/
windows_raw_access_to_disk_volume_partition.yml
70 lines (70 loc) · 2.56 KB
/
windows_raw_access_to_disk_volume_partition.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Windows Raw Access To Disk Volume Partition
id: a85aa37e-9647-11ec-90c5-acde48001122
version: 1
date: '2023-06-13'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: This analytic is to look for suspicious raw access read to device disk
partition of the host machine. This technique was seen in several attacks by adversaries
or threat actor to wipe, encrypt or overwrite the boot sector of each partition
as part of their impact payload for example the "hermeticwiper" malware. This detection
is a good indicator that there is a process try to read or write on boot sector.
data_source:
- Sysmon EventID 9
search: '`sysmon` EventCode=9 Device = \\Device\\HarddiskVolume* NOT (Image IN("*\\Windows\\System32\\*",
"*\\Windows\\SysWOW64\\*")) | stats count min(_time) as firstTime max(_time) as
lastTime by dest signature signature_id process_guid process_name process_path Device | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_raw_access_to_disk_volume_partition_filter`'
how_to_implement: To successfully implement this search, you need to be ingesting
logs with the raw access read event (like sysmon eventcode 9), process name and
process guid from your endpoints. If you are using Sysmon, you must have at least
version 6.0.4 of the Sysmon TA.
known_false_positives: This event is really notable but we found minimal number of
normal application from system32 folder like svchost.exe accessing it too. In this
case we used 'system32' and 'syswow64' path as a filter for this detection.
references:
- https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
tags:
analytic_story:
- CISA AA22-264A
- Graceful Wipe Out Attack
- Data Destruction
- Hermetic Wiper
- Caddy Wiper
- BlackByte Ransomware
- NjRAT
asset_type: Endpoint
confidence: 100
impact: 90
message: Process accessing disk partition $Device$ in $dest$
mitre_attack_id:
- T1561.002
- T1561
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- dest
- signature
- signature_id
- process_guid
- process_name
- process_path
- Device
- EventCode
- Image
risk_score: 90
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/hermetic_wiper/sysmon.log
source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
sourcetype: xmlwineventlog