Analytics Story: WhisperGate

Description

This analytic story contains detections that help security analysts detect and investigate unusual activity that might relate to the destructive malware targeting Ukrainian organizations, also known as "WhisperGate". It looks for suspicious process execution, command-line activity, downloads, DNS queries and more.

Why it matters

WhisperGate/DEV-0586 is a destructive malware operation found by MSTIC (Microsoft Threat Intelligence Center) targeting multiple organizations in Ukraine. The campaign consists of several malware components, including a downloader that abuses the Discord platform, a component that overwrites or destroys the master boot record (MBR) of the targeted host, a wiper, and Windows Defender evasion techniques.

Detections

Name | Technique | Type
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Executables Or Script Creation In Temp Path | Masquerading | Anomaly
Impacket Lateral Movement Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Impacket Lateral Movement WMIExec Commandline Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Suspicious Process With Discord DNS Query | Visual Basic | Anomaly
Excessive File Deletion In WinDefender Folder | Data Destruction | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Ping Sleep Batch Command | Time Based Checks | Anomaly
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Windows Attempt To Stop Security Service | Disable or Modify Tools | TTP
Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting
Powershell Windows Defender Exclusion Commands | Disable or Modify Tools | TTP
Windows High File Deletion Frequency | Data Destruction | Anomaly
Add or Set Windows Defender Exclusion | Disable or Modify Tools | TTP
Powershell Remove Windows Defender Directory | Disable or Modify Tools | TTP
Wscript Or Cscript Suspicious Child Process | Process Injection, Parent PID Spoofing, Create or Modify System Process | Anomaly
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Process Deleting Its Process File Path | Indicator Removal | TTP
Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe | TTP
Impacket Lateral Movement smbexec CommandLine Parameters | SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service | TTP
Windows DotNet Binary in Non Standard Path | Rename Legitimate Utilities, InstallUtil | TTP
Windows NirSoft AdvancedRun | Tool | TTP
Windows InstallUtil in Non Standard Path | Rename Legitimate Utilities, InstallUtil | TTP
Windows NirSoft Utilities | Tool | Hunting
Windows NirSoft Tool Bundle File Created | Tool | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 9 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Source: GitHub | Version: 2