Analytics Story: Swift Slicer

Date: 2023-02-01 ID: 234c9dd7-52fb-4d6f-aec9-075ef88a2cea Author: Teoderick Contreras, Rod Soto, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the swift slicer malware including overwriting of files and etc.

Why it matters

Swift Slicer is one of Windows destructive malware found by ESET that was used in a targeted organizarion to wipe critical files like windows drivers and other files to destroy and left the machine inoperable. This malware like Caddy Wiper was deliver through GPO which suggests that the attacker had taken control of the victims active directory environment.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Suspicious Process File Path Create or Modify System Process TTP
Windows Data Destruction Recursive Exec Files Deletion Data Destruction TTP
Windows High File Deletion Frequency Data Destruction Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1