Name:Windows Processes Killed By Industroyer2 Malware id:d8bea5ca-9d4a-4249-8b56-64a619109835 version:3 date:2024-09-30 author:Teoderick Contreras, Splunk status:production type:Anomaly Description:The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats. Data_source:
-Sysmon EventID 5
search:`sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe") | stats min(_time) as firstTime max(_time) as lastTime count by process_name process process_path process_guid process_id EventCode dest user_id | `security_content_ctime(firstTime)`| `security_content_ctime(lastTime)` | `windows_processes_killed_by_industroyer2_malware_filter`
how_to_implement:To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required. known_false_positives:False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately. References: -https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/ drilldown_searches: name:'View the detection results for - "$dest$"' search:'%original_detection_search% | search dest = "$dest$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$dest$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Data Destruction' - 'Industroyer2' asset_type:Endpoint confidence:60 impact:60 message:process was terminated $process_name$ in $dest$ mitre_attack_id: - 'T1489' observable: name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Processes.dest' - 'Processes.user' - 'Processes.parent_process_name' - 'Processes.parent_process' - 'Processes.original_file_name' - 'Processes.process_name' - 'Processes.process' - 'Processes.process_id' - 'Processes.parent_process_path' - 'Processes.process_path' - 'Processes.parent_process_id' - 'Processes.process_guid' risk_score:36 security_domain:endpoint
