Adversaries may manipulate files as part of the CRASHOVERRIDE wiper campaign to exfiltrate data or disrupt systems. SOC teams should proactively hunt for these file manipulation patterns in Azure Sentinel so that potential wiper activity is identified early and its impact mitigated.
YARA Rule
rule dragos_crashoverride_wiperFileManipulation {
    meta:
        description = "File manipulation actions associated with CRASHOVERRIDE wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        // push 0; push 0x80; push 3; push 0; push 2; mov edi,ecx; push 0x40000000; push edi;
        // call [imm32]; mov ebx,eax: an argument sequence consistent with a CreateFile call that
        // opens a file for GENERIC_WRITE with OPEN_EXISTING. ?? masks the varying call-target bytes.
        $s0 = { 6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8 }
        // push 0; push eax; push edi; push esi; push ebx; call [imm32]; push esi: a five-argument
        // sequence consistent with a WriteFile call using the handle saved in ebx above.
        $s2 = { 6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56 }
    condition:
        all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled task runs a script that modifies system files during routine maintenance.
Filter/Exclusion: process.name != "schtasks.exe" OR file.path != "C:\Windows\System32\*"
Scenario: Admin Performing File Cleanup
Description: An administrator manually deletes temporary files or logs using tools like del or rm in a command prompt.
Filter/Exclusion: process.name != "cmd.exe" OR file.path != "C:\Windows\Temp\*"
Scenario: Software Update Deployment
Description: A patch management tool such as Microsoft Endpoint Configuration Manager (MECM, formerly SCCM) replaces files while applying an update.
Filter/Exclusion: process.name != "msiexec.exe" OR file.path != "C:\Windows\Temp\*"
Scenario: Antivirus Quarantine Operation
Description: Antivirus software like Windows Defender or Bitdefender quarantines malicious files, which may trigger file manipulation alerts.
Filter/Exclusion: process.name != "MsMpEng.exe" OR file.path != "C:\ProgramData\Microsoft\Windows Defender\Quarantine\*"
Scenario: Database Backup and Restore
Description: A database administrator performs a backup or restore operation using tools like sqlcmd or mysqldump, which may involve file manipulation.
Filter/Exclusion: process.name != "sqlcmd.exe" OR file.path != "C:\Program Files\MySQL\*"
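As an added example (not code from Dragos or from this page), the following Python hunt compiles the rule's two hex strings above into byte regexes (treating ?? as a wildcard byte), enforces the rule's "all of them" condition, and applies the scenario exclusions above to constructed file-manipulation events. The event fields, the sample buffers and the fill bytes are assumptions made for the demonstration.

```python
import re
from fnmatch import fnmatch

# Hex strings copied from the YARA rule above; "??" is a one-byte wildcard
# (the varying high bytes of the call target after "ff 15").
HEX_STRINGS = {
    "$s0": "6a 00 68 80 00 00 00 6a 03 6a 00 6a 02 8b f9 68 00 00 00 40 57 ff 15 1c ?? ?? ?? 8b d8",
    "$s2": "6a 00 50 57 56 53 ff 15 4c ?? ?? ?? 56",
}

def hex_to_regex(hex_string):
    """Compile a YARA-style hex string to a bytes regex; ?? becomes any single byte."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in hex_string.split()]
    return re.compile(b"".join(parts), re.DOTALL)

PATTERNS = {name: hex_to_regex(h) for name, h in HEX_STRINGS.items()}

def matching_strings(data):
    return sorted(name for name, pat in PATTERNS.items() if pat.search(data))

def matches_rule(data):
    """The rule's condition is 'all of them': both hex strings must be present."""
    return len(matching_strings(data)) == len(PATTERNS)

# Exclusions from the scenarios above. "process.name != a OR file.path != b" keeps an
# event unless BOTH the process name and the path glob match, so that is what is tested.
EXCLUSIONS = [
    ("schtasks.exe", r"C:\Windows\System32\*"),
    ("cmd.exe", r"C:\Windows\Temp\*"),
    ("msiexec.exe", r"C:\Windows\Temp\*"),
    ("MsMpEng.exe", r"C:\ProgramData\Microsoft\Windows Defender\Quarantine\*"),
    ("sqlcmd.exe", r"C:\Program Files\MySQL\*"),
]

def is_excluded(process_name, file_path):
    """Case-insensitive check of one event against every exclusion pair."""
    return any(process_name.lower() == proc.lower() and fnmatch(file_path.lower(), pat.lower())
               for proc, pat in EXCLUSIONS)

def hunt(events):
    """Paths of events that survive the exclusions and whose file bytes satisfy the rule."""
    return [ev["path"] for ev in events
            if not is_excluded(ev["process"], ev["path"]) and matches_rule(ev["content"])]

def fill(hex_string, byte="41"):
    """Constructed test bytes (not real malware): wildcard positions are filled with `byte`."""
    return bytes.fromhex(hex_string.replace("??", byte))

SAMPLE_BOTH = b"\x90" * 8 + fill(HEX_STRINGS["$s0"]) + b"\xcc" * 5 + fill(HEX_STRINGS["$s2"], "00") + b"\x90" * 8
SAMPLE_S0_ONLY = b"\x90" * 8 + fill(HEX_STRINGS["$s0"]) + b"\x90" * 8
EVENTS = [  # constructed file-manipulation events: writing process, file path, file bytes
    {"process": "svchost.exe", "path": r"C:\Users\Public\update.exe", "content": SAMPLE_BOTH},
    {"process": "MsMpEng.exe", "path": r"C:\ProgramData\Microsoft\Windows Defender\Quarantine\q.bin", "content": SAMPLE_BOTH},
    {"process": "cmd.exe", "path": r"C:\Users\Public\notes.txt", "content": SAMPLE_S0_ONLY},
]
```

Only the first event is reported: the second is suppressed by the Defender quarantine exclusion even though its bytes match, and the third is not excluded but carries only $s0, so "all of them" fails.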