forked from splunk/security_content
hermetic_wiper.yml
22 lines (22 loc) · 1.11 KB
name: Hermetic Wiper
id: b7511c2e-9a10-11ec-99e3-acde48001122
version: 1
date: '2022-03-02'
author: Teoderick Contreras, Rod Soto, Michael Haag, Splunk
description: This analytic story contains detections that allow security analysts to detect and investigate unusual activity
  that might relate to the destructive malware targeting Ukrainian organizations, also known as "Hermetic Wiper". The story looks for abuse of Regsvr32, executables written to administrative SMB shares, suspicious processes, the disabling of memory crash dumps, and more.
narrative: Hermetic Wiper is a destructive malware operation, discovered by SentinelOne, that targets
  multiple organizations in Ukraine. The malicious payload corrupts Master Boot Records, uses signed drivers and manipulates NTFS attributes to destroy files.
references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-057a
tags:
  category:
  - Data Destruction
  - Malware
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection