Analytics Story: Industroyer2
Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.
Why it matters
Industroyer2 is part of the ongoing attacks against Ukraine that target energy facilities. The malware is a Windows binary that implements the IEC-104 (IEC 60870-5-104) protocol to communicate directly with industrial equipment. The attack also included several destructive Linux script components that wipe or delete critical Linux files, a PowerShell script used for domain enumeration, and CaddyWiper to wipe the boot sector of the targeted host.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Linux Auditd Service Stop | Linux | auditd | auditd |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Windows Event Log Security 5145 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Osquery Results | Other | osquery:results | osquery |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Linux Auditd Proctitle | Linux | auditd | auditd |
| Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
| Windows Event Log TaskScheduler 201 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
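Two of the data sources above can be joined to surface the persistence step the description mentions: a payload written to disk (Sysmon EventID 11) followed by a scheduled task on the same host that executes that file (Security 4698). The following is an added example, not Splunk's code or one of the story's searches: a Python correlation run over constructed XmlWinEventLog-style records. Hosts, users, paths and timestamps are made up for the example; the EventData field names are the ones the two providers emit.

```python
"""Join Sysmon EventID 11 (file write) to Security 4698 (task created).

Added example for the Industroyer2 story, not Splunk's code. All sample
events are constructed; nothing here is real telemetry.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
EXEC_SUFFIXES = (".exe", ".dll", ".bat", ".cmd", ".ps1")

# Constructed XmlWinEventLog-style records (hosts, users, paths, times made up).
SAMPLE_EVENTS = [
    # host-01: cmd.exe writes an executable under ProgramData ...
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID>
<TimeCreated SystemTime="2022-04-08T10:00:00.000Z"/>
<Computer>host-01.corp.example</Computer></System>
<EventData><Data Name="Image">C:\Windows\System32\cmd.exe</Data>
<Data Name="TargetFilename">C:\ProgramData\update\svc.exe</Data></EventData></Event>""",
    # ... and minutes later a task is registered to run it. TaskContent holds
    # the task definition as escaped XML; note the quoted, differently-cased path.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
<TimeCreated SystemTime="2022-04-08T10:04:30.000Z"/>
<Computer>HOST-01.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">svc_admin</Data>
<Data Name="TaskName">\Microsoft\Windows\Update\svc</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;"C:\ProgramData\Update\SVC.EXE"&lt;/Command&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>""",
    # host-02: a task whose binary no write event touched; produces no finding.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4698</EventID>
<TimeCreated SystemTime="2022-04-08T09:00:00.000Z"/>
<Computer>host-02.corp.example</Computer></System>
<EventData><Data Name="SubjectUserName">SYSTEM</Data>
<Data Name="TaskName">\Microsoft\Windows\Maintenance\Cleanup</Data>
<Data Name="TaskContent">&lt;Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;C:\Windows\System32\wsqmcons.exe&lt;/Command&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;</Data>
</EventData></Event>""",
]


def parse_event(xml_text):
    """Return event_id, lower-cased host, UTC time and the EventData map."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVT_NS)
    stamp = system.find("e:TimeCreated", EVT_NS).get("SystemTime")
    return {
        "event_id": int(system.find("e:EventID", EVT_NS).text),
        "host": system.find("e:Computer", EVT_NS).text.strip().lower(),
        "time": datetime.fromisoformat(stamp.replace("Z", "+00:00")),
        "data": {d.get("Name"): (d.text or "").strip()
                 for d in root.findall("e:EventData/e:Data", EVT_NS)},
    }


def task_commands(task_content):
    """Extract every Exec/Command from a 4698 TaskContent task definition."""
    body = task_content.strip()
    if not body:
        return []
    if body.startswith("<?xml"):          # real records may carry a declaration
        body = body[body.index("?>") + 2:]
    task = ET.fromstring(body)
    return [c.text.strip() for c in task.findall(".//t:Exec/t:Command", TASK_NS) if c.text]


def normalize_path(path):
    """Case-fold and strip surrounding quotes so both sources join on one key."""
    return path.strip().strip('"').lower()


def correlate(events):
    """Flag a task creation whose command was written earlier on the same host."""
    ordered = sorted((parse_event(x) for x in events), key=lambda e: e["time"])
    dropped = {}    # (host, path) -> the Sysmon 11 event that wrote the file
    findings = []
    for ev in ordered:
        d = ev["data"]
        if ev["event_id"] == 11 and d.get("TargetFilename", "").lower().endswith(EXEC_SUFFIXES):
            dropped[(ev["host"], normalize_path(d["TargetFilename"]))] = ev
        elif ev["event_id"] == 4698:
            for cmd in task_commands(d.get("TaskContent", "")):
                write = dropped.get((ev["host"], normalize_path(cmd)))
                if write is not None:
                    findings.append({
                        "host": ev["host"],
                        "task": d.get("TaskName"),
                        "command": cmd,
                        "creator": d.get("SubjectUserName"),
                        "dropped_by": write["data"].get("Image"),
                        "write_time": write["time"].isoformat(),
                        "task_time": ev["time"].isoformat(),
                    })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Events are sorted by time before the join, so only a write that precedes the task creation matches; the host name and path are case-folded and the task's quoted command is unquoted, since the two providers do not format these fields the same way. The same join keys (host plus normalized path) carry over to the Sysmon for Linux EventID 11 and TaskScheduler 200/201 sources in the table if you extend the correlation.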
References
- https://cert.gov.ua/article/39518
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
Source: GitHub | Version: 2