Data destruction is an aggressive attack technique observed in several nation-state campaigns. Catalogued as MITRE ATT&CK T1485, it describes actions of adversaries that may “..destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives”.
Some of the indicators of compromise of destructive software include:
Data destruction against unprepared enterprises can significantly impact their capacity to continue doing business. Enterprises must be prepared and have backup procedures in place. Note that attached (online) backups will be targeted too, so they do not qualify as a reliable backup: they are likely to be deleted or modified along with the primary data.
A recent advisory from the Cybersecurity and Infrastructure Security Agency (CISA) warns of possible malicious campaigns against organizations. The alert lists a series of MITRE ATT&CK TTPs as pointers for preparing against these possible attacks.
When looking at adversaries, it is important to understand their use of TTPs in past campaigns in relation to their current and future objectives. One of the known TTPs of the named adversaries has been the use of destructive software, with great effectiveness and significant impact on the targeted organizations.
Based on the history of these adversaries' campaigns, we decided to address one TTP not mentioned in the advisory but likely to be present. MITRE ATT&CK T1485 is the deliberate destruction of data to impact the targeted organization's business continuity.
In the following steps, we are going to use Splunk Attack Range to reproduce one of the indicators of this technique using the Atomic Red Team MITRE ATT&CK simulation engine.
First, we build the attack range in cloud/terraform mode to test our technique against (https://github.com/splunk/attack_range#build-attack-range) with the following command.
python attack_range.py -m terraform -a build
Once the attack range is up and running, we can execute the various “atomics” for this technique using the Atomic Red Team simulation engine. We are going to simulate MITRE ATT&CK T1485; in this case we chose destructive software since it relates to techniques used by the named actors in the aforementioned CISA alert.
Next, we check whether the atomic executed successfully in this test. For this example the first atomic runs vssadmin.exe to delete volume shadow copies. Figure: attack_range MITRE ATT&CK T1485 simulation (source: Atomic Red Team).
Next, we check whether security-content already has detections for this technique. There are various ways to do this; the simplest is a keyword search in the Splunk ES Content Update app.
Another way to find such content is to visit the Splunk Security Content GitHub page.
The following detection, part of the ransomware analytic story, can be applied to this scenario as it searches for Windows processes deleting shadow copies.
Using the Endpoint data model and looking for the related processes, we can run this search in the Splunk instance deployed alongside the attack range. The next graph shows the successful detection of Data Destruction (MITRE ATT&CK T1485).
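To make the detection logic concrete outside of Splunk, here is an added example (not the security-content search itself, and not Splunk's code) that applies the same idea to process-creation events: flag vssadmin.exe invocations whose command line deletes shadow copies, then count hits per host. The field names (dest, user, process_name, process, parent_process_name) are assumed to mirror the Endpoint.Processes data model the post refers to, and the event records are constructed sample data, not real telemetry.

```python
"""Shadow-copy deletion (T1485 indicator) over process-creation events.

Added example for this post. The records below are constructed; field names are
assumed to follow the Endpoint.Processes data model (dest, user, process_name,
process, parent_process_name). An analogous Splunk search over that data model
would look like (illustrative, not the page's search):
  | tstats count from datamodel=Endpoint.Processes
      where Processes.process_name=vssadmin.exe
            Processes.process="*delete*" Processes.process="*shadows*"
      by Processes.dest Processes.user Processes.process
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"dest": "win-dc01", "user": "CORP\\Administrator",
     "parent_process_name": "powershell.exe", "process_name": "vssadmin.exe",
     "process": '"C:\\Windows\\System32\\vssadmin.exe" delete shadows /all /quiet'},
    {"dest": "win-dc01", "user": "CORP\\backupsvc",
     "parent_process_name": "svchost.exe", "process_name": "vssadmin.exe",
     "process": "vssadmin.exe list shadows"},          # benign enumeration
    {"dest": "win-ws07", "user": "CORP\\jdoe",
     "parent_process_name": "cmd.exe", "process_name": "VSSADMIN.EXE",
     "process": "VSSADMIN.EXE Delete Shadows /For=C: /Oldest"},  # mixed case
    {"dest": "win-ws07", "user": "CORP\\jdoe",
     "parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process": "notepad.exe shadows.txt"},            # unrelated process
]

# Word-boundary matches: both tokens must appear as separate arguments, and
# matching is case-insensitive because Windows command lines are.
_DELETE = re.compile(r"\bdelete\b", re.IGNORECASE)
_SHADOWS = re.compile(r"\bshadows\b", re.IGNORECASE)


def is_shadow_copy_deletion(event: Dict[str, str]) -> bool:
    """True when vssadmin.exe is invoked with a 'delete ... shadows' command line."""
    name = event.get("process_name", "").lower()
    cmd = event.get("process", "")
    return name == "vssadmin.exe" and bool(_DELETE.search(cmd)) and bool(_SHADOWS.search(cmd))


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the events that match the shadow-copy deletion indicator."""
    return [e for e in events if is_shadow_copy_deletion(e)]


def summarize(hits: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count matching events per host, like 'stats count by dest' in Splunk."""
    return dict(Counter(e.get("dest", "unknown") for e in hits))


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['dest']} {h['user']} <- {h['parent_process_name']}: {h['process']}")
    print(summarize(hits))
```

The `list shadows` event is deliberately included: an enumeration of shadow copies by a backup service account is routine, so the logic requires both the delete verb and the shadows noun rather than alerting on every vssadmin.exe launch. Keeping the parent process and user in the output gives the analyst the context the Phantom playbook step below needs to triage quickly.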
Once a detection fires, Splunk Phantom playbooks can be used to further investigate and contain this type of attack.
Phantom playbook example: Ransomware Investigate and Contain
To learn how to build your own Splunk Attack Range and simulate your own attacks to test your detections, visit the Attack Range GitHub page.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.