IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
SUNBURST Command and Control Activity
editSUNBURST Command and Control Activity
editThe malware known as SUNBURST targets the SolarWind’s Orion business software for command and control. This rule detects post-exploitation command and control activity of the SUNBURST backdoor.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: high
Risk score: 73
Runs every: 5 minutes
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- Host
- Windows
- Threat Detection
- Command and Control
Version: 4 (version history)
Added (Elastic Stack release): 7.11.0
Last modified (Elastic Stack release): 7.13.0
Rule authors: Elastic
Rule license: Elastic License v2
Investigation guide
edit## Triage and analysis The SUNBURST malware attempts to hide within the Orion Improvement Program (OIP) network traffic. As this rule detects post-exploitation network traffic, investigations into this should be prioritized.
Rule query
editnetwork where event.type == "protocol" and network.protocol == "http" and process.name : ("ConfigurationWizard.exe", "NetFlowService.exe", "NetflowDatabaseMaintenance.exe", "SolarWinds.Administration.exe", "SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe", "SolarWinds.Collector.Service.exe", "SolarwindsDiagnostics.exe") and (http.request.body.content : "*/swip/Upload.ashx*" and http.request.body.content : ("POST*", "PUT*")) or (http.request.body.content : ("*/swip/SystemDescription*", "*/swip/Events*") and http.request.body.content : ("GET*", "HEAD*")) and not http.request.body.content : "*solarwinds.com*"
Threat mapping
editFramework: MITRE ATT&CKTM
-
Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
-
Technique:
- Name: Application Layer Protocol
- ID: T1071
- Reference URL: https://attack.mitre.org/techniques/T1071/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Supply Chain Compromise
- ID: T1195
- Reference URL: https://attack.mitre.org/techniques/T1195/
Rule version history
edit- Version 4 (7.13.0 release)
-
-
Updated query, changed from:
event.category:network and event.type:protocol and network.protocol:http and process.name:( ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(( (*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)
-
- Version 3 (7.12.0 release)
-
- Formatting only
- Version 2 (7.11.2 release)
-
- Formatting only