S0697: HermeticWiper
Analyst context for executives and security teams
HermeticWiper is a Windows data-wiping malware family documented by ATT&CK as used since early 2022, primarily against Ukraine, with activity also observed in Latvia and Lithuania and sectors including government, financial, defense, aviation, and IT services. Its business significance is availability: the relevant defensive question is not only whether malware can be detected, but whether critical Windows systems, Active Directory-controlled environments, recovery paths, and incident response evidence would survive a destructive event.
Executive priority
Treat this as a resilience and recovery-readiness scenario. Leaders should ask whether critical Windows assets have tested restore procedures, whether identity and Group Policy controls could be abused to spread or launch destructive actions, and whether SOC/IR teams can preserve enough evidence when malware also uses stealth, file deletion, service manipulation, and recovery inhibition behaviors. This object is especially relevant for continuity planning, destructive-malware tabletop exercises, audit evidence around backup and recovery, and prioritizing controls over privileged Windows administration paths.
Technical view
ATT&CK provides no official detection text for HermeticWiper, so defenders should validate coverage through its documented technique relationships. For Windows environments, prioritize visibility into scheduled tasks, command shell execution, Windows service creation/execution, registry modification, access token manipulation, code signing trust decisions, Group Policy modification, local storage discovery, service stopping, reboot/shutdown activity, file deletion, and disk wipe behaviors. Because the malware is associated with obfuscation/compression, deobfuscation, legitimate-looking resource names or locations, and time-based checks, detection engineering should avoid relying only on static filenames or sandbox results.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Task Scheduler creation, modification, and execution events
- Windows service creation, modification, control, and execution telemetry
- Registry modification events, especially changes tied to services, persistence, or system behavior
- Active Directory and Group Policy change auditing, including SYSVOL/GPO modification evidence
Detection direction
- Map existing detections to the ATT&CK relationships: T1053.005, T1059.003, T1112, T1134, T1484.001, T1485, T1489, T1490, T1529, T1543.003, T1553.002, T1561.001, T1561.002, and T1569.002 should receive priority in Windows monitoring.
- Correlate execution behaviors with impact behaviors: scheduled task, command shell, service execution, or service creation followed by storage discovery, service stopping, recovery inhibition, reboot, or disk wipe activity should be higher priority than any single event alone.
- Tune for administrative false positives carefully. Legitimate software deployment, IT automation, backup tools, and endpoint management commonly use tasks, services, registry changes, and reboots; detections should emphasize unusual scope, timing, actor identity, asset criticality, and destructive follow-on activity.
- Validate blind spots around Group Policy and privileged administration. If GPO changes, service control, or scheduled task creation are not centrally logged and retained, destructive activity may only be visible after systems are already unavailable.
- Do not depend only on malware names or known aliases. ATT&CK lists DriveSlayer and Trojan.Killdisk as associated names for this object, but local detection should focus on behaviors and telemetry rather than labels alone.
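As an added example (not ATT&CK or Glexia code), a small Python correlator that implements the execution-followed-by-impact rule above over constructed events: an execution or persistence event opens a window, and weighted follow-on behaviours drawn from this page's technique list (VSS service stop, CrashDumpEnabled set to 0, raw physical-drive access, reboot) must cross a threshold before the host is flagged, so a benign agent install followed by a planned reboot stays below it. The event field names, kinds and weights are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry), shaped like normalized endpoint/SIEM records
SAMPLE_EVENTS = [
    {"ts": "2022-02-23T16:00:00", "host": "fs01", "kind": "service_create", "detail": "svc=drvsvc image=C:\\Windows\\Temp\\drv.sys"},
    {"ts": "2022-02-23T16:00:05", "host": "fs01", "kind": "registry_set", "detail": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\CrashControl\\CrashDumpEnabled=0"},
    {"ts": "2022-02-23T16:00:20", "host": "fs01", "kind": "service_stop", "detail": "svc=VSS"},
    {"ts": "2022-02-23T16:01:00", "host": "fs01", "kind": "raw_disk_open", "detail": "\\\\.\\PhysicalDrive0"},
    {"ts": "2022-02-23T02:00:00", "host": "ws22", "kind": "service_create", "detail": "svc=PatchAgent image=C:\\Program Files\\Patch\\agent.exe"},
    {"ts": "2022-02-23T02:00:30", "host": "ws22", "kind": "reboot", "detail": "planned maintenance"},
]

# Execution/persistence behaviours that open a correlation window (T1053.005, T1059.003, T1543.003, T1569.002)
EXECUTION_KINDS = {"scheduled_task", "cmd_shell", "service_create", "service_exec"}

def impact_weight(ev):
    """Weight and technique id of a follow-on impact/recovery-inhibition event, or (0, None)."""
    kind, detail = ev["kind"], ev["detail"]
    if kind == "service_stop" and detail.lower().endswith("vss"):         # T1489 / T1490
        return 3, "T1490"
    if kind == "registry_set" and detail.endswith("CrashDumpEnabled=0"):  # T1112
        return 2, "T1112"
    if kind == "raw_disk_open" and "PhysicalDrive" in detail:             # T1561.001 / T1561.002
        return 3, "T1561"
    if kind == "reboot":                                                  # T1529: weak on its own
        return 1, "T1529"
    return 0, None

def correlate(events, window_minutes=15, threshold=4):
    """Return {host: (score, sorted technique ids)} for hosts whose execution event is followed by enough impact."""
    by_host, alerts = {}, {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["kind"] not in EXECUTION_KINDS:
                continue
            deadline = datetime.fromisoformat(start["ts"]) + timedelta(minutes=window_minutes)
            score, techs = 0, set()
            for follow in evs[i + 1:]:
                if datetime.fromisoformat(follow["ts"]) > deadline:
                    break
                weight, tech = impact_weight(follow)
                if weight:
                    score += weight
                    techs.add(tech)
            # keep the highest-scoring window per host; a lone reboot after a service install stays below threshold
            if score >= threshold and score > alerts.get(host, (0, []))[0]:
                alerts[host] = (score, sorted(techs))
    return alerts
```

Weights and the window are tuning knobs; the point is that the VSS stop, crash-dump change and raw disk access on fs01 together cross the bar while the ws22 maintenance reboot does not.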
Mitigation priorities
- Prioritize recoverability first: maintain offline or otherwise protected backups and test restoration for critical Windows systems and identity infrastructure.
- Restrict and monitor privileged paths that can create scheduled tasks, modify services, alter registry settings, manipulate Group Policy, stop services, or reboot systems at scale.
- Harden Active Directory and Group Policy administration with change control, least privilege, and alerting on unexpected GPO/SYSVOL modifications.
- Ensure endpoint controls collect and retain process, service, registry, file, and system event telemetry from critical Windows assets, including servers and administrative workstations.
- Review recovery protections, including controls that reduce the ability to delete or disable recovery artifacts and critical services.
Analyst notes and limits
The most decision-useful aspect of this ATT&CK object is the combination of destructive impact techniques with Windows administrative execution and persistence mechanisms. For Glexia-style validation, this should be handled as a cross-functional scenario spanning SOC detection, identity/AD control assurance, backup governance, and incident recovery exercises rather than a simple malware signature check.
ATT&CK does not provide official detection guidance or tactics for the HermeticWiper software object. The assessment above is derived from the official description, Windows platform field, external references, and the supplied technique relationships. Local conclusions require environment-specific telemetry, asset criticality, backup architecture, and administrative baseline data.
HermeticWiper
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | HermeticWiper has the ability to use scheduled tasks for execution. (Citation: Symantec Ukraine Wipers February 2022) |
| Enterprise | T1685 | Disable or Modify Tools | HermeticWiper has the ability to set the `HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` Registry key to `0` in order to disable crash dumps. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1134 | Access Token Manipulation | HermeticWiper can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`. (Citation: Qualys Hermetic Wiper March 2022) (Citation: Crowdstrike DriveSlayer February 2022) |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | HermeticWiper has the ability to deploy through an infected system's default domain policy. (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1485 | Data Destruction | HermeticWiper can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `PerfLogs`, `Boot`, `System Volume Information`, and `AppData` folders using `FSCTL_MOVE_FILE`. HermeticWiper can also overwrite symbolic links and big files in `My Documents` and on the Desktop with random bytes. (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1553.002 | Code Signing Sub-technique | The HermeticWiper executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd. (Citation: Symantec Ukraine Wipers February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wiper February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1112 | Modify Registry | HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1070 | Indicator Removal | HermeticWiper can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services. (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1083 | File and Directory Discovery | HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | HermeticWiper has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Symantec Ukraine Wipers February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1490 | Inhibit System Recovery | HermeticWiper can disable the VSS service on a compromised host using the service control manager. (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wizard March 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | HermeticWiper has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host. (Citation: Crowdstrike DriveSlayer February 2022) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | HermeticWiper can decompress and copy driver files using `LZCopy`. (Citation: Crowdstrike DriveSlayer February 2022) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | HermeticWiper can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\temp\sys.tmp1 CSIDL_WINDOWS\policydefinitions\postgresql.exe 1> \\127.0.0.1\ADMIN$\_1636727589.6007507 2>&1` to deploy on an infected system. (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1082 | System Information Discovery | HermeticWiper can determine the OS version and bitness on a targeted host. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wizard March 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1106 | Native API | HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bytes of data. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wizard March 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1027.015 | Compression Sub-technique | HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm. (Citation: Symantec Ukraine Wipers February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1680 | Local Storage Discovery | HermeticWiper can enumerate physical drives on a targeted host. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wizard March 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | HermeticWiper has used the name `postgressql.exe` to mask a malicious payload. (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | HermeticWiper can overwrite the `C:\Windows\System32\winevt\Logs` file on a targeted system. (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1543.003 | Windows Service Sub-technique | HermeticWiper can load drivers by creating a new service using the `CreateServiceW` API. (Citation: Crowdstrike DriveSlayer February 2022) |
| Enterprise | T1070.004 | File Deletion Sub-technique | HermeticWiper has the ability to overwrite its own file with random bytes. (Citation: Crowdstrike DriveSlayer February 2022) (Citation: ESET Hermetic Wizard March 2022) |
| Enterprise | T1489 | Service Stop | HermeticWiper has the ability to stop the Volume Shadow Copy service. (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | HermeticWiper has the ability to corrupt disk partitions and obtain raw disk access to destroy data. (Citation: Crowdstrike DriveSlayer February 2022) (Citation: SentinelOne Hermetic Wiper February 2022) |
| Enterprise | T1569.002 | Service Execution Sub-technique | HermeticWiper can create system services to aid in executing the payload. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Crowdstrike DriveSlayer February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
| Enterprise | T1529 | System Shutdown/Reboot | HermeticWiper can initiate a system shutdown. (Citation: SentinelOne Hermetic Wiper February 2022) (Citation: Qualys Hermetic Wiper March 2022) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | acc3b961fdbc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelOne Hermetic Wiper February 2022: Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
- [2] Symantec Ukraine Wipers February 2022: Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
- [3] Crowdstrike DriveSlayer February 2022: Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
- [4] ESET Hermetic Wiper February 2022: ESET. (2022, February 24). HermeticWiper: New data wiping malware hits Ukraine. Retrieved March 25, 2022.
- [5] Qualys Hermetic Wiper March 2022: Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
- [6] CISA AA22-057A Destructive Malware February 2022: CISA. (2022, February 26). Destructive Malware Targeting Organizations in Ukraine. Retrieved March 25, 2022.
- [7] Crowdstrike PartyTicket March 2022: Crowdstrike. (2022, March 1). Decryptable PartyTicket Ransomware Reportedly Targeting Ukrainian Entities. Retrieved March 1, 2022.
- [8] DriveSlayer: (Citation: Crowdstrike PartyTicket March 2022) (Citation: Crowdstrike DriveSlayer February 2022)
- [9] Trojan.Killdisk: (Citation: CISA AA22-057A Destructive Malware February 2022) (Citation: Symantec Ukraine Wipers February 2022)
- [10] mitre-attack S0697
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.