Command Execution via SolarWinds Process
A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/12/14"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2025/01/15"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected."
12false_positives = [
13 "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
14]
15from = "now-9m"
16index = [
17 "winlogbeat-*",
18 "logs-endpoint.events.process-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25 "logs-crowdstrike.fdr*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Command Execution via SolarWinds Process"
30references = [
31 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
32 "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
33]
34risk_score = 47
35rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
36severity = "medium"
37tags = [
38 "Domain: Endpoint",
39 "OS: Windows",
40 "Use Case: Threat Detection",
41 "Tactic: Execution",
42 "Tactic: Initial Access",
43 "Data Source: Elastic Endgame",
44 "Data Source: Elastic Defend",
45 "Data Source: System",
46 "Data Source: Microsoft Defender for Endpoint",
47 "Data Source: Sysmon",
48 "Data Source: SentinelOne",
49 "Data Source: Crowdstrike",
50 "Resources: Investigation Guide",
51]
52timestamp_override = "event.ingested"
53type = "eql"
54
55query = '''
56process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
57process.parent.name: (
58 "ConfigurationWizard*.exe",
59 "NetflowDatabaseMaintenance*.exe",
60 "NetFlowService*.exe",
61 "SolarWinds.Administration*.exe",
62 "SolarWinds.Collector.Service*.exe",
63 "SolarwindsDiagnostics*.exe"
64 )
65'''
66note = """## Triage and analysis
67
68> **Disclaimer**:
69> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
70
71### Investigating Command Execution via SolarWinds Process
72
73SolarWinds is a widely used IT management tool that can be targeted by adversaries to execute unauthorized commands. Attackers may exploit SolarWinds processes to launch command-line interpreters like Cmd.exe or Powershell.exe, potentially leading to system compromise. The detection rule identifies suspicious child processes initiated by specific SolarWinds executables, flagging potential misuse by correlating process start events with known SolarWinds parent processes. This helps in early detection of malicious activities leveraging SolarWinds for command execution.
74
75### Possible investigation steps
76
77- Review the alert details to identify the specific SolarWinds parent process that initiated the suspicious child process (Cmd.exe or Powershell.exe) and note the exact executable name and path.
78- Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications.
79- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse.
80- Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands.
81- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior.
82- Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures.
83
84### False positive analysis
85
86- Routine administrative tasks using SolarWinds may trigger the rule when legitimate scripts are executed via Cmd.exe or Powershell.exe. Users can create exceptions for known maintenance scripts or tasks that are regularly scheduled and verified as safe.
87- Automated updates or patches initiated by SolarWinds processes might be flagged. To mitigate this, users should whitelist specific update processes or scripts that are part of the regular update cycle.
88- Monitoring or diagnostic activities performed by IT staff using SolarWinds tools can result in false positives. Establish a baseline of normal activities and exclude these from alerts by identifying and documenting regular diagnostic commands.
89- Custom scripts developed for internal use that leverage SolarWinds processes could be misidentified as threats. Ensure these scripts are reviewed and approved, then add them to an exception list to prevent unnecessary alerts.
90- Third-party integrations with SolarWinds that require command execution might be mistakenly flagged. Verify the legitimacy of these integrations and exclude their associated processes from detection rules.
91
92### Response and remediation
93
94- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
95- Terminate any suspicious child processes such as Cmd.exe or Powershell.exe that were initiated by the identified SolarWinds parent processes.
96- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
97- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
98- Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.
99- Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes.
100- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network."""
