Analytics Story: WhisperGate

Date: 2022-01-19 ID: 0150e6e5-3171-442e-83f8-1ccd8599569b Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

This analytic story contains detections that allow security analysts to detect and investigate unusual activities that might relate to the destructive malware targeting Ukrainian organizations also known as "WhisperGate". This analytic story looks for suspicious process execution, command-line activity, downloads, DNS queries and more.

Why it matters

WhisperGate/DEV-0586 is destructive malware operation found by MSTIC (Microsoft Threat Inteligence Center) targeting multiple organizations in Ukraine. This operation campaign consist of several malware component like the downloader that abuses discord platform, overwrite or destroy master boot record (MBR) of the targeted host, wiper and also windows defender evasion techniques.

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Add or Set Windows Defender Exclusion	Disable or Modify Tools, Impair Defenses	TTP
Attempt To Stop Security Service	Disable or Modify Tools, Impair Defenses	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Excessive File Deletion In WinDefender Folder	Data Destruction	TTP
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Impacket Lateral Movement Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement smbexec CommandLine Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement WMIExec Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Malicious PowerShell Process - Encoded Command	Obfuscated Files or Information	Hunting
Ping Sleep Batch Command	Virtualization/Sandbox Evasion, Time Based Evasion	Anomaly
Powershell Remove Windows Defender Directory	Disable or Modify Tools, Impair Defenses	TTP
Powershell Windows Defender Exclusion Commands	Disable or Modify Tools, Impair Defenses	TTP
Process Deleting Its Process File Path	Indicator Removal	TTP
Suspicious Process DNS Query Known Abuse Web Services	Visual Basic, Command and Scripting Interpreter	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious Process With Discord DNS Query	Visual Basic, Command and Scripting Interpreter	Anomaly
Windows DotNet Binary in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows High File Deletion Frequency	Data Destruction	Anomaly
Windows InstallUtil in Non Standard Path	Masquerading, Rename System Utilities, System Binary Proxy Execution, InstallUtil	TTP
Windows NirSoft AdvancedRun	Tool	TTP
Windows NirSoft Utilities	Tool	Hunting
Windows Raw Access To Master Boot Record Drive	Disk Structure Wipe, Disk Wipe	TTP
Wscript Or Cscript Suspicious Child Process	Process Injection, Create or Modify System Process, Parent PID Spoofing, Access Token Manipulation	TTP

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Powershell Script Block Logging 4104	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 22	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 23	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 9	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

Source: GitHub | Version: 1