double_zero_destructor.yml (forked from splunk/security_content)
name: Double Zero Destructor
id: f56e8c00-3224-4955-9a6e-924ec7da1df7
version: 1
date: '2022-03-25'
author: Teoderick Contreras, Rod Soto, Splunk
description: Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes a killswitch if one is detected. It overwrites files with zero blocks or by using MS Windows API calls such as NtFileOpen and NtFSControlFile. This payload also deletes the registry hives HKCU, HKLM, HKU and HKLM BCD.
narrative: Double Zero Destructor enumerates domain controllers, deletes registry hives and overwrites files using zero blocks and API calls.
references:
- https://cert.gov.ua/article/38088
- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html
tags:
  category:
  - Data Destruction
  - Malware
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection