KillDisk malware, associated with the BlackEnergy campaign, is likely executed on endpoints to exfiltrate data and disrupt critical infrastructure systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats targeting industrial control systems.
YARA Rule

rule BlackEnergy_KillDisk_1
{
    meta:
        description = "Detects KillDisk malware from BlackEnergy"
        author = "Florian Roth"
        reference = "http://feedproxy.google.com/~r/eset/blog/~3/BXJbnGSvEFc/"
        date = "2016-01-03"
        score = 80
        super_rule = 1
        hash1 = "11b7b8a7965b52ebb213b023b6772dd2c76c66893fc96a18a9a33c8cf125af80"
        hash2 = "5d2b1abc7c35de73375dd54a4ec5f0b060ca80a1831dac46ad411b4fe4eac4c6"
        hash3 = "c7536ab90621311b526aefd56003ef8e1166168f038307ae960346ce8f75203d"
        hash4 = "f52869474834be5a6b5df7f8f0c46cbc7e9b22fa5cb30bee0f363ec6eb056b95"
    strings:
        $s0 = "system32\\cmd.exe" fullword ascii
        $s1 = "system32\\icacls.exe" fullword wide
        $s2 = "/c del /F /S /Q %c:\\*.*" fullword ascii
        $s3 = "shutdown /r /t %d" fullword ascii
        $s4 = "/C /Q /grant " fullword wide
        $s5 = "%08X.tmp" fullword ascii
        $s6 = "/c format %c: /Y /X /FS:NTFS" fullword ascii
        $s7 = "/c format %c: /Y /Q" fullword ascii
        $s8 = "taskhost.exe" fullword wide /* Goodware String - occurred 1 times */
        $s9 = "shutdown.exe" fullword wide /* Goodware String - occurred 1 times */
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and 8 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 10 string patterns in its detection logic; the condition fires only when the file starts with an MZ (PE) header, is smaller than 500 KB, and contains at least 8 of the 10 strings with the given ascii/wide encoding and fullword boundaries.
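To make the condition concrete, here is an added example (not part of the page or of the original rule) that re-implements the rule's logic in plain Python: the ten strings with their ascii/wide encodings, the fullword boundary test, the MZ and size checks, and the "8 of them" threshold. The sample buffers it builds are constructed stand-ins, not real binaries, and the boundary semantics approximate libyara for study rather than replace it.

```python
# Added example: pure-Python re-implementation of the BlackEnergy_KillDisk_1
# condition (ascii/wide, fullword, "8 of them"); for study, not a YARA replacement.
STRINGS = [  # the rule's ten strings and modifiers, transcribed from the rule above
    (b"system32\\cmd.exe", "ascii"),
    (b"system32\\icacls.exe", "wide"),
    (b"/c del /F /S /Q %c:\\*.*", "ascii"),
    (b"shutdown /r /t %d", "ascii"),
    (b"/C /Q /grant ", "wide"),
    (b"%08X.tmp", "ascii"),
    (b"/c format %c: /Y /X /FS:NTFS", "ascii"),
    (b"/c format %c: /Y /Q", "ascii"),
    (b"taskhost.exe", "wide"),
    (b"shutdown.exe", "wide"),
]

def encode(pattern, mod):
    """'wide' in YARA means UTF-16LE: each ASCII character followed by a NUL."""
    return pattern if mod == "ascii" else pattern.decode("ascii").encode("utf-16-le")

def is_word_char(chunk, mod):
    """Alphanumeric neighbour (1 byte for ascii, 2 for wide) breaks 'fullword';
    an empty or short chunk (start/end of data) counts as a boundary."""
    if mod == "ascii":
        return chunk.isalnum()
    return len(chunk) == 2 and chunk[1] == 0 and chunk[:1].isalnum()

def fullword_match(data, pattern, mod):
    """True if pattern occurs in data delimited by non-alphanumeric characters."""
    needle, step = encode(pattern, mod), (1 if mod == "ascii" else 2)
    pos = data.find(needle)
    while pos >= 0:
        end = pos + len(needle)
        before, after = data[max(pos - step, 0):pos], data[end:end + step]
        if not is_word_char(before, mod) and not is_word_char(after, mod):
            return True
        pos = data.find(needle, pos + 1)
    return False

def matched_strings(data):
    return [p for p, m in STRINGS if fullword_match(data, p, m)]

def rule_matches(data):
    """uint16(0) == 0x5a4d ('MZ' little-endian) and filesize < 500KB and 8 of them."""
    return data[:2] == b"MZ" and len(data) < 500 * 1024 and len(matched_strings(data)) >= 8

def build_sample(count):
    """Constructed stand-in for a PE: 'MZ', padding, then the first `count`
    rule strings separated by NULs. Not a real binary."""
    body = b"\x00\x00".join(encode(p, m) for p, m in STRINGS[:count])
    return b"MZ" + b"\x00" * 62 + body + b"\x00\x00"
```

Calling `rule_matches(build_sample(n))` for n = 10, 8 and 7 shows the threshold edge: eight strings trigger the rule, seven do not, and a buffer without the MZ header or over 500 KB never matches regardless of string hits.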
The following false-positive scenarios and exclusions apply to the process-execution telemetry you correlate with a file match (command lines, parent processes), not to the rule's string logic itself; a file that satisfies the condition should still be triaged.

1. Scenario: Legitimate system cleanup using the KillDisk tool for disk space management
   Filter/Exclusion: Exclude processes initiated by schtasks.exe with a scheduled job name containing "DiskCleanup" or "DiskSpace"

2. Scenario: Scheduled backup job using Veeam Backup & Replication that temporarily writes to disk
   Filter/Exclusion: Exclude processes with vbm.exe or veeam.exe and check for the presence of backup job names in the command line

3. Scenario: Admin task using PowerShell to remove temporary files during a maintenance window
   Filter/Exclusion: Exclude processes with powershell.exe where the command line includes -Command Remove-Item and the path is within a known temporary directory (e.g., C:\Windows\Temp)

4. Scenario: Antivirus scan using Kaspersky Endpoint Security that performs disk scanning
   Filter/Exclusion: Exclude processes with kavsvc.exe or kavscan.exe and check for the presence of known antivirus scan patterns in the command line

5. Scenario: System restore using System File Checker (SFC) that scans and repairs system files
   Filter/Exclusion: Exclude processes with sfc.exe or dism.exe and check for command line arguments like /scannow or /verifyonly