Using Splunk Attack Range to Test and Detect Data Destruction (ATT&CK 1485)
Some of the indicators of compromise of destructive software include:
- Removal of Volume Snapshot Service (VSS) files, which prevents system restoration from shadow copies and backups.
- Modification or deletion of the Master Boot Record and system files, which prevents the system from booting.
- Deletion of mapped and unmapped local and network shares.
Data destruction against unprepared enterprises can significantly impact their capacity to continue doing business. Enterprises must be prepared and have backup procedures in place. It is also important to note that attached backups will be targeted, so attached backups do not qualify as a reliable backup, as they are likely to be deleted or modified along with the primary data.
A recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA) indicates the possibility of malicious campaigns against organizations. In this alert, a series of MITRE ATT&CK TTPs are described as pointers for preparation against these possible attacks.
When looking at adversaries, it is important to understand their use of TTPs in past campaigns in relation to their current and future objectives. One of the known TTPs of named adversaries has been the use of destructive software, with great effectiveness and significant impact.
Based on the history of these adversaries' campaigns, we decided to address one TTP not mentioned in the advisory but likely to be present. MITRE ATT&CK T1485 (Data Destruction) is the deliberate destruction of data to impact the targeted organization's business continuity.
In the following steps, we are going to use Splunk Attack Range to reproduce one of the indicators of this technique using the Atomic Red Team MITRE ATT&CK simulation engine.
Replicating Attack Technique
First, we need to build the attack range (cloud/terraform mode) to test our technique against (https://github.com/splunk/attack_range#build-attack-range) with the following commands.
python attack_range.py -m terraform -a build

Once the attack range is up and running, we can execute the various "atomics" for this technique using the Atomic Red Team simulation engine. We are going to simulate MITRE ATT&CK T1485; in this case we chose destructive software since it relates to techniques used by the named actors in the aforementioned CISA alert.
Next, we check whether the atomic that ran in this test executed successfully. For this example, the first atomic runs vssadmin.exe to delete volume shadow copies. (Figure: attack_range MITRE ATT&CK T1485 simulation.)
Next, we check whether there is already content in security-content for this technique. There are various ways to do this; the simplest is a keyword search in the Splunk ES Content Updates app.
Keyword Search via Splunk ES Content Updates App
Another way to search for such content is by visiting the Splunk Security Content Github page.
Search the Github Project
The following detection, which belongs to the Ransomware analytic story, applies to this scenario because it searches for Windows processes deleting shadow copies.
Using the Endpoint data model and looking for the related processes, we can run this search in the Splunk instance deployed alongside the attack range. The next graph shows the successful detection of Data Destruction, MITRE ATT&CK T1485.
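As an added illustration (not the detection shipped in security-content), the search below shows the shape such a detection takes over the Endpoint.Processes data model: it looks for vssadmin.exe, or wmic.exe as a common equivalent, whose command line contains both "delete" and "shadow", and groups the hits by host, user and parent process. It assumes the Endpoint data model is accelerated and populated from the attack range's Windows endpoints (Sysmon or Windows Security process-creation events).

```spl
| tstats summariesonly=true count min(_time) AS firstTime max(_time) AS lastTime
    FROM datamodel=Endpoint.Processes
    WHERE (Processes.process_name="vssadmin.exe" OR Processes.process_name="wmic.exe")
          Processes.process="*delete*" Processes.process="*shadow*"
    BY Processes.dest Processes.user Processes.parent_process_name
       Processes.process_name Processes.process
| rename Processes.* AS *
| convert ctime(firstTime) ctime(lastTime)
| sort - count
```

The parent_process_name field is the most useful triage context: shadow-copy deletion launched by backup or storage-management software is usually expected, while the same command spawned by an Office application, a script host or an unknown binary is not.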
Phantom playbook example: Ransomware Investigate and Contain