Shamoon 2.0 Preparedness
I was working on creating an ARB package for Shamoon malware identification by analyzing the events in the environment.
Some of the sources that provided detailed information about Shamoon 2.0 are listed below:
I have used the information from these sites to create the ARB package.
Below are the points I have considered in the contents:
- Monitor any events in the SIEM that show dates in August 2012.
- Monitor for system time change events that set the clock back to and from August 2012.
- Monitor for Remote Registry service starts.
- Monitor for changes to the aforementioned registry key value if the value is currently non-zero.
- Prevent or limit access to the aforementioned shares; depending on the setup, this could have a significant impact.
- Prevent client-to-client communication to slow the spread of the malware; this could also have a significant impact depending on the setup.
- Monitor filesystems for the creation of any of the filenames provided in the Indicators of Compromise list at the bottom of the post.
- Change the credentials of all privileged accounts and ensure local Administrator passwords are unique per system.
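The monitoring points above can be expressed as a small rule set over SIEM events. The following is an added example (not part of the ARB package or the original post) that runs three of them, plus a catch-all for any August 2012 date, over constructed sample events; the field names, the Windows event IDs (4616 system time changed, 7036 service state change, 4663 object access) and the IoC filename list are assumptions, the last being a placeholder to be replaced with the post's Indicators of Compromise.

```python
import re
import ntpath

# Constructed sample events (not from the original post). Field names and event IDs are
# assumptions about the log source feeding the SIEM: 4616 = "the system time was changed",
# 7036 = a service entered the running/stopped state, 4663 = object access (file written).
SAMPLE_EVENTS = [
    {"id": 4616, "host": "ws01", "prev_time": "2017-01-20T10:02:11", "new_time": "2012-08-15T09:00:00"},
    {"id": 7036, "host": "ws01", "service": "Remote Registry", "state": "running"},
    {"id": 4663, "host": "ws01", "path": r"C:\Windows\System32\PLACEHOLDER_IOC.exe", "access": "WriteData"},
    {"id": 4616, "host": "ws02", "prev_time": "2012-08-15T09:00:00", "new_time": "2017-01-20T10:05:00"},
    {"id": 7036, "host": "ws02", "service": "Print Spooler", "state": "running"},
    {"id": 4624, "host": "ws03", "logon_time": "2012-08-20T01:00:00"},
]

# Placeholder: replace with the filenames from the post's Indicators of Compromise list.
IOC_FILENAMES = {"placeholder_ioc.exe"}

# ISO (2012-08-dd) or US (08/dd/2012) dates that fall in August 2012.
AUG_2012 = re.compile(r"2012-08-\d{2}|08/\d{2}/2012")

def shows_august_2012(value):
    """True if a string field carries a date in August 2012."""
    return isinstance(value, str) and AUG_2012.search(value) is not None

def evaluate(event):
    """Return the names of the monitoring rules the event matches (empty list if none)."""
    hits = []
    # Clock set back to, or forward from, August 2012.
    if event["id"] == 4616 and (shows_august_2012(event.get("new_time")) or shows_august_2012(event.get("prev_time"))):
        hits.append("clock_set_to_or_from_aug_2012")
    # Remote Registry service started.
    if event["id"] == 7036 and event.get("service") == "Remote Registry" and event.get("state") == "running":
        hits.append("remote_registry_started")
    # A file with an IoC filename written anywhere on the filesystem.
    if event["id"] == 4663 and ntpath.basename(event.get("path", "")).lower() in IOC_FILENAMES:
        hits.append("ioc_filename_created")
    # Catch-all for any other event that shows an August 2012 date in some field.
    if not hits and any(shows_august_2012(v) for v in event.values()):
        hits.append("aug_2012_date_seen")
    return hits

def scan(events):
    """Run every rule over a batch of events; return (host, event id, matched rules) per hit."""
    alerts = []
    for event in events:
        hits = evaluate(event)
        if hits:
            alerts.append((event["host"], event["id"], hits))
    return alerts
```

Running `scan(SAMPLE_EVENTS)` yields one alert for each of the first four events and for the ws03 logon event, and none for the Print Spooler start.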
The Shamoon Malware Detection ARB package is also available on the ArcSight Marketplace. Refer to the link below for full information.
Hope this helps to kick-start the monitoring process within your environment.