XDR: Vendor Advisory for SolarWinds Orion Products - Countermeasure guidelines

XDR: Vendor Advisory for SolarWinds Orion Products - Countermeasure guidelines

December 2020

Detect SolarWinds SUNBURST Backdoor

with Stellar Cyber Open-XDR Platform

On December 13 2020, multiple vendors such as FireEye and Microsoft reported emerging threats from a nation-state threat actor who compromised SolarWinds, and trojanized SolarWinds Orion business software updates in order to distribute backdoor malware called SUNBURST. Because of the popularity of SolarWinds, the attacks have affected multiple government agencies and many Fortune 500 companies. It also appeared in the recent CISA Emergency Directive 20-01. Given its importance, we would like to provide a quick response and suggestions for you to deal with this critical threat.

1.       Mitigate SolarWinds Orion Supply Chain Compromise

CISA Emergency Directive 20-01 provides very good suggestions on how to mitigate the SolarWinds Orion supply chain compromise.  You first need to identify whether you are running the affected version of SolarWinds Orion products (2019.4 through 2020.2.1 HF1). Any hosts managed by such software should be considered as compromised based on the CISA


2.       Detect Suspicious Network Communications

We have already incorporated the threat intelligence of SUNBURST into our platform.

2.1 Network Level IoCs

SUNBURST employs a complex, multi-staged mechanism to connect to a C2 (Command & Control) channel. It first connects to a domain with assvmcloud.comas the TLD. The domain resolves and returns a CNAME to another malicious domain, then to the IP address. We have incorporated the IoCs in terms of domains and IP addresses in our emerging threat intelligence and pushed through the Stellar Cyber cloud. Every customer already has the update automatically. If any IP address or domain matches the IoC from threat intelligence, we will enrich the Interflow record and the corresponding IP address with the following fields in the traffic index:

•   dstip_reputation: emerging_threat

•    dstip_reputation_source: SolarWinds_Backdoor

With that, you can create an ATH (Automated Threat Hunting) rule to run a customized detection for such C2 alerts (our customer support team can also help with that).

Data ingestion that can trigger domain reputation

•   network sensor

•   security sensor

Data ingestion that can trigger IP address reputation:

•   network sensor

•   security sensor

•   Windows event log/Sysmon

•   firewall connection logs

2.2 IDS Signatures

From our threat intelligence sources, we have also incorporated the IDS signatures into our security sensors to detect suspicious SolarWinds Orion communications with SUNBURST. Every customer already has the update automatically.

Look for:


in the ML-IDS/Malware index.

With that, you can create an ATH rule to run a customized detection (our customer support team can also help with that).

Data ingestion that can trigger IDS signatures: security sensor.

3.       Detect Suspicious Signals on the Hosts

There are also different signals we can detect based on the host-level data.

3.1 Windows Event Log from Sysmon

If you have configured Sysmon to capture event 17 & 18, you can run the following query in the

Windows Event index to capture possible malicious behavior related to the Windows pipe.

(event_id:17 OR event_id:18) AND log_name: "Microsoft-Windows-Sysmon/Operational " AND

event_data.PipeName: "583da945-62af-10e8-4902-a8f205c72b2e "

With that, you can create an ATH rule to run a customized detection (our customer support team can also help with that).

Data ingestion requirement: Sysmon with event 17 & 18 turned on.

3.2 EDR Alert Ingestions

EDR software, such as CrowdStrike, Carbon Black, etc. might already detect host-level IoCs for SUNBURST. If data ingestion is properly configured, you can also view the EDR alerts in Starlight and correlate with the other signals.

4.       Detect Suspicious Lateral Movement

Given that SUNBURST might penetrate to many different enterprises, the attacker might use different ways to establish persistent footholds and lateraly move to attack different targets in different enterprises. Detecting lateral movement is crucial.

4.1 Lateral Movement to Azure AD

As shown in the report from Microsoft, the attackers might use the SUNBURST backdoor to target Azure AD, through capturing password or forged SAML tokens. You can convert the following queries to ATH rules (our customer support team can also help with that).

(1) New Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal"

(2) Credentials and certificates added to Apps or Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Add service principal credentials"

(3) Permissions and role assignments added to Apps or Service Principals:

msg_class:azure_ad_audit AND activityDisplayName.keyword:("Add app role assignment to service principal" OR "Add delegated permission grant" OR "Add application")

(4) Apps modified to allow multi-tenant access:

msg_class:azure_ad_audit AND activityDisplayName.keyword:"Update application" AND operationType.keyword:"Update" AND result.keyword:"success" AND targetResources.modifiedProperties.displayName.keyword:"AvailableToOtherTenants"

(5) Changes to Azure AD Custom Domains:

msg_class:azure_ad_audit AND (activityDisplayName.keyword:"Add unverified domain" OR


Data ingestion requirement: Azure AD audit log.

4.2 Lateral Movement Through RDP

The threat research from Splunk shows that RDP might be used in lateral movement with SUNBURST. In Starlight 3.10.0 we developed 10 RDP-related detections that can help identify the RDP-related lateral movement (and RDP attacks in general).

Data ingestion requirement:

•   network sensor

•   security sensor

•   and/or Windows event log

4.3 Other Lateral Movement Detection Suggestions

Overall, SUNBURST might establish permanent footholds inside enterprises, which might create more signals with lateral movement.

You can search the historical data stored in Starlight for IoCs or suspicious activity from hosts with SolarWinds Orion installed. For example, search for "dstip_host:*avsvmcloud* OR metadata.request.query: *avsvmcloud* in Traffic data prior to 12/13/2020 to see whether any hosts were already involved in SUNBURST C2.

Moreover, you can filter the alerts with the global query "srcip_type:private AND dstip_type:private", so you can pay more attention to the internally generated alerts and identify potential internal network signals.

5.       Conclusions

Through research on SUNBURST, we quickly developed some ideas you can use to detect SUNBURST using Starlight. We are constantly working on threat research and will release more up-to-date information and additional detections when it becomes available. Stay tuned!

    • Related Articles

    • Alienvault-Advisory

        SolarWinds Orion Supply Chain Attack                        Detections in AT&T Unified Security Management™ and IoCs in the AT&T Alien Labs Open Threat Exchange™ December 16, 2020, 11:15am (CST) TLP: Amber Dear USM Customer, The details of this ...
    • XDR-Syslog Forwarding- Ports To Send To

      Firewall Ports to Open for Log Ingestion Network and security sensors require open inbound UDP ports on your firewall in order to receive and parse logs from devices on your network. The ports are already open by default on the sensor, so you must ...

         Pre-Requisites: You will need Domain Administrator Privileges to configure the G-Suite Integration within BDS.   Preparation Before configuring G-Suite in data processor, user would need to enable this feature in the google admin dashboard. 1. ...
    • XDR: Deploying The Windows Agent

      Overview The Windows agent collects relevant security data from Windows event logs running. Forwarding Windows event logs provides necessary log data required for many compliance regulations and increases overall visibility within the organization. ...
    • XDR: EVENT ID Search in BDS Platform

      An Alarm raised by SOC? Curious to know what the alarm is and why SOC raised it? We provide complete transparency to check what event/alarm was raised by the SOC to the Partner/Client Pre – Requisites:  1. Login Credentials 2. Portal URL to login 3. ...