@MHaggis
Created March 13, 2026 16:01
Summary of what’s in place:


1. Handala review (threat + web search)

  • Attribution: Iran-aligned hacktivist group (IBM X-Force, Check Point; MOIS-linked personas).
  • Notable TTPs: Spearphishing (e.g. PDF with malicious link), NSIS → obfuscated batch (“Carroll”) → AutoIT (.a3x) loading wiper, Telegram C2, victim info (e.g. icanhazip.com), disk overwrite/wipe, BYOVD (ListOpenedFileDrv).
  • Stryker (Mar 2026): Global disruption; wiper/Intune abuse; Handala branding; 50TB exfil claimed.
  • References: Newsweek, Splunk Handala’s Wiper, Check Point, IBM X-Force.

2. Security detections MCP

  • identify_gaps("apt"): No critical gaps; 18/18 apt techniques covered in your MCP index.
  • Handala-relevant coverage (from list_by_mitre / search):
    • T1561.002: e.g. Windows Raw Access To Disk Volume Partition, Windows Raw Access To Master Boot Record Drive (Sysmon EventCode 9).
    • T1059.001 / T1059.003 / T1027: Multiple detections in your indexed content.
  • Suggested MCP follow-ups: search("wiper OR AutoIt OR icanhazip"), list_by_mitre("T1059.010"), list_by_mitre("T1497.003"), list_by_mitre("T1020").

3. Atomic Red Team chain (for lab “fun”)

You have three files in the repo:

| File | Purpose |
|---|---|
| HANDALA-THREAT-SUMMARY.md | Handala overview, TTP table, MITRE mapping, detection mapping, data sources. |
| HANDALA-ATOMIC-CHAIN.yaml | Ordered “chain reaction”: T1566.001 → T1059.003 → T1059.001 → T1059.010 → T1027.013 → T1497.003 → T1016.001 → T1020 → custom T1561.002 safe test. |
| HANDALA-T1561.002-SAFE-ATOMIC.yaml | Deployable custom atomic: overwrites one file in %TEMP% then deletes it (no real wipe). |
| HANDALA-ATOMIC-RUNBOOK.md | Step-by-step: clone ART, install Invoke-AtomicRedTeam, run order, Splunk validation queries. |

Get Atomic Red Team (if you don’t have it):

```bash
git clone https://github.com/redcanaryco/atomic-red-team.git
```

Run the chain (PowerShell on a Windows lab box with Invoke-AtomicRedTeam):

```powershell
Invoke-AtomicTest T1566.001 -TestNumbers 1
Invoke-AtomicTest T1059.003 -TestNumbers 1,2
Invoke-AtomicTest T1059.001 -TestNumbers 1,2
Invoke-AtomicTest T1059.010 -TestNumbers 1
Invoke-AtomicTest T1027.013 -TestNumbers 1
Invoke-AtomicTest T1497.003 -TestNumbers 1
Invoke-AtomicTest T1016.001 -TestNumbers 1
Invoke-AtomicTest T1020 -TestNumbers 1   # if available
# Then run HANDALA-T1561.002-SAFE-ATOMIC (deploy to ART atomics/T1561.002/ or merge into T1561.002.yaml)
```

Attack Range (if you use it):

```bash
python attack_range.py simulate -e ART -te T1059.003 -t <windows_target>
# repeat for T1059.001, T1059.010, etc.
```

ART’s matrix shows T1561.002 (Disk Structure Wipe) and T1020 (Automated Exfiltration) as “CONTRIBUTE A TEST,” so coverage may be limited; the chain uses the next-best techniques (e.g. T1016.001 for IP check) and a custom safe T1561.002 so you can still test wiper-related overwrite/delete and raw-disk detections in the lab without real destruction.

```yaml
# Handala Threat Group - Atomic Red Team Chain Reaction
# Run in order to simulate endpoint behaviors (initial access -> execution -> evasion -> discovery -> exfil -> impact).
# Use with Invoke-AtomicRedTeam or Attack Range in a LAB only.
#
# Get Atomic Red Team:
#   git clone https://github.com/redcanaryco/atomic-red-team.git
#   Install-Module -Name Invoke-AtomicRedTeam -Scope CurrentUser
#
# Run full chain (PowerShell on Windows lab host):
#   Invoke-AtomicTest All -TestGuids (see test_guids below) -ShowDetailsBrief
#   Or run by technique: Invoke-AtomicTest T1059.003 -TestNumbers 1,2
#
# Attack Range (if configured):
#   python attack_range.py simulate -e ART -te T1059.003 -t <windows_target>
chain_name: Handala Endpoint Chain
description: |
  Simulates Handala TTPs for detection validation: phishing-led execution,
  obfuscated batch/cmd, AutoIT, time-based evasion, victim info gathering,
  automated exfil pattern, and safe disk-wipe simulation.
threat_group: Handala
references:
  - https://www.splunk.com/en_us/blog/security/handalas-wiper-threat-analysis-and-detections.html
  - https://www.newsweek.com/stryker-cyber-attack-iran-handala-outage-11660284
  - https://attack.mitre.org/groups/GXXXX/
# Ordered steps matching Handala attack flow
steps:
  # --- Phase 1: Initial access (simulate user execution from phishing) ---
  - order: 1
    phase: initial-access
    technique_id: T1566.001
    technique_name: Phishing - Spearphishing Attachment
    art_tests: "Run 1-2 safe tests that simulate document/link leading to payload (see ART atomics)."
    run_commands:
      - "Invoke-AtomicTest T1566.001 -TestNumbers 1 -GetPrereqs # or 2 if available"
    detection_focus: Phishing / malicious doc or link leading to execution.
  # --- Phase 2: Execution - Command shell (NSIS -> cmd / copy & execute) ---
  - order: 2
    phase: execution
    technique_id: T1059.003
    technique_name: Windows Command Shell
    art_tests: "cmd.exe /c copy and execute; batch-style execution."
    run_commands:
      - "Invoke-AtomicTest T1059.003 -TestNumbers 1"
      - "Invoke-AtomicTest T1059.003 -TestNumbers 2"
    detection_focus: cmd.exe spawned from installer/script; copy then execute.
  # --- Phase 3: Execution - PowerShell (AI-assisted / scripting in campaigns) ---
  - order: 3
    phase: execution
    technique_id: T1059.001
    technique_name: PowerShell
    art_tests: "Encoded or script block execution."
    run_commands:
      - "Invoke-AtomicTest T1059.001 -TestNumbers 1"
      - "Invoke-AtomicTest T1059.001 -TestNumbers 2"
    detection_focus: PowerShell with -enc/-encodedcommand or suspicious parent.
  # --- Phase 4: Execution - AutoIT (wiper loader) ---
  - order: 4
    phase: execution
    technique_id: T1059.010
    technique_name: Command and Scripting Interpreter - AutoHotKey & AutoIT
    art_tests: "AutoIT3 execution."
    run_commands:
      - "Invoke-AtomicTest T1059.010 -TestNumbers 1"
    detection_focus: AutoIt3.exe or AutoIt*.exe execution; often from temp/public paths.
  # --- Phase 5: Defense evasion - Obfuscation ---
  - order: 5
    phase: defense-evasion
    technique_id: T1027
    technique_name: Obfuscated Files or Information
    art_tests: "Obfuscated script or encoded content (e.g. T1027.013)."
    run_commands:
      - "Invoke-AtomicTest T1027.013 -TestNumbers 1"
    detection_focus: Encoded/obfuscated scripts or binaries.
  # --- Phase 6: Defense evasion - Time-based (AV check + sleep) ---
  - order: 6
    phase: defense-evasion
    technique_id: T1497.003
    technique_name: Virtualization/Sandbox Evasion - Time Based Evasion
    art_tests: "Sleep/delay to evade sandbox."
    run_commands:
      - "Invoke-AtomicTest T1497.003 -TestNumbers 1"
    detection_focus: Long sleep/delay after process or script start.
  # --- Phase 7: Discovery - Gather victim info (IP, hostname, etc.) ---
  - order: 7
    phase: discovery
    technique_id: T1590
    technique_name: Gather Victim Information
    art_tests: "IP check or system info. Use T1016.001 (Internet connection discovery) or custom."
    run_commands:
      - "Invoke-AtomicTest T1016.001 -TestNumbers 1"
    detection_focus: DNS/HTTP to icanhazip.com, ipinfo.io, or similar; systeminfo/hostname.
  # --- Phase 8: Exfiltration - Automated (Telegram C2 pattern) ---
  - order: 8
    phase: exfiltration
    technique_id: T1020
    technique_name: Automated Exfiltration
    art_tests: "ART may have limited T1020 tests; simulate scheduled/automated data transfer."
    run_commands:
      - "Invoke-AtomicTest T1020 -TestNumbers 1"
    detection_focus: Automated or scripted outbound transfer of data.
  # --- Phase 9: Impact - Disk wipe (SAFE simulation only) ---
  - order: 9
    phase: impact
    technique_id: T1561.002
    technique_name: Disk Structure Wipe / Disk Content Wipe
    art_tests: "ART has no official T1561.002 test. Use custom safe atomic below."
    run_commands:
      - "Invoke-AtomicTest HANDALA-T1561.002-SAFE # custom atomic; see custom_atomic below"
    detection_focus: Raw disk access (Sysmon 9), or mass file overwrite/delete in a folder.
    warning: "Run ONLY in isolated lab. Custom atomic overwrites a single test file, not real disk."
# Custom safe atomic for T1561.002 (no real wipe)
# Deploy this to ART atomics folder or run inline in lab.
custom_atomic:
  technique_id: T1561.002
  display_name: "Handala-style disk overwrite (SAFE - single test file)"
  file: HANDALA-T1561.002-SAFE.yaml
  description: |
    Overwrites one file in %TEMP% with random bytes then deletes it.
    Validates detections for file overwrite/delete patterns and process behavior.
    Does NOT touch MBR, volume, or real data.
  executor: powershell
  command: |
    $f = "$env:TEMP\handala_wiper_test_$(Get-Random).dat"
    # Fill the 4096-byte buffer with random data so the file matches the description above
    $bytes = New-Object byte[] 4096
    (New-Object System.Random).NextBytes($bytes)
    [System.IO.File]::WriteAllBytes($f, $bytes)
    Start-Sleep -Seconds 1
    Remove-Item $f -Force
  cleanup: "Remove-Item $env:TEMP\\handala_wiper_test_*.dat -Force -ErrorAction SilentlyContinue"
# One-liner to run entire chain (PowerShell; run from lab host with ART installed)
run_all_script: |
  # Handala chain - run each technique in order (adjust TestNumbers per your ART version)
  $techniques = @('T1566.001','T1059.003','T1059.001','T1059.010','T1027.013','T1497.003','T1016.001','T1020')
  foreach ($t in $techniques) { Invoke-AtomicTest $t -TestNumbers 1 }
  # Then run custom T1561.002 safe atomic if deployed
```

Handala Atomic Red Team – Lab Runbook

Run this chain in an isolated lab (Attack Range, VM, or test endpoint) to generate telemetry that matches Handala behaviors and validate your detections.

Prerequisites

  1. Atomic Red Team

    git clone https://github.com/redcanaryco/atomic-red-team.git
    cd atomic-red-team
  2. Invoke-AtomicRedTeam (on Windows lab host)

    Install-Module -Name Invoke-AtomicRedTeam -Scope CurrentUser -Force
    Import-Module Invoke-AtomicRedTeam -Force
  3. Optional – Attack Range: If you use Attack Range, point it at the same ART clone and use simulate -e ART -te <TID> -t <target>.

Run order (Handala chain)

| Order | Technique | What to run |
|---|---|---|
| 1 | T1566.001 | `Invoke-AtomicTest T1566.001 -TestNumbers 1` (or 2) |
| 2 | T1059.003 | `Invoke-AtomicTest T1059.003 -TestNumbers 1,2` |
| 3 | T1059.001 | `Invoke-AtomicTest T1059.001 -TestNumbers 1,2` |
| 4 | T1059.010 | `Invoke-AtomicTest T1059.010 -TestNumbers 1` |
| 5 | T1027.013 | `Invoke-AtomicTest T1027.013 -TestNumbers 1` |
| 6 | T1497.003 | `Invoke-AtomicTest T1497.003 -TestNumbers 1` |
| 7 | T1016.001 | `Invoke-AtomicTest T1016.001 -TestNumbers 1` (recon) |
| 8 | T1020 | `Invoke-AtomicTest T1020 -TestNumbers 1` (if available) |
| 9 | T1561.002 | Use HANDALA-T1561.002-SAFE-ATOMIC.yaml (see below) |

Check test numbers: `Invoke-AtomicTest T1059.003 -ShowDetailsBrief`

Custom safe T1561.002 (wiper simulation)

ART does not ship a safe T1561.002 test. Use the provided safe atomic:

  1. Copy HANDALA-T1561.002-SAFE-ATOMIC.yaml into your ART clone:

    • Either add its content as a new test in atomics/T1561.002/T1561.002.yaml, or
    • Create atomics/T1561.002/ and place the file there (Invoke-AtomicRedTeam may require the test to be in the standard technique file).
  2. Run it:

    Invoke-AtomicTest T1561.002 -TestGuids a1b2c3d4-e5f6-7890-abcd-ef1234567890

    Or run all tests in T1561.002 if you appended the test to the official file.

Validate in Splunk

After each step (wait 2–3 min for indexing), run:

  • Process creation: `index=win EventCode=1 earliest=-15m | table _time host Image CommandLine ParentImage`
  • PowerShell: `index=win EventCode=4104 earliest=-15m | table _time host ScriptBlockText`
  • Raw disk access (wiper): `index=win EventCode=9 earliest=-15m | table _time host Device Image`
  • DNS (IP check): `index=win EventCode=22 earliest=-15m QueryName=*icanhazip*`

Then run your Handala/wiper detections and confirm they fire.

References

```yaml
# Safe Handala-style disk overwrite simulation - T1561.002
# Deploy to: atomic-red-team/atomics/T1561.002/T1561.002.yaml (or new file in that folder)
# Run: Invoke-AtomicTest T1561.002 -TestGuids <guid below>
#
# This does NOT wipe real disk; it overwrites one temp file then deletes it.
# Use only in a lab to validate overwrite/delete and process telemetry.
attack_technique: T1561.002
display_name: "Disk Structure Wipe - Handala-style overwrite (SAFE simulation)"
atomic_tests:
- name: "Safe file overwrite and delete (simulates wiper overwrite pattern)"
  auto_generated_guid: a1b2c3d4-e5f6-7890-abcd-ef1234567890
  description: |
    Overwrites a single file in %TEMP% with 4096 bytes then deletes it.
    Simulates Handala wiper overwrite+delete behavior for detection validation.
    Does not touch MBR, volumes, or user data.
  supported_platforms:
  - windows
  executor:
    command: |
      $path = "$env:TEMP\handala_wiper_sim_$(Get-Random).dat"
      [System.IO.File]::WriteAllBytes($path, (New-Object byte[] 4096))
      Start-Sleep -Milliseconds 500
      Remove-Item -Path $path -Force
      Write-Host "[+] Safe overwrite+delete completed: $path"
    cleanup_command: |
      Get-ChildItem $env:TEMP -Filter "handala_wiper_sim_*.dat" -ErrorAction SilentlyContinue | Remove-Item -Force
    name: powershell
    elevation_required: false
```

Handala Threat Group – Summary & Detection Mapping

1. Threat Overview

Handala (Handala Hacking Team) is a pro-Palestinian, Iran-aligned hacktivist group active since at least December 2023. It is associated with Iranian MOIS-linked personas (e.g., Void Manticore / Red Sandstorm / Banished Kitten) and uses additional names such as Karma and Homeland Justice.

  • Attribution: Iran-aligned; IBM X-Force describes Handala as “pro-Palestinian, Iran-aligned hacktivist threat group.”
  • Targeting: Initially Israeli organizations; expanded to US and Western enterprises (e.g., Stryker March 2026), healthcare, energy, financial services, government.
  • Motivation: Ideological; destruction and disruption over ransom. Uses Telegram, handala.to leak site, Tox, BreachForums for messaging and leaks.

Notable Incidents

| Incident | Date | Summary |
|---|---|---|
| CrowdStrike outage abuse | Jul 2024 | Phishing lures (fake “BSOD fix”) delivering NSIS → obfuscated batch → AutoIT wiper. Wiper uses Telegram C2, BYOVD (ListOpenedFileDrv). |
| Stryker | Mar 2026 | Global disruption; wiper/wiper-like impact; abuse of Microsoft Intune reported for remote wipe; 50TB exfil claimed. Handala branding on internal systems. |

References: Newsweek – Stryker Handala, Splunk – Handala’s Wiper, Check Point – Handala, IBM X-Force.


2. TTPs (Present & Past) – MITRE Mapping

| MITRE ID | Name | Handala behavior |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | PDF lures with malicious links; fake “fix” / crisis-themed lures (e.g., post-CrowdStrike). |
| T1059 | Command and Scripting Interpreter | NSIS installer runs cmd/copy; batch scripts (e.g., “Carroll”) for staging and execution. |
| T1059.003 | Windows Command Shell | `cmd /k copy Carroll Carroll.cmd & Carroll.cmd & exit`; batch obfuscation. |
| T1059.001 | PowerShell | AI-assisted and other PowerShell used for wiping/scripting in some campaigns. |
| T1059.010 | AutoHotKey & AutoIT | AutoIT (.a3x) loads shellcode, decompresses wiper, injects into Regasm.exe. |
| T1027 | Obfuscated Files or Information | Batch “garbage” commands; scattered valid instructions; NSIS obfuscation. |
| T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | tasklist AV checks (e.g., wrsa.exe, opssvc.exe); 90–180s sleep if not found. |
| T1590 / T1589 | Gather Victim Information | IP (e.g., icanhazip.com), hostname, username, domain, disk space; sent to Telegram C2. |
| T1020 | Automated Exfiltration | Telegram bot as C2; exfiltration of victim info and staged data. |
| T1561.002 | Disk Structure Wipe | Overwrite files with 4,096 bytes random/zero; delete after overwrite; can make host unbootable. |
| T1068 | Exploitation for Privilege Escalation | BYOVD: ListOpenedFileDrv_32.sys loaded via OpenFileFinder.dll for kernel file-name access. |

3. Security Detections MCP – Mapping

Detection coverage was checked via the security detections MCP (search, list_by_mitre, identify_gaps). Summary:

  • APT profile: No critical gaps reported; many core techniques (credential access, lateral movement, execution, etc.) have coverage.
  • Handala-relevant techniques:
    • T1561.002 (Disk Structure Wipe): Multiple detections, including:
      • Windows Raw Access To Disk Volume Partition (Sysmon EventCode 9, non-System32 process accessing \Device\HarddiskVolume*).
      • Windows Raw Access To Master Boot Record Drive (Sysmon EventCode 9, \Device\Harddisk0\DR0).
    • T1059.001 (PowerShell): Many detections (encoded PowerShell, suspicious parents, etc.).
    • T1059.003 (Windows Command Shell): Detections for cmd/batch abuse and suspicious invocation.
    • T1027 (Obfuscated Files or Information): Coverage in ESCU/Sigma content.
    • T1566.001 (Spearphishing Attachment): Coverage in phishing/initial-access analytics.

Suggested MCP follow-ups (run in your environment):

  • search("wiper OR disk wipe OR raw access") – find wiper/disk-impact detections.
  • list_by_mitre("T1059.010") – AutoIT execution.
  • list_by_mitre("T1497.003") – time-based/sandbox evasion.
  • list_by_mitre("T1020") – automated exfiltration.
  • search("AutoIt OR icanhazip OR Telegram") – Handala-specific behaviors.

Splunk’s Handala blog also references analytics such as: Suspicious Process File Path, Executables or Script Creation in Suspicious Path, Windows AutoIt3 Execution, Windows Gather Victim Network Info Through IP Check Web Services (e.g., icanhazip.com), and Regasm with no command-line arguments (process injection).
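To see what the runbook’s Splunk validation queries and the raw-access analytics listed above actually match on, here is an added example (not part of the gist or of Splunk’s ESCU content) that replays those conditions over a handful of constructed Sysmon-style events: EventCode 9 raw access to a volume or to `\Device\Harddisk0\DR0` by a non-System32 process, EventCode 22 DNS to an IP-check service, and EventCode 1 AutoIt execution. The event records, the `wiper_sample.exe` image name and the `ipinfo.io` extension of the DNS check are constructed for illustration.

```python
import fnmatch

# Constructed Sysmon-style events (field names as Splunk extracts them); not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": "1", "Image": r"C:\Users\Public\AutoIt3.exe",
     "CommandLine": "AutoIt3.exe Carroll.a3x", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventCode": "9", "Image": r"C:\Users\Public\wiper_sample.exe", "Device": r"\Device\HarddiskVolume3"},
    {"EventCode": "9", "Image": r"C:\Windows\System32\svchost.exe", "Device": r"\Device\HarddiskVolume1"},
    {"EventCode": "9", "Image": r"C:\Users\Public\wiper_sample.exe", "Device": r"\Device\Harddisk0\DR0"},
    {"EventCode": "22", "Image": r"C:\Users\Public\wiper_sample.exe", "QueryName": "icanhazip.com"},
    {"EventCode": "22", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "QueryName": "www.splunk.com"},
]

# IP-check services named in the chain's recon detection_focus; System32 prefix for the raw-access filter.
IP_CHECK_DOMAINS = ("icanhazip.com", "ipinfo.io")
SYSTEM32 = "c:\\windows\\system32\\"


def detect(event):
    """Return the names of the analytics this single event would trigger."""
    hits = []
    code, image = event.get("EventCode"), event.get("Image", "").lower()
    if code == "9" and not image.startswith(SYSTEM32):
        # Sysmon 9 = RawAccessRead; the System32 exclusion mirrors the two ESCU raw-access analytics.
        device = event.get("Device", "")
        if fnmatch.fnmatchcase(device, r"\Device\HarddiskVolume*"):
            hits.append("Windows Raw Access To Disk Volume Partition")
        if device == r"\Device\Harddisk0\DR0":
            hits.append("Windows Raw Access To Master Boot Record Drive")
    if code == "22":
        # Sysmon 22 = DNS query; the runbook's QueryName=*icanhazip* check, extended to ipinfo.io.
        qname = event.get("QueryName", "").lower()
        if any(qname == d or qname.endswith("." + d) for d in IP_CHECK_DOMAINS):
            hits.append("Windows Gather Victim Network Info Through IP Check Web Services")
    if code == "1":
        # Sysmon 1 = process creation; AutoIt3.exe / AutoIt*.exe as in the chain's Phase 4.
        exe = image.rsplit("\\", 1)[-1]
        if exe.startswith("autoit") and exe.endswith(".exe"):
            hits.append("Windows AutoIt3 Execution")
    return hits


def count_hits(events=SAMPLE_EVENTS):
    """Tally triggered analytics over a batch, like `| stats count by rule` in Splunk."""
    counts = {}
    for ev in events:
        for name in detect(ev):
            counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, n in sorted(count_hits().items()):
        print(f"{n:>3}  {rule}")
```

Feeding it the events the safe T1561.002 atomic produces shows the gap the chain file already notes: a file overwrite in %TEMP% generates Sysmon 11 and no EventCode 9, so the raw-access analytics stay silent and only file-overwrite/delete detections can fire.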


4. Data Sources to Prioritize

  • Process: Sysmon 1 (creation), 10 (process access for LSASS/injection).
  • Network: Sysmon 3, 22 (DNS – e.g., icanhazip.com); firewall/proxy for Telegram.
  • File: Sysmon 11 (creation in suspicious paths; executables/scripts).
  • Disk: Sysmon 9 (raw access to volume/MBR) for T1561.002.
  • Script content: PowerShell logging (EventCode 4104) for encoded/obfuscated scripts.

5. Atomic Red Team Chain

See HANDALA-ATOMIC-CHAIN.yaml for an ordered “chain reaction” of Atomic Red Team tests that simulate Handala’s endpoint behaviors. Use it in a lab with Invoke-AtomicRedTeam or Attack Range to validate detections.

Run order in the chain:

  1. Initial access / user execution (phishing simulation – T1566.001).
  2. Execution: Command shell (T1059.003), PowerShell (T1059.001), AutoIT (T1059.010).
  3. Defense evasion: Obfuscation (T1027), time-based evasion (T1497.003).
  4. Discovery / recon: System/network info (e.g., IP check – T1590/T1589).
  5. Exfiltration: Automated exfil (T1020) – simulated.
  6. Impact: Disk wipe simulation (T1561.002) – safe, non-destructive test only in lab.