Description

Sunburst is a trojanized update to the SolarWinds Orion IT monitoring and management software. It was discovered by FireEye in December 2020. The actors behind this campaign gained access to numerous public and private organizations around the world.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Web
  • Last Updated: 2020-12-14
  • Author: Patrick Bareiss, Michael Haag, Splunk
  • ID: 758196b5-2e21-424f-a50c-6e421ce926c2

Narrative

This Analytic Story helps you detect the Tactics, Techniques and Procedures (TTPs) of the NOBELIUM Group. The threat actor behind Sunburst compromised SolarWinds.Orion.Core.BusinessLayer.dll, a SolarWinds digitally-signed component of the Orion software framework, so that it contains a backdoor which communicates via HTTP to third-party servers. The detections in this Analytic Story focus on DLL loading events, file creation events and network events to detect this malware.
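The correlation the narrative describes, as an added example that is not part of the Splunk content: a process that loads SolarWinds.Orion.Core.BusinessLayer.dll and then talks HTTP(S) to a non-internal host within a time window is flagged. The events are constructed Sysmon-style records (EventID 7 image load, EventID 3 network connection), and the paths, process GUIDs and addresses are placeholders, not real telemetry.

```python
import ipaddress
from datetime import datetime

# Constructed sample events (not real telemetry). Paths and GUIDs are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2020-12-14T10:00:00", "EventID": 7, "ProcessGuid": "{P1}",
     "ImageLoaded": r"C:\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"},
    {"ts": "2020-12-14T10:05:00", "EventID": 3, "ProcessGuid": "{P1}",
     "DestinationIp": "10.0.0.25", "DestinationPort": 443},      # internal host: ignored
    {"ts": "2020-12-14T10:12:00", "EventID": 3, "ProcessGuid": "{P1}",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},   # external HTTPS: hit
    {"ts": "2020-12-14T10:01:00", "EventID": 7, "ProcessGuid": "{P2}",
     "ImageLoaded": r"C:\Orion\SolarWinds.Orion.Core.OtherModule.dll"},
    {"ts": "2020-12-14T10:02:00", "EventID": 3, "ProcessGuid": "{P2}",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},    # no target DLL: ignored
    {"ts": "2020-12-14T12:00:00", "EventID": 3, "ProcessGuid": "{P1}",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},    # outside window: ignored
]

TARGET_DLL = "solarwinds.orion.core.businesslayer.dll"   # compared case-insensitively
HTTP_PORTS = {80, 443}
# RFC1918 and loopback ranges count as internal; the backdoor talks to third-party servers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events, window_minutes=60):
    """Return [(ProcessGuid, dest_ip, dest_port)] for processes that loaded the
    BusinessLayer DLL and, within the window, connected over HTTP(S) to an external host."""
    loads = {}                                   # ProcessGuid -> first load time
    for e in events:
        if e["EventID"] == 7 and e["ImageLoaded"].lower().endswith(TARGET_DLL):
            loads.setdefault(e["ProcessGuid"], datetime.fromisoformat(e["ts"]))
    hits = []
    for e in events:
        if e["EventID"] != 3 or e["ProcessGuid"] not in loads:
            continue
        minutes = (datetime.fromisoformat(e["ts"]) - loads[e["ProcessGuid"]]).total_seconds() / 60
        if (0 <= minutes <= window_minutes and e["DestinationPort"] in HTTP_PORTS
                and is_external(e["DestinationIp"])):
            hits.append((e["ProcessGuid"], e["DestinationIp"], e["DestinationPort"]))
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print("BusinessLayer DLL load followed by external HTTP traffic:", hit)
```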

Detections

| Name | Technique | Type |
|------|-----------|------|
| Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly |
| Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP |
| Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting |
| Detect Rundll32 Inline HTA Execution | Signed Binary Proxy Execution, Mshta | TTP |
| First Time Seen Running Windows Service | System Services, Service Execution | Anomaly |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP |
| Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP |
| Supernova Webshell | Web Shell | TTP |
| TOR Traffic | Application Layer Protocol, Web Protocols | TTP |
| Windows AdFind Exe | Remote System Discovery | TTP |

Reference

source | version: 2