Elastic Security provides free and open protections for SUNBURST
Note: We have now updated our DGA model for better SUNBURST domain detection. Our model was able to detect all of the SUNBURST domains in this dataset.
Executive summary
- Elastic Security’s malware prevention technology, used by both Elastic Endgame and the endpoint security capabilities within Elastic Security, has been updated and is not affected by attacks described in this disclosure
- Existing Elastic Security rules (listed below) can help identify potential attacks
- New Elastic Security rules (listed below) can help detect new threats
- Recommended searches/threat hunts are listed below for Elastic Security (Elastic Endgame recommendations can be found on our support portal)
- Users can leverage Elastic ML models to detect potential C2 from the SUNBURST attack
- Users are invited to work directly with our protection engineers in our public rules repo
Background
On December 13, SolarWinds released a security advisory regarding a successful supply-chain attack on the Orion management platform. The attack affects Orion versions 2019.4 HF 5 through 2020.2.1, software products released between March and June of 2020. Likewise, on December 13, FireEye released information about a global campaign involving SolarWinds supply-chain compromise that affected some versions of Orion software.
Many details of the intrusion have not been made public, and this content may be later updated as additional information becomes known. Elastic provides this information for users in the free tier, and recommends subscription customers refer to the support portal for additional information about licensed features.
Malware protection
We have updated our MalwareScore protection, used by both Elastic Endgame and Elastic Security. This update includes blocklist entries for known bad file hashes, providing essential prevention capability to mitigate deployed SolarWinds client software containing malicious code. Users should receive this update automatically.
Free and open behavioral detections
We have reviewed public materials disclosed by SolarWinds and FireEye to ensure we have as up-to-date an understanding of tactics, techniques, and procedures (TTPs) as possible. Additionally, Elastic reviewed content published by Volexity describing post-exploitation activities observed during professional services engagements. While information about how the adversary responsible has leveraged this supply-chain compromise is limited, materials published by FireEye and Volexity indicate attempts to obtain lasting operational control by targeting directory services and other forms of authentication with a particular emphasis on information access.
The following existing behavioral detections for the Elastic Security solution may identify evidence of successful post-exploitation:
- User Added as Owner for Azure Service Principal
- Multi-Factor Authentication Disabled for an Azure User
- Attempts to Brute Force a Microsoft 365 User Account
- Potential Password Spraying of Microsoft 365 User Accounts
- Possible Consent Grant Attack via Azure-Registered Application
- Azure Key Vault Modified
- Process Termination followed by Deletion
- Clearing Windows Event Logs
Additionally, new behavioral rules are being released for the following activities:
- Exporting Exchange MailBox via PowerShell
- SolarWinds Process Disabling Services via Registry
- Command Execution via SolarWinds Process
- Suspicious SolarWinds Child Process
- Azure Active Directory PowerShell Sign-in
- Azure Service Principal Addition
- SUNBURST Command and Control Activity Detected
- Azure Application Credential Modification
- Outbound Scheduled Task Activity via PowerShell
Elastic Security users may find value in enabling additional detection-rules in all categories, prioritizing triage and analysis of results related to SolarWinds client software.
Users should note that the detection-rules command-line interface (CLI) is required to import rules, and the import-rules function can import rules in several formats either individually or from a directory.
Threat hunting using Elastic
Users who have deployed the Elastic endpoint may find that hunts focused on the following are important leads to prioritize based on public reporting:
Disabling services via the Windows registry
EQL
registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings == "4" and not (process.name : "services.exe" and user.domain: "NT AUTHORITY")
KQL
registry.path:HKLM\\System\\*ControlSet*\\Services\\*\\Start and registry.data.strings:"4" and not (process.name:"services.exe" and user.domain:"NT AUTHORITY")
Unusual descendants of the SolarWinds client
EQL
process where event.type in ("start","process_started") and process.parent.name:("SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe")
KQL
event.category:process and event.type:start and process.parent.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")
Creation of executable files by the SolarWinds client
EQL
file where process.name in ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and file.name : ("*.dll*", "*.exe*", "*.ps1*", "*.jpg*", "*.png*")
KQL
event.category:file and event.type:creation and file.extension:(dll or DLL or exe or EXE or ps1 or PS1 or jpg or JPG or png or PNG) and process.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")
Unexpected network communications by the SolarWinds client
EQL
network where network.protocol == "http" and process.name: ("SolarWinds.BusinessLayerHostx64.exe", "ConfigurationWizard.exe", "NetflowDatabaseMaintenance.exe", "NetFlowService.exe", "SolarWinds.Administration.exe", "SolarWinds.BusinessLayerHost.exe", "SolarWinds.Collector.Service.exe" , "SolarwindsDiagnostics.exe") and wildcard(http.request.body.content, "POST*/swip/Upload.ashx*", "PUT*/swip/Upload.ashx*", "GET*/swip/SystemDescription*", "HEAD*/swip/SystemDescription*", "GET*/swip/Events*", "HEAD*/swip/Events*") and not wildcard(http.request.body.content, "POST*solarwinds.com*", "PUT*solarwinds.com*", "GET*solarwinds.com*", "HEAD*solarwinds.com*")
KQL
event.category:network and event.type:protocol and network.protocol:http and process.name:(ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(((*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)
For our users leveraging machine learning
Machine learning is a critical capability when tracking down and detecting unknown threats. Elastic Security ships prebuilt jobs and rules that can jumpstart security teams across any organization. In this case, SUNBURST detection was not the exception. In this blog, Elastic users can find step-by-step instructions to leverage one of the latest additions to our fleet: a model that combines supervised and unsupervised learning for effectively detect Domain Generation Algorithm (DGA) activity in organizations.
Next steps
Elastic will update our malware protection signer allowlist to remove an allowlist entry for SolarWinds Worldwide, LLC. As a result, SolarWinds users may see malware alerts for software signed by SolarWinds. These may be false positives.
Elastic Security's researchers are monitoring this situation for any updates. As new information emerges, we will evaluate and create additional protections as needed.
Elastic recommends users follow all applicable guidance from SolarWinds in addition to the guidance provided in this document. Users of SolarWinds products should also review reference materials for associated network-based indicators and conduct searches to identify potential evidence of prior or ongoing compromise. Elastic users can easily search for atomic indicators without learning a new query language.