Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TEARDROP memory-only dropper

TEARDROP memory-only dropper

Back
Id738702fd-0a66-42c7-8586-e30f0583f8fe
RulenameTEARDROP memory-only dropper
DescriptionIdentifies SolarWinds TEARDROP memory-only dropper IOCs in Window’s defender Exploit Guard activity

References:

- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
SeverityHigh
TacticsExecution
Persistence
DefenseEvasion
TechniquesT1543
T1059
T1027
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
Version1.0.6
Arm template738702fd-0a66-42c7-8586-e30f0583f8fe.json
Deploy To Azure
DeviceEvents
| where ActionType has "ExploitGuardNonMicrosoftSignedBlocked"
| where InitiatingProcessFileName has "svchost.exe" and FileName has "NetSetupSvc.dll"
| extend HashAlgorithm = "SHA1"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)

description: |
  Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f  
kind: Scheduled
tactics:
- Execution
- Persistence
- DefenseEvasion
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
severity: High
name: TEARDROP memory-only dropper
triggerThreshold: 0
queryPeriod: 1d
query: |
  DeviceEvents
  | where ActionType has "ExploitGuardNonMicrosoftSignedBlocked"
  | where InitiatingProcessFileName has "svchost.exe" and FileName has "NetSetupSvc.dll"
  | extend HashAlgorithm = "SHA1"
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
relevantTechniques:
- T1543
- T1059
- T1027
id: 738702fd-0a66-42c7-8586-e30f0583f8fe
queryFrequency: 1d
status: Available
triggerOperator: gt
version: 1.0.6
tags:
- Sunburst
- Solorigate
- NOBELIUM
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
- entityType: Account
  fieldMappings:
  - columnName: InitiatingProcessAccountUpn
    identifier: FullName
  - columnName: InitiatingProcessAccountName
    identifier: Name
  - columnName: InitiatingProcessAccountDomain
    identifier: UPNSuffix
- entityType: FileHash
  fieldMappings:
  - columnName: HashAlgorithm
    identifier: Algorithm
  - columnName: InitiatingProcessSHA1
    identifier: Value