Command Execution via SolarWinds Process

A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/14"
 3integration = ["endpoint", "windows", "system"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/01/16"
 8
 9[rule]
10author = ["Elastic"]
11description = "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected."
12false_positives = [
13    "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
14]
15from = "now-9m"
16index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*", "logs-system.security*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Command Execution via SolarWinds Process"
20references = [
21    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
22    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
23]
24risk_score = 47
25rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
26setup = """
27
28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
31`event.ingested` to @timestamp.
32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
33"""
34severity = "medium"
35tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Initial Access", "Data Source: Elastic Endgame", "Data Source: Elastic Defend"]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
41process.parent.name: (
42     "ConfigurationWizard*.exe",
43     "NetflowDatabaseMaintenance*.exe",
44     "NetFlowService*.exe",
45     "SolarWinds.Administration*.exe",
46     "SolarWinds.Collector.Service*.exe",
47     "SolarwindsDiagnostics*.exe"
48     )
49'''
50
51
52[[rule.threat]]
53framework = "MITRE ATT&CK"
54[[rule.threat.technique]]
55id = "T1059"
56name = "Command and Scripting Interpreter"
57reference = "https://attack.mitre.org/techniques/T1059/"
58
59[[rule.threat.technique.subtechnique]]
60id = "T1059.001"
61name = "PowerShell"
62reference = "https://attack.mitre.org/techniques/T1059/001/"
63
64[[rule.threat.technique.subtechnique]]
65id = "T1059.003"
66name = "Windows Command Shell"
67reference = "https://attack.mitre.org/techniques/T1059/003/"
68
69
70[rule.threat.tactic]
71id = "TA0002"
72name = "Execution"
73reference = "https://attack.mitre.org/tactics/TA0002/"
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76[[rule.threat.technique]]
77id = "T1195"
78name = "Supply Chain Compromise"
79reference = "https://attack.mitre.org/techniques/T1195/"
80[[rule.threat.technique.subtechnique]]
81id = "T1195.002"
82name = "Compromise Software Supply Chain"
83reference = "https://attack.mitre.org/techniques/T1195/002/"
84
85
86
87[rule.threat.tactic]
88id = "TA0001"
89name = "Initial Access"
90reference = "https://attack.mitre.org/tactics/TA0001/"

References

Related rules

to-top