Detecting WhisperGate malware
WhisperGate is a destructive malware operation that targets multiple organizations in Ukraine. The searches below help you detect and investigate unusual activity that might be related to WhisperGate, such as suspicious process execution, command-line activity, downloads, and DNS queries.
Required data
How to use Splunk software for this use case
- Add or set Windows Defender exclusion
- Attempt to stop security service
- CMD carry out string command parameter
- Excessive file deletion in WinDefender folder
- Executables or script creation in suspicious path
- Impacket lateral movement commandline parameters
- Impacket lateral movement WMIExec commandline parameters
- Impacket lateral movement smbexec commandline parameters
- Malicious PowerShell process - encoded command
- Ping sleep batch command
- Powershell remove Windows Defender Directory
- Powershell Windows Defender exclusion commands
- Process deleting its process file path
- Suspicious process DNS query known abuse web services
- Suspicious process file path
- Suspicious process with Discord DNS query
- Windows DotNet binary in non standard path
- Windows high file deletion frequency
- Windows InstallUtil in non standard path
- Windows LOLBin binary in non standard path
- Windows NirSoft AdvancedRun
- Windows NirSoft utilities
- Windows raw access to master boot record drive
- Wscript Or Cscript suspicious child process
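As an added illustration, not one of Splunk's own searches, the following Python approximates three of the detections listed above (Ping sleep batch command, Malicious PowerShell process - encoded command, and Powershell Windows Defender exclusion commands) over constructed Sysmon-style process-creation records. The field names, regular expressions and sample command lines are assumptions; the real searches run as SPL against Endpoint data model events.

```python
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1 style records (fields trimmed); not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c ping -n 30 127.0.0.1 > nul && del /f /q C:\Users\Public\stage.exe"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoP -W Hidden -enc QQBCAEMA"},  # constructed base64, decodes to "ABC"
    {"id": 3, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\Public"},
    {"id": 4, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": r"ping -n 4 10.0.0.5"},  # benign: ordinary reachability check, not loopback
    {"id": 5, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},  # benign
]

# Loopback ping with a count is the classic batch-file sleep used to delay a payload.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost|::1)\b", re.I)
# Spellings PowerShell accepts for -EncodedCommand (any unambiguous prefix works).
ENC_FLAGS = {"-e", "-ec", "-en", "-enc", "-enco", "-encod", "-encode", "-encoded",
             "-encodedc", "-encodedcommand"}
# Cmdlets that add or replace Defender exclusions, followed by an exclusion parameter.
DEFENDER_EXCL = re.compile(r"\b(?:add|set)-mppreference\b.*-exclusion(?:path|process|extension|ipaddress)", re.I)


def classify(event: Dict[str, object]) -> List[str]:
    """Return the names of the page's detections that one process-creation record matches."""
    hits: List[str] = []
    image = str(event["image"]).lower()
    cmd = str(event["cmdline"])
    tokens = cmd.lower().split()
    if PING_SLEEP.search(cmd):
        hits.append("Ping sleep batch command")
    if image.endswith(("powershell.exe", "pwsh.exe")) and any(t in ENC_FLAGS for t in tokens):
        hits.append("Malicious PowerShell process - encoded command")
    if DEFENDER_EXCL.search(cmd):
        hits.append("Powershell Windows Defender exclusion commands")
    return hits


def triage(events) -> Dict[int, List[str]]:
    """Map event id -> matched detection names, dropping events that matched nothing."""
    result: Dict[int, List[str]] = {}
    for e in events:
        hits = classify(e)
        if hits:
            result[int(e["id"])] = hits
    return result


if __name__ == "__main__":
    for eid, names in triage(SAMPLE_EVENTS).items():
        print(eid, names)
```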
Next steps
In addition, these Splunk resources might help you understand and implement this use case:
- Blog: Threat Hunting with Splunk: Hands-on Tutorials for the Active Hunter
- If you are a Splunk Enterprise Security customer, you can also get help from the Security Research team's support options on GitHub.