Command Execution via SolarWinds Process

calendar May 22, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Execution Tactic: Initial Access Data Source: Elastic Endgame Data Source: Elastic Defend  ·
Share on: linkedin copy

A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.

Elastic rule (View on GitHub)

  1[metadata]
  2creation_date = "2020/12/14"
  3integration = ["endpoint", "windows", "system"]
  4maturity = "production"
  5updated_date = "2024/05/21"
  6
  7[rule]
  8author = ["Elastic"]
  9description = "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected."
 10false_positives = [
 11    "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
 12]
 13from = "now-9m"
 14index = [
 15    "winlogbeat-*",
 16    "logs-endpoint.events.process-*",
 17    "logs-windows.*",
 18    "endgame-*",
 19    "logs-system.security*",
 20]
 21language = "eql"
 22license = "Elastic License v2"
 23name = "Command Execution via SolarWinds Process"
 24references = [
 25    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 26    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
 27]
 28risk_score = 47
 29rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
 30setup = """## Setup
 31
 32If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 33events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 34Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 35`event.ingested` to @timestamp.
 36For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 37"""
 38severity = "medium"
 39tags = [
 40    "Domain: Endpoint",
 41    "OS: Windows",
 42    "Use Case: Threat Detection",
 43    "Tactic: Execution",
 44    "Tactic: Initial Access",
 45    "Data Source: Elastic Endgame",
 46    "Data Source: Elastic Defend",
 47]
 48timestamp_override = "event.ingested"
 49type = "eql"
 50
 51query = '''
 52process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
 53process.parent.name: (
 54     "ConfigurationWizard*.exe",
 55     "NetflowDatabaseMaintenance*.exe",
 56     "NetFlowService*.exe",
 57     "SolarWinds.Administration*.exe",
 58     "SolarWinds.Collector.Service*.exe",
 59     "SolarwindsDiagnostics*.exe"
 60     )
 61'''
 62
 63
 64[[rule.threat]]
 65framework = "MITRE ATT&CK"
 66[[rule.threat.technique]]
 67id = "T1059"
 68name = "Command and Scripting Interpreter"
 69reference = "https://attack.mitre.org/techniques/T1059/"
 70[[rule.threat.technique.subtechnique]]
 71id = "T1059.001"
 72name = "PowerShell"
 73reference = "https://attack.mitre.org/techniques/T1059/001/"
 74
 75[[rule.threat.technique.subtechnique]]
 76id = "T1059.003"
 77name = "Windows Command Shell"
 78reference = "https://attack.mitre.org/techniques/T1059/003/"
 79
 80
 81
 82[rule.threat.tactic]
 83id = "TA0002"
 84name = "Execution"
 85reference = "https://attack.mitre.org/tactics/TA0002/"
 86[[rule.threat]]
 87framework = "MITRE ATT&CK"
 88[[rule.threat.technique]]
 89id = "T1195"
 90name = "Supply Chain Compromise"
 91reference = "https://attack.mitre.org/techniques/T1195/"
 92[[rule.threat.technique.subtechnique]]
 93id = "T1195.002"
 94name = "Compromise Software Supply Chain"
 95reference = "https://attack.mitre.org/techniques/T1195/002/"
 96
 97
 98
 99[rule.threat.tactic]
100id = "TA0001"
101name = "Initial Access"
102reference = "https://attack.mitre.org/tactics/TA0001/"

References

Related rules

to-top