Branch was auto-updated.

detections/endpoint/detect_regasm_spawning_a_process.yml

@@ -47,6 +47,7 @@ tags:
   - Living Off The Land
   - DarkGate Malware
   - Snake Keylogger
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 80
   impact: 80

detections/endpoint/detect_regasm_with_network_connection.yml

@@ -33,6 +33,7 @@ tags:
   analytic_story:
   - Suspicious Regsvcs Regasm Activity
   - Living Off The Land
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 100
   impact: 80

detections/endpoint/detect_regasm_with_no_command_line_arguments.yml

@@ -43,6 +43,7 @@ tags:
   analytic_story:
   - Suspicious Regsvcs Regasm Activity
   - Living Off The Land
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 70
   impact: 70

detections/endpoint/executables_or_script_creation_in_suspicious_path.yml

@@ -73,6 +73,7 @@ tags:
   - Data Destruction
   - Snake Keylogger
   - AcidPour
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 50
   impact: 40

detections/endpoint/suspicious_process_file_path.yml

@@ -78,6 +78,7 @@ tags:
   - CISA AA23-347A
   - Data Destruction
   - Phemedrone Stealer
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 50
   impact: 70

detections/endpoint/windows_autoit3_execution.yml

@@ -39,6 +39,7 @@ references:
 tags:
   analytic_story:
   - DarkGate Malware
+  - Handala Wiper
   asset_type: Endpoint
   atomic_guid: []
   confidence: 100

detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml

@@ -19,7 +19,7 @@ data_source:
 search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll")
   | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time)
   as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image,
-  process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)`
+  process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)`
   | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`'
 how_to_implement: To successfully implement this search, you need to ingest logs that
   include the process name, TargetFilename, and ProcessID executions from your endpoints.
@@ -33,6 +33,7 @@ tags:
   analytic_story:
   - Swift Slicer
   - Data Destruction
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 80
   impact: 80

detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml

@@ -1,7 +1,7 @@
 name: Windows Gather Victim Network Info Through Ip Check Web Services
 id: 70f7c952-0758-46d6-9148-d8969c4481d1
-version: 3
-date: '2024-05-14'
+version: 4
+date: '2024-07-31'
 author: Teoderick Contreras, Splunk
 status: production
 type: Hunting
@@ -18,7 +18,7 @@ search: '`sysmon` EventCode=22  QueryName IN ("*wtfismyip.com", "*checkip.*", "*
   "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb",
   "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org",
   "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*",
-  "*geoip.*") |  stats  min(_time) as firstTime max(_time) as lastTime count by  Image
+  "*geoip.*", "*icanhazip.*") |  stats  min(_time) as firstTime max(_time) as lastTime count by  Image
   ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer
   as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
   | `windows_gather_victim_network_info_through_ip_check_web_services_filter`'
@@ -36,6 +36,7 @@ tags:
   - DarkCrystal RAT
   - Phemedrone Stealer
   - Snake Keylogger
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 50
   impact: 50

detections/endpoint/windows_high_file_deletion_frequency.yml

@@ -42,6 +42,7 @@ tags:
   - Data Destruction
   - WhisperGate
   - Sandworm Tools
+  - Handala Wiper
   asset_type: Endpoint
   confidence: 80
   impact: 90

stories/handala_wiper.yml

@@ -0,0 +1,20 @@
+name: Handala Wiper
+id: 1590c46a-e976-4b4b-a166-d9be06ab0056
+version: 1
+date: '2024-07-31'
+author: Teoderick Contreras, Splunk
+description: Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected `regasm` processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Indicators such as abrupt system slowdowns, and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware.
+narrative: Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable. This malware is often used in cyber-attacks against critical infrastructure and organizations, causing significant disruption and data loss. This Wiper employs techniques to evade detection and spread rapidly across networks. Its deployment can lead to extensive downtime, financial loss, and compromised sensitive information, making it a severe threat in the cybersecurity landscape.
+references:
+- https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/
+- https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/
+tags:
+  category:
+  - Data Destruction
+  - Malware
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection