25 lines
954 B
Text
25 lines
954 B
Text
|
rule Windows_Wiper_HERMETICWIPER {
|
||
|
meta:
|
||
|
Author = "Elastic Security"
|
||
|
creation_date = "2022-02-24"
|
||
|
last_modified = "2022-02-24"
|
||
|
os = "Windows"
|
||
|
arch = "x86"
|
||
|
category_type = "Wiper"
|
||
|
family = "HERMETICWIPER"
|
||
|
threat_name = "Windows.Wiper.HERMETICWIPER"
|
||
|
description = "Detects HERMETICWIPER used to target Ukrainian organization"
|
||
|
reference_sample = "1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591"
|
||
|
reference = "https://www.elastic.co/security-labs/elastic-protects-against-data-wiper-malware-targeting-ukraine-hermeticwiper"
|
||
|
|
||
|
strings:
|
||
|
$a1 = "\\\\?\\C:\\Windows\\System32\\winevt\\Logs" wide fullword
|
||
|
$a2 = "\\\\.\\EPMNTDRV\\%u" wide fullword
|
||
|
$a3 = "tdrv.pdb" ascii fullword
|
||
|
$a4 = "%s%.2s" wide fullword
|
||
|
$a5 = "ccessdri" ascii fullword
|
||
|
$a6 = "Hermetica Digital"
|
||
|
condition:
|
||
|
all of them
|
||
|
}
|