Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. TEARDROP memory-only dropper

TEARDROP memory-only dropper

Back
Id738702fd-0a66-42c7-8586-e30f0583f8fe
RulenameTEARDROP memory-only dropper
DescriptionIdentifies SolarWinds TEARDROP memory-only dropper IOCs in Window’s defender Exploit Guard activity

References:

- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
SeverityHigh
TacticsExecution
Persistence
DefenseEvasion
TechniquesT1543
T1059
T1027
Required data connectorsMicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
Version1.0.6
Arm template738702fd-0a66-42c7-8586-e30f0583f8fe.json
Deploy To Azure
DeviceEvents
| where ActionType has "ExploitGuardNonMicrosoftSignedBlocked"
| where InitiatingProcessFileName has "svchost.exe" and FileName has "NetSetupSvc.dll"
| extend HashAlgorithm = "SHA1"
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)

id: 738702fd-0a66-42c7-8586-e30f0583f8fe
relevantTechniques:
- T1543
- T1059
- T1027
tags:
- Sunburst
- Solorigate
- NOBELIUM
description: |
  Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_TEARDROP_Process-IOCs.yaml
query: |
  DeviceEvents
  | where ActionType has "ExploitGuardNonMicrosoftSignedBlocked"
  | where InitiatingProcessFileName has "svchost.exe" and FileName has "NetSetupSvc.dll"
  | extend HashAlgorithm = "SHA1"
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
queryFrequency: 1d
status: Available
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: DnsDomain
    columnName: HostNameDomain
  entityType: Host
- fieldMappings:
  - identifier: FullName
    columnName: InitiatingProcessAccountUpn
  - identifier: Name
    columnName: InitiatingProcessAccountName
  - identifier: UPNSuffix
    columnName: InitiatingProcessAccountDomain
  entityType: Account
- fieldMappings:
  - identifier: Algorithm
    columnName: HashAlgorithm
  - identifier: Value
    columnName: InitiatingProcessSHA1
  entityType: FileHash
severity: High
kind: Scheduled
tactics:
- Execution
- Persistence
- DefenseEvasion
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceEvents
triggerOperator: gt
triggerThreshold: 0
version: 1.0.6
queryPeriod: 1d
name: TEARDROP memory-only dropper