recon AVProduct Through Pwh or WMI Gather Victim Host Information TTP
WMI Recon Running Process Or Services Gather Victim Host Information Anomaly
CMD Carry Out String Command Parameter Windows Command Shell Hunting
MSI Module Loaded by Non-System Binary DLL Hunting
Child Processes of Spoolsv exe Exploitation for Privilege Escalation TTP
Logon Script Event Trigger Execution Logon Script (Windows) TTP
PowerShell Loading DotNET into Memory via Reflection PowerShell Anomaly
Unloading AMSI via Reflection PowerShell, Disable or Modify Tools TTP
Powershell Fileless Process Injection via GetProcAddress Process Injection, PowerShell TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4769 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable
Sysmon for Linux EventID 1 Linux icon Linux sysmon:linux Syslog:Linux-Sysmon/Operational
Windows Event Log Security 5145 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References

Source: GitHub | Version: 2