Analytics Story: Industroyer2

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.

Why it matters

Industroyer2 is part of the continuing attacks on Ukraine targeting energy facilities. The malware is a Windows binary that implements the IEC-104 protocol to communicate with industrial equipment. The attack consists of several destructive Linux script components that wipe or delete critical Linux files, PowerShell for domain enumeration, and CaddyWiper to wipe the boot sector of the targeted host.

Detections

Name | Technique | Type
Suspicious Process File Path | Create or Modify System Process | TTP
AdsiSearcher Account Discovery | Domain Account | TTP
Dump LSASS via comsvcs DLL | LSASS Memory | TTP
Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Linux Adding Crontab Using List Parameter | Cron | Hunting
Linux Auditd Dd File Overwrite | Data Destruction | TTP
Linux Auditd Shred Overwrite Command | Data Destruction | TTP
Linux Auditd Stop Services | Service Stop | Hunting
Linux DD File Overwrite | Data Destruction | TTP
Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP
Linux Disable Services | Service Stop | TTP
Linux High Frequency Of File Deletion In Boot Folder | File Deletion, Data Destruction | TTP
Linux Shred Overwrite Command | Data Destruction | TTP
Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall | Anomaly
Linux Stop Services | Service Stop | TTP
Linux System Network Discovery | System Network Configuration Discovery | Anomaly
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Schtasks Run Task On Demand | Scheduled Task/Job | TTP
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Linked Policies In ADSI Discovery | Domain Account | Anomaly
Windows Processes Killed By Industroyer2 Malware | Service Stop | Anomaly
Windows Root Domain linked policies Discovery | Domain Account | Anomaly
Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Linux Auditd Proctitle | Linux | auditd | auditd
Linux Auditd Service Stop | Linux | auditd | auditd
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 5145 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Windows Event Log TaskScheduler 201 | Windows | xmlwineventlog | XmlWinEventLog:Security

References


Source: GitHub | Version: 1