SUNBURST network beacons
| Id | ce1e7025-866c-41f3-9b08-ec170e05e73e |
| Rulename | SUNBURST network beacons |
| Description | Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f |
| Severity | Medium |
| Tactics | Execution Persistence InitialAccess |
| Techniques | T1195 T1059 T1546 |
| Required data connectors | MicrosoftThreatProtection |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml |
| Version | 1.0.5 |
| Arm template | ce1e7025-866c-41f3-9b08-ec170e05e73e.json |
let SunburstURL=dynamic(["panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteUrl in(SunburstURL)
| extend HashAlgorithm = 'MD5'
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
description: |
Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents
References:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
version: 1.0.5
triggerThreshold: 0
tactics:
- Execution
- Persistence
- InitialAccess
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Defender XDR/Analytic Rules/SolarWinds_SUNBURST_Network-IOCs.yaml
triggerOperator: gt
status: Available
id: ce1e7025-866c-41f3-9b08-ec170e05e73e
name: SUNBURST network beacons
queryFrequency: 1d
severity: Medium
kind: Scheduled
entityMappings:
- fieldMappings:
- columnName: DeviceName
identifier: FullName
- columnName: HostName
identifier: HostName
- columnName: HostNameDomain
identifier: DnsDomain
entityType: Host
- fieldMappings:
- columnName: InitiatingProcessAccountUpn
identifier: FullName
- columnName: InitiatingProcessAccountName
identifier: Name
- columnName: InitiatingProcessAccountDomain
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: RemoteIP
identifier: Address
entityType: IP
- fieldMappings:
- columnName: RemoteUrl
identifier: Url
entityType: URL
- fieldMappings:
- columnName: HashAlgorithm
identifier: Algorithm
- columnName: InitiatingProcessMD5
identifier: Value
entityType: FileHash
relevantTechniques:
- T1195
- T1059
- T1546
query: |
let SunburstURL=dynamic(["panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteUrl in(SunburstURL)
| extend HashAlgorithm = 'MD5'
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
requiredDataConnectors:
- dataTypes:
- DeviceNetworkEvents
connectorId: MicrosoftThreatProtection