Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

SUNBURST suspicious SolarWinds child processes Normalized Process Events

Back
Id631d02df-ab51-46c1-8d72-32d0cfec0720
RulenameSUNBURST suspicious SolarWinds child processes (Normalized Process Events)
DescriptionIdentifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor

References:

- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityMedium
TacticsExecution
Persistence
TechniquesT1059
T1543
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
Version1.1.6
Arm template631d02df-ab51-46c1-8d72-32d0cfec0720.json
Deploy To Azure
let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
imProcessCreate
| where Process hassuffix 'solarwinds.businesslayerhost.exe'
| where not(Process has_any (excludeProcs))
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
| project-away DomainIndex
severity: Medium
tags:
- version: 1.0.0
  Id: 4a3073ac-7383-48a9-90a8-eb6716183a54
- Schema: ASIMProcessEvent
  SchemaVersion: 0.1.0
- Solorigate
- NOBELIUM
id: 631d02df-ab51-46c1-8d72-32d0cfec0720
queryFrequency: 1d
queryPeriod: 1d
relevantTechniques:
- T1059
- T1543
triggerOperator: gt
tactics:
- Execution
- Persistence
kind: Scheduled
description: |
  Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml
requiredDataConnectors: []
metadata:
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - 0-day Vulnerability
  author:
    name: Yuval Naor
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountNTDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: Dvc
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
- entityType: FileHash
  fieldMappings:
  - columnName: AlgorithmType
    identifier: Algorithm
  - columnName: TargetFileMD5
    identifier: Value
query: |
  let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
  imProcessCreate
  | where Process hassuffix 'solarwinds.businesslayerhost.exe'
  | where not(Process has_any (excludeProcs))
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  | project-away DomainIndex  
version: 1.1.6
name: SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/631d02df-ab51-46c1-8d72-32d0cfec0720')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/631d02df-ab51-46c1-8d72-32d0cfec0720')]",
      "properties": {
        "alertRuleTemplateName": "631d02df-ab51-46c1-8d72-32d0cfec0720",
        "customDetails": null,
        "description": "Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)'\n",
        "displayName": "SUNBURST suspicious SolarWinds child processes (Normalized Process Events)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Dvc",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "AlgorithmType",
                "identifier": "Algorithm"
              },
              {
                "columnName": "TargetFileMD5",
                "identifier": "Value"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimProcess/imProcess_SolarWinds_SUNBURST_Process-IOCs.yaml",
        "query": "let excludeProcs = dynamic([@\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\", @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\", @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe\", @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe\", @\"\\SolarWinds\\Orion\\Database-Maint.exe\", @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe\", @\"\\Windows\\SysWOW64\\WerFault.exe\"]);\nimProcessCreate\n| where Process hassuffix 'solarwinds.businesslayerhost.exe'\n| where not(Process has_any (excludeProcs))\n| extend AccountName = tostring(split(ActorUsername, @'\\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\\')[0])\n| extend HostName = tostring(split(Dvc, \".\")[0]), DomainIndex = toint(indexof(Dvc, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)\n| project-away DomainIndex\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "Persistence"
        ],
        "tags": [
          {
            "Id": "4a3073ac-7383-48a9-90a8-eb6716183a54",
            "version": "1.0.0"
          },
          {
            "Schema": "ASIMProcessEvent",
            "SchemaVersion": "0.1.0"
          },
          "Solorigate",
          "NOBELIUM"
        ],
        "techniques": [
          "T1059",
          "T1543"
        ],
        "templateVersion": "1.1.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}