Micro Focus Frequent Contributor

Shamoon 2.0 Preparedness

Hi Members,

I was working on creating an ARB package for Shamoon malware identification by analyzing the events in the environment.

Some of the sources that provided detailed information about Shamoon 2.0 are listed below:

I have used the information from these sites to create the ARB package.

Below are the points I have considered in the contents:

  • Monitor any events in the SIEM that show dates in August 2012.
  • Monitor for system time change events that set the clock back to and from August 2012.
  • Monitor for Remote Registry service starts.
  • Monitor for changes to the aforementioned registry key value, if the value is currently non-zero.
  • Prevent and limit access to the aforementioned shares, which could have significant impact based on setup.
  • Prevent client-to-client communication to slow down the spread of the malware, which could also have a significant impact based on setup.
  • Monitor filesystems for the creation of any of the filenames provided in the Indicators of Compromise list at the bottom of the post.
  • Change the credentials of all privileged accounts and ensure local Administrator passwords are unique per system.

The Shamoon Malware Detection ARB package has also been published on the ArcSight Marketplace. Refer to the link below for full information.


Hope this helps kick-start the monitoring process in your environment.


Pavan Raja
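The monitoring points listed in the post above, expressed as detection logic run over sample events. This is an added example and is not part of the original post or of the ArcSight ARB package; it is written in Python rather than ArcSight rule syntax so it can be run and checked on its own. The normalised field names and the sample events are constructed, the IOC_FILENAMES set is a placeholder to be replaced with the filenames from the post's IoC list, and the mapping of Windows Security event 4616 to "system time was changed" and System event 7036 to "service entered the running state" is the only external fact the code relies on.

```python
from datetime import datetime

# Window the post asks us to watch: any event or clock change falling in August 2012.
AUG_2012_START = datetime(2012, 8, 1)
AUG_2012_END = datetime(2012, 9, 1)  # exclusive upper bound

# Placeholder only (assumption): substitute the filenames from the IoC list referenced in the post.
IOC_FILENAMES = {"ioc-sample-dropper.exe", "ioc-sample-wiper.exe"}

# Constructed sample events. Field names are an assumption, loosely modelled on how a SIEM
# connector might normalise Windows Security/System log records.
SAMPLE_EVENTS = [
    # Clock set back from 2017 to August 2012 (Security event 4616, system time changed)
    {"host": "ws01", "event_time": "2017-01-15 10:02:11", "event_id": 4616,
     "previous_time": "2017-01-15 10:02:11", "new_time": "2012-08-15 10:02:11"},
    # Benign NTP drift correction, should not fire
    {"host": "ws02", "event_time": "2017-01-15 10:03:00", "event_id": 4616,
     "previous_time": "2017-01-15 10:02:58", "new_time": "2017-01-15 10:03:00"},
    # An event whose device timestamp already sits in August 2012
    {"host": "ws01", "event_time": "2012-08-15 10:02:30", "event_id": 4688,
     "process": r"C:\Windows\System32\cmd.exe"},
    # Remote Registry service entering the running state (System event 7036)
    {"host": "ws01", "event_time": "2012-08-15 10:03:00", "event_id": 7036,
     "service": "Remote Registry", "state": "running"},
    # Unrelated service start, should not fire
    {"host": "ws02", "event_time": "2017-01-15 10:04:00", "event_id": 7036,
     "service": "Windows Update", "state": "running"},
    # File creation matching the IoC list (generic file-create record from an endpoint source)
    {"host": "ws01", "event_time": "2012-08-15 10:04:00", "event_id": "file_create",
     "path": r"C:\Windows\System32\ioc-sample-wiper.exe"},
    # Clock restored from August 2012 to the real date
    {"host": "ws01", "event_time": "2017-01-15 10:10:00", "event_id": 4616,
     "previous_time": "2012-08-15 10:09:59", "new_time": "2017-01-15 10:10:00"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def in_august_2012(ts):
    return AUG_2012_START <= ts < AUG_2012_END


def evaluate(event):
    """Return the list of rule names a single event triggers (empty if none)."""
    hits = []
    # Rule 1: the event itself carries an August 2012 timestamp.
    if in_august_2012(parse_ts(event["event_time"])):
        hits.append("event_dated_august_2012")
    # Rule 2: system time change that crosses into or out of August 2012.
    if event.get("event_id") == 4616:
        before, after = parse_ts(event["previous_time"]), parse_ts(event["new_time"])
        if in_august_2012(after) != in_august_2012(before):
            hits.append("clock_moved_to_or_from_august_2012")
    # Rule 3: Remote Registry service started.
    if (event.get("event_id") == 7036 and event.get("service") == "Remote Registry"
            and event.get("state") == "running"):
        hits.append("remote_registry_started")
    # Rule 4: creation of a file whose name is on the IoC list (filename only, case-insensitive).
    path = event.get("path")
    if path and path.rsplit("\\", 1)[-1].lower() in IOC_FILENAMES:
        hits.append("ioc_filename_created")
    return hits


def run(events):
    """Evaluate every event and return (host, rule, event_time) tuples for each hit."""
    alerts = []
    for ev in events:
        for rule in evaluate(ev):
            alerts.append((ev["host"], rule, ev["event_time"]))
    return alerts


def hosts_with_multiple_indicators(alerts, minimum=2):
    """Hosts on which two or more distinct rules fired, a stronger signal than any single rule."""
    rules_by_host = {}
    for host, rule, _ in alerts:
        rules_by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= minimum)


if __name__ == "__main__":
    alerts = run(SAMPLE_EVENTS)
    for alert in alerts:
        print(alert)
    print("hosts with multiple indicators:", hosts_with_multiple_indicators(alerts))
```

The clock-change rule fires on the transition into or out of August 2012 rather than on every 4616, so routine NTP corrections stay quiet; the per-host aggregation at the end is the piece worth carrying into a correlation rule, since a time change, a Remote Registry start and an IoC file landing on the same host within minutes is a much stronger signal than any one of them alone.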
