Analytics Story: Industroyer2

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Industroyer2 attack, including file writes associated with its payload, lateral movement, persistence, privilege escalation and data destruction.

Why it matters

Industroyer2 is part of the ongoing attacks against Ukraine that target energy facilities. The malware itself is a Windows binary that implements the IEC-104 protocol to communicate with industrial equipment. The wider attack also includes several destructive components: Linux scripts that wipe or delete critical Linux files, PowerShell used for domain enumeration, and CaddyWiper, which wipes the boot sector of the targeted host. Note that the detections in this story rely on endpoint telemetry (process creation, file writes, scheduled tasks, service stops) from the data sources listed below; they do not inspect IEC-104 traffic itself, so the ICS protocol activity needs separate network coverage.

Detections

| Name | Technique | Type |
|------|-----------|------|
| Linux Auditd Stop Services | Service Stop | Hunting |
| Executables Or Script Creation In Temp Path | Masquerading | Anomaly |
| Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Executable File Written in Administrative SMB Share | SMB/Windows Admin Shares | TTP |
| Linux System Network Discovery | System Network Configuration Discovery | Anomaly |
| Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Linux DD File Overwrite | Data Destruction | TTP |
| AdsiSearcher Account Discovery | Domain Account | TTP |
| Windows Root Domain linked policies Discovery | Domain Account | Anomaly |
| Linux Stop Services | Service Stop | TTP |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Linux Adding Crontab Using List Parameter | Cron | Hunting |
| Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP |
| Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly |
| Windows Processes Killed By Industroyer2 Malware | Service Stop | Anomaly |
| Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP |
| Linux High Frequency Of File Deletion In Boot Folder | File Deletion, Data Destruction | TTP |
| Windows Linked Policies In ADSI Discovery | Domain Account | Anomaly |
| Linux Auditd Dd File Overwrite | Data Destruction | TTP |
| Linux Shred Overwrite Command | Data Destruction | TTP |
| Linux Deleting Critical Directory Using RM Command | Data Destruction | TTP |
| Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP |
| Linux Stdout Redirection To Dev Null File | Disable or Modify System Firewall | Anomaly |
| Linux Disable Services | Service Stop | TTP |
| Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Schtasks Run Task On Demand | Scheduled Task/Job | Anomaly |
| WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP |
| Linux Auditd Shred Overwrite Command | Data Destruction | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |
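The table above lists detection titles only. To make the logic concrete, the following is an added example (not the Splunk searches themselves and not anything from the Industroyer2 samples) that runs simplified, regex-based stand-ins for a handful of the listed detections over constructed process-creation events, then correlates the hits per host so that a host showing several data-destruction rules at once stands out. The rule regexes, the host names, the `ProcEvent` shape and the sample command lines are all this example's own assumptions; the real detections carry more conditions and operate on Sysmon/auditd fields, not on a single command-line string.

```python
"""Toy per-host detection pass over constructed process-creation events.

Added example: the regexes below are simplified approximations of the kind of
command-line patterns the story's detections look for; they are not the Splunk
searches and not Industroyer2 code.  Events are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / auditd EXECVE style), constructed."""
    host: str
    platform: str   # "linux" or "windows"
    cmdline: str


# (detection title from the story, regex over the command line).  Linux rules
# are case-sensitive; Windows rules ignore case because Windows paths do.
LINUX_RULES = [
    ("Linux DD File Overwrite",
     re.compile(r"\bdd\b.*\bif=/dev/(zero|u?random)\b.*\bof=\S+")),
    ("Linux Shred Overwrite Command",
     re.compile(r"\bshred\b.*\s(-u|--remove|-z|-n\s*\d+)\b")),
    ("Linux Deleting Critical Directory Using RM Command",
     re.compile(r"\brm\s+-\w*[rR]\w*\s+(/boot|/etc|/usr|/var|/home)(/\S*)?\s*$")),
    ("Linux Stop Services",
     re.compile(r"\bsystemctl\s+stop\s+\S+|\bservice\s+\S+\s+stop\b")),
]
WINDOWS_RULES = [
    ("Impacket Lateral Movement Commandline Parameters",
     re.compile(r"cmd(\.exe)?\s+/Q\s+/c\b.*\\\\127\.0\.0\.1\\(ADMIN|C)\$", re.I)),
    ("Windows Sensitive Registry Hive Dump Via CommandLine",
     re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
    ("Dump LSASS via comsvcs DLL",
     re.compile(r"comsvcs(\.dll)?\b.*\bMiniDump\b", re.I)),
    ("AdsiSearcher Account Discovery",
     re.compile(r"\[adsisearcher\]", re.I)),
]

# Rules whose co-occurrence on one host suggests a wiper chain rather than admin work.
DESTRUCTIVE = {
    "Linux DD File Overwrite",
    "Linux Shred Overwrite Command",
    "Linux Deleting Critical Directory Using RM Command",
}

# Constructed sample events (hypothetical hosts); two are benign negatives.
EVENTS = [
    ProcEvent("linux-ops-01", "linux", "dd if=/dev/zero of=/dev/sda bs=1M count=10"),
    ProcEvent("linux-ops-01", "linux", "shred -u -n 3 /var/log/syslog"),
    ProcEvent("linux-ops-01", "linux", "rm -rf /boot"),
    ProcEvent("linux-ops-01", "linux", "systemctl stop sshd"),
    ProcEvent("linux-ops-02", "linux", "dd if=/dev/sda of=/tmp/backup.img bs=4M"),  # benign image copy
    ProcEvent("win-eng-07", "windows",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1712345678.12 2>&1"),
    ProcEvent("win-eng-07", "windows", r"reg.exe save hklm\sam C:\Windows\Temp\sam.hiv"),
    ProcEvent("win-eng-07", "windows",
              r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"),
    ProcEvent("win-eng-07", "windows", r"schtasks.exe /query /tn Backup"),  # benign query
    ProcEvent("win-dc-01", "windows",
              r'powershell.exe -c ([adsisearcher]"(objectcategory=user)").FindAll()'),
]


def detect(events):
    """Return sorted, de-duplicated (host, rule) pairs for every matching event."""
    findings = set()
    for ev in events:
        rules = LINUX_RULES if ev.platform == "linux" else WINDOWS_RULES
        for name, rx in rules:
            if rx.search(ev.cmdline):
                findings.add((ev.host, name))
    return sorted(findings)


def by_host(findings):
    """Group (host, rule) pairs into {host: [rules...]} preserving sorted order."""
    out = defaultdict(list)
    for host, rule in findings:
        out[host].append(rule)
    return dict(out)


def hosts_with_destructive_chain(findings, threshold=2):
    """Hosts on which at least `threshold` distinct DESTRUCTIVE rules fired."""
    grouped = by_host(findings)
    return sorted(h for h, rules in grouped.items()
                  if len(DESTRUCTIVE & set(rules)) >= threshold)


if __name__ == "__main__":
    for host, rules in by_host(detect(EVENTS)).items():
        print(host, "->", "; ".join(rules))
    print("destructive chain on:", hosts_with_destructive_chain(detect(EVENTS)))
```

The correlation step is the part worth copying: a single `dd` or `shred` hit is routine on a Linux admin box, but three different destruction rules on one host within one pass is the signature the wiper scripts in this story leave, which is why the Linux detections above are tagged TTP rather than Hunting.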

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| Linux Auditd Service Stop | Linux | auditd | auditd |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Windows Event Log Security 5145 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Osquery Results | Other | osquery:results | osquery |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 11 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Linux Auditd Proctitle | Linux | auditd | auditd |
| Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
| Windows Event Log TaskScheduler 201 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 2