The CRASHOVERRIDE v1 Wiper detection rule identifies potential adversary behavior involving the use of a known wiper malware variant, which may indicate a targeted data destruction attempt. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage attacks that could lead to irreversible data loss.
YARA Rule
// The pe module must be imported for pe.exports() in the condition to compile.
import "pe"

rule dragos_crashoverride_suspcious {
    meta:
        description = "CRASHOVERRIDE v1 Wiper"
        author = "Dragos Inc"
        reference = "https://dragos.com/blog/crashoverride/CrashOverride-01.pdf"
    strings:
        // All five patterns are UTF-16LE (wide), case-insensitive, and must be
        // delimited by non-alphanumeric characters (fullword).
        $s0 = "SYS_BASCON.COM" fullword nocase wide
        $s1 = ".pcmp" fullword nocase wide
        $s2 = ".pcmi" fullword nocase wide
        $s3 = ".pcmt" fullword nocase wide
        $s4 = ".cin" fullword nocase wide
    condition:
        // Requires an exported function named "Crash" plus at least one string hit.
        pe.exports("Crash") and any of ($s*)
}
This rule's detection logic contains five string patterns ($s0 to $s4), all declared fullword nocase wide, combined with a check that the PE file exports a function named Crash.
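To make the matching semantics of the rule concrete, the following is an added example (not code from the page or from Dragos) that emulates the rule's condition in pure Python. It assumes the caller has already listed the PE's export names (for instance with the pefile library); PE parsing is left out so that the script runs offline on constructed byte buffers. The wide/nocase/fullword handling follows YARA's rules for UTF-16LE strings: the 2-byte code unit before and after a hit must not be an ASCII letter or digit, which is why an extension such as `.cin` matches as a standalone literal like `*.cin` but not inside a file name like `file.cin`.

```python
"""Pure-Python emulation of the dragos_crashoverride_suspcious rule logic.

Added example, not code from the page or from Dragos. Export names are
supplied by the caller (assumption: obtained elsewhere, e.g. via pefile);
the byte buffers below are constructed samples, not real malware.
"""

# The five patterns from the rule; all are declared "fullword nocase wide".
RULE_STRINGS = ["SYS_BASCON.COM", ".pcmp", ".pcmi", ".pcmt", ".cin"]


def _is_wide_alnum(unit: bytes) -> bool:
    """True if a 2-byte UTF-16LE code unit is an ASCII letter or digit."""
    return len(unit) == 2 and unit[1] == 0 and bytes([unit[0]]).isalnum()


def find_wide_fullword(data: bytes, s: str) -> list:
    """Offsets where `s` occurs as a 'wide nocase fullword' string.

    wide:     the pattern is encoded as UTF-16LE (each char followed by 0x00)
    nocase:   ASCII case is ignored (bytes.lower() leaves the 0x00 bytes alone)
    fullword: the code unit before and after the hit must not be alphanumeric,
              so ".cin" matches in "*.cin" but not in "file.cin"
    """
    needle = s.lower().encode("utf-16-le")
    hay = data.lower()
    hits, start = [], 0
    while True:
        i = hay.find(needle, start)
        if i < 0:
            return hits
        end = i + len(needle)
        before = data[i - 2:i] if i >= 2 else b""
        after = data[end:end + 2]
        if not _is_wide_alnum(before) and not _is_wide_alnum(after):
            hits.append(i)
        start = i + 1


def rule_matches(export_names, data: bytes) -> bool:
    """Condition: pe.exports("Crash") and any of ($s*).

    pe.exports() is emulated as an exact, case-sensitive name comparison
    against the export list the caller supplies.
    """
    exports_crash = "Crash" in export_names
    return exports_crash and any(find_wide_fullword(data, s) for s in RULE_STRINGS)


# Constructed sample buffers (not real malware bytes).
WIDE_LITERAL = "cfg *.cin".encode("utf-16-le")            # standalone extension literal
WIDE_FILENAME = "C:\\data\\file.cin".encode("utf-16-le")  # extension glued to a file name
ASCII_ONLY = b"SYS_BASCON.COM"                            # narrow string; the rule is wide-only
MIXED_CASE = "sys_bascon.com\x00".encode("utf-16-le")     # nocase: lower-case still matches


def main():
    cases = [
        ("Crash export + wide '*.cin'", ["Crash", "DllEntryPoint"], WIDE_LITERAL),
        ("Crash export + wide 'file.cin'", ["Crash"], WIDE_FILENAME),
        ("Crash export + ASCII SYS_BASCON.COM", ["Crash"], ASCII_ONLY),
        ("Crash export + wide sys_bascon.com", ["Crash"], MIXED_CASE),
        ("no Crash export + wide '*.cin'", ["DllEntryPoint"], WIDE_LITERAL),
    ]
    for label, exports, data in cases:
        print(f"{label:40s} -> {rule_matches(exports, data)}")


if __name__ == "__main__":
    main()
```

The fullword behaviour is the practical takeaway: the extension strings only fire on standalone literals (the kind of filter strings a binary embeds), so a narrow-ASCII or filename-embedded occurrence is not a hit, and neither is any string hit without the `Crash` export.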
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., schtasks.exe or task scheduler) is configured to clean temporary files or perform disk defragmentation, which may trigger the rule due to file deletion activity.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, and filter by CommandLine containing /create or /run with maintenance-related parameters.
Scenario: Antivirus Quarantine Process
Description: An antivirus tool (e.g., Windows Defender, Malwarebytes, or Kaspersky) is performing a quarantine operation, which may involve deleting files from infected systems.
Filter/Exclusion: Filter by ProcessName containing MsMpEng.exe, mbam.exe, or kavservice.exe, and check for CommandLine containing quarantine or delete.
Scenario: Database Backup and Restore
Description: A database backup or restore operation (e.g., using sqlcmd.exe, mysqldump, or pg_dump) may involve file deletion or overwriting, which could be mistaken for a wiper.
Filter/Exclusion: Filter by ProcessName containing sqlcmd.exe, mysqldump, or pg_dump, and check for CommandLine containing backup, restore, or --backup.
Scenario: User-Initiated File Cleanup
Description: A user or admin manually deletes files using tools like del.exe, rm.exe, or file management utilities (e.g., CCleaner), which may trigger the rule.
Filter/Exclusion: Filter by ProcessName containing cmd.exe, del.exe, or rm.exe, and check for CommandLine
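The scenarios above describe exclusions built from a process name and a command-line term. As an added example (not code from the page or from any vendor), the script below applies those exclusions to process events before a hit is escalated; it is written in Python so it runs offline, and the event records are constructed. The fourth scenario (user-initiated cleanup) is left out because its command-line term is not given on the page, and the "maintenance-related parameters" wording of the first scenario is reduced to the /create and /run terms the page names.

```python
"""Triage of CRASHOVERRIDE wiper hits against the page's false-positive
exclusions. Added example, not from the page or any vendor. Field names
(ProcessName, CommandLine) follow the page; events are constructed.
"""

# Each exclusion requires BOTH a known process name AND a matching
# command-line term. A process name alone would suppress too much:
# sqlcmd.exe running something other than a backup/restore should still
# reach an analyst.
EXCLUSIONS = [
    ("scheduled maintenance",
     ("schtasks.exe", "taskhost.exe"),
     ("/create", "/run")),
    ("antivirus quarantine",
     ("msmpeng.exe", "mbam.exe", "kavservice.exe"),
     ("quarantine", "delete")),
    ("database backup/restore",
     ("sqlcmd.exe", "mysqldump", "pg_dump"),
     ("backup", "restore", "--backup")),
]


def matching_exclusion(event):
    """Return the name of the first exclusion the event satisfies, else None."""
    proc = event.get("ProcessName", "").lower()
    cmd = event.get("CommandLine", "").lower()
    for name, procs, terms in EXCLUSIONS:
        if any(p in proc for p in procs) and any(t in cmd for t in terms):
            return name
    return None


def triage(events):
    """Split hits into (escalate, suppressed).

    escalate:   list of ProcessName values that still need analyst review
    suppressed: list of (ProcessName, exclusion name) pairs
    """
    escalate, suppressed = [], []
    for ev in events:
        reason = matching_exclusion(ev)
        if reason:
            suppressed.append((ev["ProcessName"], reason))
        else:
            escalate.append(ev["ProcessName"])
    return escalate, suppressed


# Constructed events: three benign scenarios from the page, one sqlcmd.exe
# invocation that is NOT a backup/restore, and one unrelated service host.
SAMPLE_EVENTS = [
    {"ProcessName": "MsMpEng.exe",
     "CommandLine": "MsMpEng.exe -Quarantine C:\\Users\\a\\sample.bin"},
    {"ProcessName": "schtasks.exe",
     "CommandLine": "schtasks.exe /Create /TN CleanTemp /TR cleanmgr.exe"},
    {"ProcessName": "sqlcmd.exe",
     "CommandLine": "sqlcmd.exe -Q \"BACKUP DATABASE hmi TO DISK='D:\\bk\\hmi.bak'\""},
    {"ProcessName": "sqlcmd.exe",
     "CommandLine": "sqlcmd.exe -Q \"SELECT name FROM sys.databases\""},
    {"ProcessName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    esc, sup = triage(SAMPLE_EVENTS)
    for name, reason in sup:
        print(f"suppressed  {name:14s} ({reason})")
    for name in esc:
        print(f"ESCALATE    {name}")
```

Matching is case-insensitive on both fields because the page's process names appear in mixed case (MsMpEng.exe) while logs may record them differently; the escalated sqlcmd.exe event shows why the command-line term is required and the process name alone is not enough.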