Hermetic Wiper TG Process Patterns
Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
Sigma rule
title: Hermetic Wiper TG Process Patterns
id: 2f974656-6d83-4059-bbdf-68ac5403422f
status: test
description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
references:
    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
author: Florian Roth (Nextron Systems)
date: 2022-02-25
modified: 2022-09-09
tags:
    - attack.execution
    - attack.lateral-movement
    - attack.t1021.001
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith: '\policydefinitions\postgresql.exe'
    selection2:
        - CommandLine|contains:
              - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
              - ' 1> \\\\127.0.0.1\ADMIN$\__16'
        - CommandLine|contains|all:
              - 'powershell -c '
              - '\comsvcs.dll MiniDump '
              - '\winupd.log full'
    condition: 1 of selection*
falsepositives:
    - Unknown
level: high
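To show how the rule's matching constructs (`endswith`, `contains`, `contains|all`, combined by the condition `1 of selection*`) behave against process-creation events, here is an added Python evaluator. It is not code from SigmaHQ or the Sigma tooling; it assumes case-insensitive string comparison as the Sigma specification prescribes, expands the `CSIDL_SYSTEM_DRIVE` placeholder to `C:` (an assumption; real backends substitute it according to their own conventions), decodes the rule's `\\\\` escape as a two-backslash UNC prefix, and runs over constructed sample events rather than real telemetry.

```python
"""Minimal evaluator for the Hermetic Wiper TG Process Patterns Sigma rule.

Added example, not code from SigmaHQ or the Sigma tooling. Assumptions:
  - Sigma string comparisons are case-insensitive (per the Sigma specification).
  - CSIDL_SYSTEM_DRIVE is expanded to 'C:' (constructed choice; backends differ).
  - The rule's '\\\\' escape denotes two literal backslashes, i.e. a UNC prefix.
"""
from typing import Any, Dict, List, Union

SYSTEM_DRIVE = "C:"  # assumed expansion of the CSIDL_SYSTEM_DRIVE placeholder

# The rule's detection section, with the placeholder and escapes resolved.
RULE_DETECTION: Dict[str, Any] = {
    "selection1": {"Image|endswith": r"\policydefinitions\postgresql.exe"},
    "selection2": [  # a list of maps is OR-ed in Sigma
        {"CommandLine|contains": [SYSTEM_DRIVE + r"\temp\sys.tmp",
                                  r" 1> \\127.0.0.1\ADMIN$\__16"]},
        {"CommandLine|contains|all": ["powershell -c ",
                                      r"\comsvcs.dll MiniDump ",
                                      r"\winupd.log full"]},
    ],
}


def _field_matches(event: Dict[str, str], spec: str,
                   values: Union[str, List[str]]) -> bool:
    """Evaluate one 'Field|modifier...' entry against an event."""
    field, *modifiers = spec.split("|")
    haystack = str(event.get(field, "")).lower()
    needles = [str(v).lower()
               for v in (values if isinstance(values, list) else [values])]
    if "endswith" in modifiers:
        hits = [haystack.endswith(n) for n in needles]
    elif "startswith" in modifiers:
        hits = [haystack.startswith(n) for n in needles]
    elif "contains" in modifiers:
        hits = [n in haystack for n in needles]
    else:
        hits = [haystack == n for n in needles]
    # A value list is OR-ed unless the 'all' modifier is present.
    return all(hits) if "all" in modifiers else any(hits)


def selection_matches(event: Dict[str, str], selection: Any) -> bool:
    """A map is AND-ed across its keys; a list of maps is OR-ed."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(_field_matches(event, spec, vals) for spec, vals in selection.items())


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the selections that fired. The condition is '1 of selection*',
    so a non-empty result means the rule alerts on this event."""
    return [name for name, sel in RULE_DETECTION.items()
            if selection_matches(event, sel)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Fires selection1: the Image path ends with the rule's unusual location.
    {"Image": r"C:\Windows\PolicyDefinitions\postgresql.exe",
     "CommandLine": "postgresql.exe"},
    # Fires selection2 via the sys.tmp indicator (placeholder expanded to C:).
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\temp\sys.tmp"},
    # Fires selection2 via contains|all: every fragment of the pattern is present.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -c <constructed> \comsvcs.dll MiniDump <constructed> \winupd.log full"},
    # Does not fire: PostgreSQL in its normal install folder, not under PolicyDefinitions.
    {"Image": r"C:\Program Files\PostgreSQL\14\bin\postgresql.exe",
     "CommandLine": '"postgresql.exe" -D "C:\\data"'},
    # Does not fire: only one of the three contains|all fragments is present.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -c Get-Process"},
]


def run_samples() -> List[List[str]]:
    """Evaluate every constructed sample; used by the stand-alone run below."""
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, fired in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{'ALERT' if fired else 'ok   '} {fired or '-'}  {event['Image']}")
```

The fourth sample is the one worth noting for tuning: the `Image|endswith` check is anchored on the `\policydefinitions\` parent folder, so a legitimate PostgreSQL binary in its normal install location does not fire, which is why the rule can ship with `level: high` despite the generic executable name.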
References
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
Related rules
- Turla Group Lateral Movement
- APT29 2018 Phishing Campaign CommandLine Indicators
- APT31 Judgement Panda Activity
- Adwind RAT / JRAT
- Audit CVE Event