Command Execution via SolarWinds Process
A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.
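[metadata]
creation_date = "2020/12/14"
# Integrations whose indices are listed under [rule].index below; keep the
# two lists in step when a data source is added or dropped.
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2024/10/31"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
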
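[rule]
author = ["Elastic"]
description = "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected."
# Triage note: a legitimate SolarWinds component can also spawn a shell, so an
# alert on its own is not conclusive; pivot on what the child process did next.
false_positives = [
    "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
]
# Lookback window for each scheduled run; see timestamp_override below.
from = "now-9m"
# Process-start telemetry from the integrations named in metadata.integration,
# plus Winlogbeat and Endgame. The query filters on host.os.type, so any
# non-Windows events in these indices are excluded at query time.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Command Execution via SolarWinds Process"
# Background on SUNBURST, the SolarWinds supply-chain compromise this rule was
# written against; the parent-process list in the query appears to derive from
# that research.
references = [
    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
]
risk_score = 47
rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
]
# Measure the lookback against ingest time rather than event time, so events
# that arrive late are still evaluated by a scheduled run.
timestamp_override = "event.ingested"
type = "eql"

# Fires on a shell (cmd.exe or Windows PowerShell) started by one of the listed
# SolarWinds executables. The parent names use `*` wildcards so suffixed
# binary names still match. pwsh.exe (PowerShell 7) is not in the process.name
# list, so that interpreter is outside this rule's coverage; widen it
# deliberately if wanted, and update `description` to match.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
process.parent.name: (
 "ConfigurationWizard*.exe",
 "NetflowDatabaseMaintenance*.exe",
 "NetFlowService*.exe",
 "SolarWinds.Administration*.exe",
 "SolarWinds.Collector.Service*.exe",
 "SolarwindsDiagnostics*.exe"
 )
'''
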
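# Two MITRE ATT&CK mappings: the shell spawn itself (Execution / T1059) and
# the reason a SolarWinds parent is of interest (Initial Access / T1195.002).
# Each [rule.threat.tactic] table belongs to the [[rule.threat]] element that
# precedes it and must stay after that element's techniques and before the
# next [[rule.threat]] header.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"

[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"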