Windows Processes Killed By Industroyer2 Malware

name: Windows Processes Killed By Industroyer2 Malware
id: d8bea5ca-9d4a-4249-8b56-64a619109835
version: 8
date: '2026-03-10'
author: Teoderick Contreras, Splunk
status: production
type: Anomaly
description: The following analytic detects the termination of specific processes by the Industroyer2 malware. It leverages Sysmon EventCode 5 to identify when processes like "PServiceControl.exe" and "PService_PPD.exe" are killed. This activity is significant as it targets processes related to energy facility networks, indicating a potential attack on critical infrastructure. If confirmed malicious, this could lead to disruption of essential services, loss of control over energy systems, and significant operational impact. Immediate investigation is required to determine the cause and mitigate any potential threats.
data_source:
    - Sysmon EventID 5
search: |-
    `sysmon` EventCode=5 process_name IN ("PServiceControl.exe", "PService_PPD.exe")
      | stats min(_time) as firstTime max(_time) as lastTime count
        BY dest process process_exec
           process_guid process_id process_name
           process_path signature signature_id
           user_id vendor_product
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `windows_processes_killed_by_industroyer2_malware_filter`
how_to_implement: To successfully implement this search, you need to be ingesting Windows Security Event Logs with 4698 EventCode enabled. The Windows TA is also required.
known_false_positives: False positives are possible if legitimate applications are allowed to terminate this process during testing or updates. Filter as needed based on paths that are used legitimately.
references:
    - https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: process was terminated $process_name$ on $dest$
    risk_objects:
        - field: dest
          type: system
          score: 20
    threat_objects: []
tags:
    analytic_story:
        - Data Destruction
        - Industroyer2
    asset_type: Endpoint
    mitre_attack_id:
        - T1489
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/malware/industroyer2/sysmon.log
          source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
          sourcetype: XmlWinEventLog