Hermetic Wiper TG Process Patterns
Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
Sigma rule (View on GitHub)
1title: Hermetic Wiper TG Process Patterns
2id: 2f974656-6d83-4059-bbdf-68ac5403422f
3status: test
4description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
5references:
6 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
7author: Florian Roth (Nextron Systems)
8date: 2022/02/25
9modified: 2022/09/09
10tags:
11 - attack.execution
12 - attack.lateral_movement
13 - attack.t1021.001
14 - detection.emerging_threats
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection1:
20 Image|endswith: '\policydefinitions\postgresql.exe'
21 selection2:
22 - CommandLine|contains:
23 - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
24 - ' 1> \\\\127.0.0.1\ADMIN$\__16'
25 - CommandLine|contains|all:
26 - 'powershell -c '
27 - '\comsvcs.dll MiniDump '
28 - '\winupd.log full'
29 condition: 1 of selection*
30falsepositives:
31 - Unknown
32level: high
References
-
Destructive malware deployed against targets in Ukraine and other countries in the region in the hours prior to invasion.
Read More
Related rules
- Turla Group Lateral Movement
- Adwind RAT / JRAT
- Mint Sandstorm - AsperaFaspex Suspicious Process Execution
- Mint Sandstorm - ManageEngine Suspicious Process Execution
- OMIGOD HTTP No Authentication RCE