SIEM Use case for Industroyer detection

London, UK – June 13, 2017 – Researchers at ESET have discovered and analyzed samples of the Win32/Industroyer malware. Industroyer appears to be designed to attack power grids. It is particularly dangerous because it can control circuit breakers directly via the industrial communication protocols used throughout the world in critical infrastructure (such as power supply or traffic management). The main component of the malware is a backdoor that helps adversaries manage an attack. This backdoor installs other components, including a data wiper that removes important registry keys and overwrites key system files, and it also communicates with a remote server to receive orders and transmit data to the adversaries.

SOC Prime took part in the investigation of the attack on Ukrainian energy companies with BlackEnergy and KillDisk, and understands how dangerous such an attack can be and what consequences it can have. Our team has therefore developed a SIEM Use Case, based on ESET's research and the IoCs published on GitHub, that detects Industroyer activity in a company's network. We designed Industroyer Malware Detector Basic for HPE ArcSight, IBM QRadar and Splunk; it contains a list of known file hashes and IP addresses of C&C servers. As new Indicators of Compromise for this malware are identified, we will add them to the use case.
Most of the C2 addresses are part of the Tor network, so for additional protection we recommend installing the DetectTor use case. It will help you uncover Tor usage in your organization, so that you can protect yourself from threats that arrive through this network.

Use Case for ArcSight, QRadar, Splunk: https://www.my.socprime.com/integrations/

Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.