Command Execution via SolarWinds Process
A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.
[metadata]
creation_date = "2020/12/14"
# Integrations whose process-start events land in the indices enumerated
# under [rule].index (endpoint, windows/sysmon, system, MDE, SentinelOne).
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
# NOTE(review): bump updated_date whenever the query or index list in [rule] changes.
updated_date = "2024/10/15"
# Pinned to 8.14.0 because of the Windows integration breaking change described
# in min_stack_comments; the rule is not expected to load on older stacks.
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

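[rule]
author = ["Elastic"]
description = "A suspicious SolarWinds child process (cmd.exe, powershell.exe or pwsh.exe) was detected."
# This is a parent/child process-tree detection. Parent-based matching can be
# evaded by PPID spoofing, so an alert (or its absence) should be corroborated
# with the child's command line, network connections and file writes rather
# than treated as conclusive on its own.
false_positives = [
    "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
]
# Look-back window per run; combined with timestamp_override on event.ingested
# so events that arrive late (e.g. forwarded logs) are still evaluated.
from = "now-9m"
# Every source that emits a process "start" event for Windows hosts; keep in
# sync with [metadata].integration when adding a data source.
index = [
    "winlogbeat-*",
    "logs-endpoint.events.process-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Command Execution via SolarWinds Process"
references = [
    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
]
risk_score = 47
rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Tactic: Initial Access",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic:
# - `:` is EQL's case-insensitive, wildcard-aware comparison; the parent
#   patterns rely on the trailing `*` to match versioned/suffixed SolarWinds
#   binaries (e.g. "NetFlowService<ver>.exe").
# - pwsh.exe (PowerShell 7) is matched alongside powershell.exe: it is the
#   same interpreter family (T1059.001) and would otherwise be a trivial bypass
#   of a rule that only names the Windows PowerShell host.
# - Only process "start" events are considered, so a shell that is already
#   running when the parent is compromised will not fire this rule.
# NOTE(review): the parent list does not include the Orion platform's main
# service host. Confirm that omission is an intentional false-positive
# trade-off (those processes can legitimately spawn shells) rather than a gap.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name: ("cmd.exe", "powershell.exe", "pwsh.exe") and
  process.parent.name: (
    "ConfigurationWizard*.exe",
    "NetflowDatabaseMaintenance*.exe",
    "NetFlowService*.exe",
    "SolarWinds.Administration*.exe",
    "SolarWinds.Collector.Service*.exe",
    "SolarwindsDiagnostics*.exe"
  )
'''
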
64
# Execution mapping: the two child interpreters matched by the query map to
# the PowerShell (T1059.001) and Windows Command Shell (T1059.003) sub-techniques.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"


# Tactic for this threat entry; must stay after its technique tables so it
# attaches to the same [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Initial Access mapping: the parents in the query are SolarWinds components,
# so a shell spawned from them is treated as a possible foothold obtained via a
# compromised software supply chain (the SUNBURST scenario in the references).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"


# Tactic for this threat entry; kept after the technique tables so it belongs
# to this second [[rule.threat]] element, not the first.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"