Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

SUNBURST and SUPERNOVA backdoor hashes Normalized File Events

Back
Idbc5ffe2a-84d6-48fe-bc7b-1055100469bc
RulenameSUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
DescriptionIdentifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events

To use this analytics rule, make sure you have deployed the ASIM normalization parsers

References:

- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
SeverityHigh
TacticsExecution
Persistence
InitialAccess
TechniquesT1195
T1059
T1546
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
Version1.0.7
Arm templatebc5ffe2a-84d6-48fe-bc7b-1055100469bc.json
Deploy To Azure
let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
imFileEvent
| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "MD5"

relevantTechniques:
- T1195
- T1059
- T1546
name: SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
requiredDataConnectors: []
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: User
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountNTDomain
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: Dvc
  - identifier: HostName
    columnName: DvcHostname
  - identifier: DnsDomain
    columnName: DvcDomain
  entityType: Host
- fieldMappings:
  - identifier: Algorithm
    columnName: AlgorithmType
  - identifier: Value
    columnName: TargetFileMD5
  entityType: FileHash
triggerThreshold: 0
id: bc5ffe2a-84d6-48fe-bc7b-1055100469bc
tactics:
- Execution
- Persistence
- InitialAccess
version: 1.0.7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml
queryPeriod: 1d
kind: Scheduled
tags:
- Id: a3c144f9-8051-47d4-ac29-ffb0c312c910
  version: 1.0.0
metadata:
  categories:
    domains:
    - Security - Threat Intelligence
  author:
    name: Yaron
  support:
    tier: Community
  source:
    kind: Community
queryFrequency: 1d
severity: High
description: |
  Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f  
query: |
  let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
  let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
  imFileEvent
  | where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "MD5"  
triggerOperator: gt

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bc5ffe2a-84d6-48fe-bc7b-1055100469bc')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bc5ffe2a-84d6-48fe-bc7b-1055100469bc')]",
      "properties": {
        "alertRuleTemplateName": "bc5ffe2a-84d6-48fe-bc7b-1055100469bc",
        "customDetails": null,
        "description": "Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f\n",
        "displayName": "SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountNTDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Dvc",
                "identifier": "FullName"
              },
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcDomain",
                "identifier": "DnsDomain"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "AlgorithmType",
                "identifier": "Algorithm"
              },
              {
                "columnName": "TargetFileMD5",
                "identifier": "Value"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimFileEvent/imFileESolarWindsSunburstSupernova.yaml",
        "query": "let SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a910a1299cdae2a4e55988a2f102e\",\"846e27a652a5e1bfbd0ddd38a16dc865\",\"4f2eb62fa529c0283b28d05ddd311fae\"]);\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\nimFileEvent\n| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)\n| extend AccountName = tostring(split(User, @'\\')[1]), AccountNTDomain = tostring(split(User, @'\\')[0])\n| extend AlgorithmType = \"MD5\"\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution",
          "InitialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "Id": "a3c144f9-8051-47d4-ac29-ffb0c312c910",
            "version": "1.0.0"
          }
        ],
        "techniques": [
          "T1059",
          "T1195",
          "T1546"
        ],
        "templateVersion": "1.0.7",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}