Double Zero Destructor
Description
Double Zero Destructor is a destructive payload that enumerates Domain Controllers and executes a killswitch if one is detected. It overwrites files with zero blocks or by using MS Windows API calls such as NtFileOpen and NtFSControlFile. This payload also deletes the registry hives HKCU, HKLM, HKU and HKLM BCD.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-03-25
- Author: Teoderick Contreras, Rod Soto, Splunk
- ID: f56e8c00-3224-4955-9a6e-924ec7da1df7
Narrative
Double Zero Destructor enumerates domain controllers, deletes registry hives and overwrites files using zero blocks and API calls.
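The description and narrative above both note that the payload overwrites files with zero blocks. The following is an added illustration for responders and is not code from this page, from Splunk, or from the referenced advisories: a forensic triage scan that walks a directory tree and reports files whose contents are entirely NUL bytes, which is the residue such a wiper leaves behind (file size preserved, content zeroed). The sample tree it builds and the file names in it are constructed for the example; empty files are deliberately not reported, since they carry no evidence either way.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read files in 1 MiB chunks so large files do not load into memory


def is_zero_filled(path, chunk_size=CHUNK):
    """Return True if the file is non-empty and every byte is 0x00.

    A wiper that overwrites a file with zero blocks keeps the size but
    replaces the content with NUL bytes.  Empty files return False
    because an empty file is not evidence of wiping.
    """
    if os.path.getsize(path) == 0:
        return False
    zero_chunk = b"\x00" * chunk_size
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk_size)
            if not block:
                return True            # reached EOF with every block all-zero
            if block != zero_chunk[: len(block)]:
                return False           # found a non-zero byte


def find_zero_filled(root):
    """Walk `root` and return sorted, forward-slash relative paths of
    files that are entirely zero-filled.  Unreadable files are skipped
    rather than aborting the whole triage run."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if is_zero_filled(full):
                    rel = os.path.relpath(full, root).replace(os.sep, "/")
                    hits.append(rel)
            except OSError:
                continue
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample tree (hypothetical data) and return its path:
    one zeroed file, one intact file and one empty file."""
    root = tempfile.mkdtemp(prefix="dz_sample_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "report.docx"), "wb") as fh:
        fh.write(b"\x00" * 4096)           # wiped: size kept, content zeroed
    with open(os.path.join(root, "docs", "notes.txt"), "wb") as fh:
        fh.write(b"quarterly notes\n")     # intact
    with open(os.path.join(root, "empty.log"), "wb"):
        pass                               # empty: not reported
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for rel in find_zero_filled(sample):
        print("zero-filled:", rel)
```

Run it against a mounted image or a copied user profile rather than the live system drive, and treat each hit as a candidate for timeline correlation (file modification time against the suspected execution window) rather than as proof on its own, since legitimately sparse or pre-allocated files can also be all zeros.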
Detections
Reference
- https://cert.gov.ua/article/38088
- https://blog.talosintelligence.com/2022/03/threat-advisory-doublezero.html
source | version: 1