From 1b66eb3d4c0e6bc76fabb8af34bde159047dd15a Mon Sep 17 00:00:00 2001 From: tccontre Date: Wed, 31 Jul 2024 10:04:07 +0200 Subject: [PATCH] handala_wiper --- .../detect_regasm_spawning_a_process.yml | 1 + .../detect_regasm_with_network_connection.yml | 1 + ..._regasm_with_no_command_line_arguments.yml | 1 + ..._or_script_creation_in_suspicious_path.yml | 1 + .../endpoint/suspicious_process_file_path.yml | 1 + .../endpoint/windows_autoit3_execution.yml | 1 + ...truction_recursive_exec_files_deletion.yml | 3 ++- ...ork_info_through_ip_check_web_services.yml | 7 ++++--- .../windows_high_file_deletion_frequency.yml | 1 + stories/handala_wiper.yml | 20 +++++++++++++++++++ 10 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 stories/handala_wiper.yml diff --git a/detections/endpoint/detect_regasm_spawning_a_process.yml b/detections/endpoint/detect_regasm_spawning_a_process.yml index 3c1cbc05e1..20f4394891 100644 --- a/detections/endpoint/detect_regasm_spawning_a_process.yml +++ b/detections/endpoint/detect_regasm_spawning_a_process.yml @@ -47,6 +47,7 @@ tags: - Living Off The Land - DarkGate Malware - Snake Keylogger + - Handala Wiper asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/detect_regasm_with_network_connection.yml b/detections/endpoint/detect_regasm_with_network_connection.yml index 75b4df73f2..ad207b3369 100644 --- a/detections/endpoint/detect_regasm_with_network_connection.yml +++ b/detections/endpoint/detect_regasm_with_network_connection.yml @@ -33,6 +33,7 @@ tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land + - Handala Wiper asset_type: Endpoint confidence: 100 impact: 80 diff --git a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml index 24689955db..8bba49bde1 100644 --- a/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml 
+++ b/detections/endpoint/detect_regasm_with_no_command_line_arguments.yml @@ -43,6 +43,7 @@ tags: analytic_story: - Suspicious Regsvcs Regasm Activity - Living Off The Land + - Handala Wiper asset_type: Endpoint confidence: 70 impact: 70 diff --git a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml index 1710b61e9a..c7b581eabe 100644 --- a/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml +++ b/detections/endpoint/executables_or_script_creation_in_suspicious_path.yml @@ -73,6 +73,7 @@ tags: - Data Destruction - Snake Keylogger - AcidPour + - Handala Wiper asset_type: Endpoint confidence: 50 impact: 40 diff --git a/detections/endpoint/suspicious_process_file_path.yml b/detections/endpoint/suspicious_process_file_path.yml index 183bce4670..99bbcf2f49 100644 --- a/detections/endpoint/suspicious_process_file_path.yml +++ b/detections/endpoint/suspicious_process_file_path.yml @@ -78,6 +78,7 @@ tags: - CISA AA23-347A - Data Destruction - Phemedrone Stealer + - Handala Wiper asset_type: Endpoint confidence: 50 impact: 70 diff --git a/detections/endpoint/windows_autoit3_execution.yml b/detections/endpoint/windows_autoit3_execution.yml index 8b6a637a9d..1dd127cc6e 100644 --- a/detections/endpoint/windows_autoit3_execution.yml +++ b/detections/endpoint/windows_autoit3_execution.yml @@ -39,6 +39,7 @@ references: tags: analytic_story: - DarkGate Malware + - Handala Wiper asset_type: Endpoint atomic_guid: [] confidence: 100 diff --git a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml index 9832d05ab5..7d4029dfa4 100644 --- a/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml +++ b/detections/endpoint/windows_data_destruction_recursive_exec_files_deletion.yml 
@@ -19,7 +19,7 @@ data_source: search: '`sysmon` EventCode IN ("23","26") TargetFilename IN ("*.exe", "*.sys", "*.dll") | bin _time span=2m | stats count, values(TargetFilename) as deleted_files, min(_time) as firstTime, max(_time) as lastTime by user, dest, signature, signature_id, Image, - process_name, process_guid | rename Image as process | where count >=500 | `security_content_ctime(firstTime)` + process_name, process_guid | rename Image as process | where count >=100 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_data_destruction_recursive_exec_files_deletion_filter`' how_to_implement: To successfully implement this search, you need to ingest logs that include the process name, TargetFilename, and ProcessID executions from your endpoints. @@ -33,6 +33,7 @@ tags: analytic_story: - Swift Slicer - Data Destruction + - Handala Wiper asset_type: Endpoint confidence: 80 impact: 80 diff --git a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml index ed1ca881f8..40f1a0810d 100644 --- a/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml +++ b/detections/endpoint/windows_gather_victim_network_info_through_ip_check_web_services.yml @@ -1,7 +1,7 @@ name: Windows Gather Victim Network Info Through Ip Check Web Services id: 70f7c952-0758-46d6-9148-d8969c4481d1 -version: 3 -date: '2024-05-14' +version: 4 +date: '2024-07-31' author: Teoderick Contreras, Splunk status: production type: Hunting 
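Review bot: Lowering the threshold from `where count >=500` to `where count >=100` per 2-minute bin changes what this analytic fires on, yet unlike the ip-check analytic later in the same patch this file's `version`/`date` header is not bumped (the diffstat shows only the search line and the tag line changed in this file); bump both so consumers can see the logic change. At 100 executables per two minutes, legitimate bulk deletions (uninstallers, package and build-cache cleanups, patch rollbacks) are more likely to cross the bar, so the `known_false_positives` and tuning guidance, which sit outside this hunk, should be revisited alongside the threshold. Note that a wiper which paces deletions below roughly 50 files per minute still stays under this check, so the analytic remains complementary to the high-file-deletion-frequency one rather than a replacement.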
@@ -18,7 +18,7 @@ search: '`sysmon` EventCode=22 QueryName IN ("*wtfismyip.com", "*checkip.*", "* "*ipinfo.io", "*api.ipify.org", "*icanhazip.com", "*ip.anysrc.com","*api.ip.sb", "ident.me", "www.myexternalip.com", "*zen.spamhaus.org", "*cbl.abuseat.org", "*b.barracudacentral.org", "*dnsbl-1.uceprotect.net", "*spam.dnsbl.sorbs.net", "*iplogger.org*", "*ip-api.com*", - "*geoip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image + "*geoip.*", "*icanhazip.*") | stats min(_time) as firstTime max(_time) as lastTime count by Image ProcessId QueryName QueryStatus QueryResults EventCode Computer | rename Computer as dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_gather_victim_network_info_through_ip_check_web_services_filter`' @@ -36,6 +36,7 @@ tags: - DarkCrystal RAT - Phemedrone Stealer - Snake Keylogger + - Handala Wiper asset_type: Endpoint confidence: 50 impact: 50 diff --git a/detections/endpoint/windows_high_file_deletion_frequency.yml b/detections/endpoint/windows_high_file_deletion_frequency.yml index 8e3e59f1e3..3276eab31b 100644 --- a/detections/endpoint/windows_high_file_deletion_frequency.yml +++ b/detections/endpoint/windows_high_file_deletion_frequency.yml @@ -42,6 +42,7 @@ tags: - Data Destruction - WhisperGate - Sandworm Tools + - Handala Wiper asset_type: Endpoint confidence: 80 impact: 90 diff --git a/stories/handala_wiper.yml b/stories/handala_wiper.yml new file mode 100644 index 0000000000..5ae6560592 --- /dev/null +++ b/stories/handala_wiper.yml 
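Review bot: The added `"*icanhazip.*"` entry is redundant with `"*icanhazip.com"`, which already appears two positions earlier in the same `QueryName IN (...)` clause; the wildcard-TLD form subsumes it, so drop the `.com` entry rather than carrying both. If the intent was to catch another TLD seen in the Handala reporting, naming it in the `description` would help the next maintainer understand why both were kept. While this list is being edited, note that the neighbouring `"ident.me"` and `"www.myexternalip.com"` entries carry no leading `*`, so they only match an exact `QueryName` and miss subdomains such as a `v4.` prefix — pre-existing, but worth aligning with the rest of the list.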
@@ -0,0 +1,20 @@ +name: Handala Wiper +id: 1590c46a-e976-4b4b-a166-d9be06ab0056 +version: 1 +date: '2024-07-31' +author: Teoderick Contreras, Splunk +description: Handala Destructive Wiper detection involves monitoring for suspicious activities such as unexpected `regasm` processes, unauthorized AutoIt script executions, and the dropping of malicious drivers. Indicators such as abrupt system slowdowns, and the creation of unknown files or processes. Early detection of these signs is crucial for mitigating the severe impact of this destructive malware. +narrative: Handala Destructive Wiper is a potent malware strain known for its destructive capabilities. It targets and irreversibly wipes data from infected systems, rendering them inoperable. This malware is often used in cyber-attacks against critical infrastructure and organizations, causing significant disruption and data loss. This Wiper employs techniques to evade detection and spread rapidly across networks. Its deployment can lead to extensive downtime, financial loss, and compromised sensitive information, making it a severe threat in the cybersecurity landscape. +references: +- https://www.trellix.com/blogs/research/handalas-wiper-targets-israel/ +- https://cyberint.com/blog/threat-intelligence/handala-hack-what-we-know-about-the-rising-threat-actor/ +tags: + category: + - Data Destruction + - Malware + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection \ No newline at end of file
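Review bot: The `description` says the story covers "the dropping of malicious drivers", but none of the analytics tagged `Handala Wiper` in this patch is a driver-load or driver-file detection (they cover regasm, AutoIt, suspicious file/process paths, file-deletion bursts and IP-check lookups), so either tag a driver-related analytic or remove that claim. The second sentence is a fragment — `Indicators such as abrupt system slowdowns, and the creation of unknown files or processes.` — and reads better as `Other indicators include abrupt system slowdowns and the creation of unknown files or processes.`. The `narrative` is generic: it says nothing about who Handala is, the targeting described in the referenced Trellix and Cyberint posts, or the initial-access lure, and the claim that the wiper "spread[s] rapidly across networks" should be checked against those references before shipping, since a phishing-delivered wiper need not self-propagate. The file also ends without a trailing newline (`\ No newline at end of file`), which the repo's YAML linting may flag.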