industroyer2.yml
name: Industroyer2
id: 7ff7db2b-b001-498e-8fe8-caf2dbc3428a
version: 1
date: '2022-04-21'
author: Teoderick Contreras, Splunk
type: batch
description: Leverage searches that allow you to detect and investigate unusual activities
  that might relate to the Industroyer2 attack, including file writes associated with its payload,
  lateral movement, persistence, privilege escalation and data destruction.
narrative: Industroyer2 is part of a continuing campaign against Ukrainian energy facilities.
  The malware is a Windows binary that implements the IEC-104 protocol to communicate with industrial equipment.
  The attack also includes several destructive Linux script components that wipe or delete critical Linux files,
  PowerShell used for domain enumeration, and CaddyWiper, which wipes the boot sector of the targeted host.
references:
- https://cert.gov.ua/article/39518
- https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
tags:
  analytic_story: Industroyer2
  category:
  - Malware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
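The analytic story above names behaviours (a Windows binary speaking IEC-104 to industrial equipment, PowerShell domain enumeration) without showing any detection logic. The following is an added example, not code from the security_content project, showing the shape of two such checks run over constructed sample events. It assumes that IEC-104 uses TCP port 2404 (the standard IEC 60870-5-104 port), that only a known set of HMI/SCADA process images should initiate IEC-104 connections (the allowlist and every sample event below are hypothetical), and a simplified event shape modelled on Sysmon Event ID 3 (network connection) and Event ID 1 (process creation).

```python
"""Added example (not from the security_content project): toy detection logic
for two Industroyer2 behaviours named in the analytic story, run over
constructed sample events.

Assumptions not stated on the page:
  * IEC 60870-5-104 (IEC-104) traffic uses TCP port 2404.
  * Only known HMI/SCADA software should speak IEC-104; any other process
    image initiating a TCP/2404 connection is suspicious. The allowlist is
    hypothetical.
  * Events are dicts mimicking Sysmon Event ID 3 (network connection) and
    Event ID 1 (process creation) fields.
"""
from dataclasses import dataclass

IEC104_PORT = 2404  # standard IEC-104 listener port

# Hypothetical allowlist of process images expected to talk IEC-104
# (compared case-insensitively, so stored lower-case).
IEC104_ALLOWED_IMAGES = {
    r"c:\program files\scadavendor\hmi.exe",
}

# PowerShell cmdlets / .NET types commonly used for Active Directory enumeration.
AD_ENUM_MARKERS = (
    "get-adcomputer",
    "get-aduser",
    "get-adgroupmember",
    "directorysearcher",
    "system.directoryservices",
)


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def detect_iec104_from_unexpected_process(events):
    """Flag TCP/2404 connections initiated by images not on the allowlist."""
    alerts = []
    for e in events:
        if e.get("event_id") != 3:
            continue
        if e.get("protocol") != "tcp" or e.get("dest_port") != IEC104_PORT:
            continue
        image = e.get("image", "").lower()
        if image not in IEC104_ALLOWED_IMAGES:
            alerts.append(Alert("iec104_unexpected_process", e["host"],
                                f"{image} -> {e['dest_ip']}:{IEC104_PORT}"))
    return alerts


def detect_powershell_ad_enumeration(events):
    """Flag PowerShell process creations whose command line carries AD enumeration markers."""
    alerts = []
    for e in events:
        if e.get("event_id") != 1:
            continue
        image = e.get("image", "").lower()
        if not image.endswith(("powershell.exe", "pwsh.exe")):
            continue
        cmd = e.get("command_line", "").lower()
        hits = [m for m in AD_ENUM_MARKERS if m in cmd]
        if hits:
            alerts.append(Alert("powershell_ad_enumeration", e["host"], ", ".join(hits)))
    return alerts


def run_all(events):
    """Run both checks and return the combined alert list."""
    return detect_iec104_from_unexpected_process(events) + detect_powershell_ad_enumeration(events)


# Constructed sample events (hypothetical hosts, paths and addresses; not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 3, "host": "hmi01", "image": r"C:\Program Files\ScadaVendor\hmi.exe",
     "protocol": "tcp", "dest_ip": "10.10.1.5", "dest_port": 2404},       # expected HMI traffic
    {"event_id": 3, "host": "ws17", "image": r"C:\Users\Public\update.exe",
     "protocol": "tcp", "dest_ip": "10.10.1.5", "dest_port": 2404},       # unexpected IEC-104 client
    {"event_id": 3, "host": "ws17", "image": r"C:\Windows\System32\svchost.exe",
     "protocol": "tcp", "dest_ip": "10.10.1.9", "dest_port": 443},        # unrelated HTTPS
    {"event_id": 1, "host": "ws17",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -ep bypass Get-ADComputer -Filter * | Select Name"},
    {"event_id": 1, "host": "ws17", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c dir"},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events the first check fires once (the non-allowlisted image on ws17 reaching TCP/2404) and the second once (the Get-ADComputer command line); the legitimate HMI connection and the unrelated events produce nothing. In a real deployment the allowlist would come from an asset inventory of engineering workstations and HMIs, and the marker list would be tuned against baseline PowerShell usage by administrators.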