101
102
103[[rule.threat]]
104framework = "MITRE ATT&CK"
105[[rule.threat.technique]]
106id = "T1059"
107name = "Command and Scripting Interpreter"
108reference = "https://attack.mitre.org/techniques/T1059/"
109[[rule.threat.technique.subtechnique]]
110id = "T1059.001"
111name = "PowerShell"
112reference = "https://attack.mitre.org/techniques/T1059/001/"
113
114[[rule.threat.technique.subtechnique]]
115id = "T1059.003"
116name = "Windows Command Shell"
117reference = "https://attack.mitre.org/techniques/T1059/003/"
118
119
120
121[rule.threat.tactic]
122id = "TA0002"
123name = "Execution"
124reference = "https://attack.mitre.org/tactics/TA0002/"
125[[rule.threat]]
126framework = "MITRE ATT&CK"
127[[rule.threat.technique]]
128id = "T1195"
129name = "Supply Chain Compromise"
130reference = "https://attack.mitre.org/techniques/T1195/"
131[[rule.threat.technique.subtechnique]]
132id = "T1195.002"
133name = "Compromise Software Supply Chain"
134reference = "https://attack.mitre.org/techniques/T1195/002/"
135
136
137
138[rule.threat.tactic]
139id = "TA0001"
140name = "Initial Access"
141reference = "https://attack.mitre.org/tactics/TA0001/"
Triage and analysis
Disclaimer: This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
Investigating Command Execution via SolarWinds Process
SolarWinds is a widely used IT management tool that can be targeted by adversaries to execute unauthorized commands. Attackers may exploit SolarWinds processes to launch command-line interpreters like Cmd.exe or Powershell.exe, potentially leading to system compromise. The detection rule identifies suspicious child processes initiated by specific SolarWinds executables, flagging potential misuse by correlating process start events with known SolarWinds parent processes. This helps in early detection of malicious activities leveraging SolarWinds for command execution.
Possible investigation steps
- Review the alert details to identify the specific SolarWinds parent process that initiated the suspicious child process (Cmd.exe or Powershell.exe) and note the exact executable name and path.
- Examine the timeline of events around the process start event to identify any preceding or subsequent suspicious activities, such as unusual network connections or file modifications.
- Check the user account associated with the process execution to determine if it aligns with expected behavior or if it indicates potential compromise or misuse.
- Investigate the command line arguments used by the child process to assess if they contain any malicious or unexpected commands.
- Correlate the event with other security logs and alerts from data sources like Microsoft Defender for Endpoint or Sysmon to gather additional context and identify potential patterns of malicious behavior.
- Assess the system's current state for any indicators of compromise, such as unauthorized changes to system configurations or the presence of known malware signatures.
False positive analysis
- Routine administrative tasks using SolarWinds may trigger the rule when legitimate scripts are executed via Cmd.exe or Powershell.exe. Users can create exceptions for known maintenance scripts or tasks that are regularly scheduled and verified as safe.
- Automated updates or patches initiated by SolarWinds processes might be flagged. To mitigate this, users should whitelist specific update processes or scripts that are part of the regular update cycle.
- Monitoring or diagnostic activities performed by IT staff using SolarWinds tools can result in false positives. Establish a baseline of normal activities and exclude these from alerts by identifying and documenting regular diagnostic commands.
- Custom scripts developed for internal use that leverage SolarWinds processes could be misidentified as threats. Ensure these scripts are reviewed and approved, then add them to an exception list to prevent unnecessary alerts.
- Third-party integrations with SolarWinds that require command execution might be mistakenly flagged. Verify the legitimacy of these integrations and exclude their associated processes from detection rules.
Response and remediation
- Immediately isolate the affected system from the network to prevent further unauthorized command execution and potential lateral movement.
- Terminate any suspicious child processes such as Cmd.exe or Powershell.exe that were initiated by the identified SolarWinds parent processes.
- Conduct a thorough review of the affected system's logs and configurations to identify any unauthorized changes or additional indicators of compromise.
- Restore the system from a known good backup if any unauthorized changes or malicious activities are confirmed.
- Update and patch the SolarWinds software and any other vulnerable applications on the affected system to mitigate known vulnerabilities.
- Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess the potential impact on the broader network.
References
Related rules
- Potential Foxmail Exploitation
- ScreenConnect Server Spawning Suspicious Processes
- Web Shell Detection: Script Process Child of Common Web Processes
- Suspicious MS Office Child Process
- Suspicious PDF Reader Child Process