Command Execution via SolarWinds Process
A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.
# Rule housekeeping. `integration` names the Elastic integrations whose data
# streams appear in the [rule] index list (endpoint, windows, system).
[metadata]
creation_date = "2020/12/14"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2024/05/21"
6
[rule]
author = ["Elastic"]
description = "A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected."
false_positives = [
 "Trusted SolarWinds child processes. Verify process details such as network connections and file writes.",
]
# Lookback window. Because timestamp_override below points at event.ingested,
# this window is measured against ingest time rather than the event's own @timestamp.
from = "now-9m"
# Process-start sources: Winlogbeat, Elastic Defend, the windows and system
# integrations, and Elastic Endgame. See `setup` for the pre-8.2 beats caveat.
index = [
 "winlogbeat-*",
 "logs-endpoint.events.process-*",
 "logs-windows.*",
 "endgame-*",
 "logs-system.security*",
]
language = "eql"
license = "Elastic License v2"
name = "Command Execution via SolarWinds Process"
# Public reporting on the SUNBURST supply-chain compromise that motivated this rule.
references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20FILEWRITES%20(METHODOLOGY).ioc",
]
risk_score = 47
rule_id = "d72e33fc-6e91-42ff-ac8b-e573268c5a87"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
 "Tactic: Initial Access",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
]
# Evaluate `from` against ingest time; the `setup` text explains when this
# field must be populated by a custom pipeline.
timestamp_override = "event.ingested"
type = "eql"

# Fires on a Windows process start of cmd.exe or powershell.exe whose parent
# image name matches one of the SolarWinds binaries listed below. The `:` operator
# is case-insensitive and the `*` wildcards allow version-suffixed file names.
# The parent is identified by image name alone (no path or code-signature
# constraint), which is why `false_positives` asks to verify process details.
# NOTE(review): PowerShell 7 (pwsh.exe) is not in the process.name list;
# confirm that only the Windows PowerShell host is intended.
query = '''
process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
process.parent.name: (
 "ConfigurationWizard*.exe",
 "NetflowDatabaseMaintenance*.exe",
 "NetFlowService*.exe",
 "SolarWinds.Administration*.exe",
 "SolarWinds.Collector.Service*.exe",
 "SolarwindsDiagnostics*.exe"
 )
'''
62
63
# First ATT&CK mapping: T1059 with the PowerShell and Windows Command Shell
# sub-techniques, under the Execution tactic (matches the "Tactic: Execution" tag).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"



# Tactic for the [[rule.threat]] element opened above.
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Second ATT&CK mapping: T1195.002 under Initial Access (matches the
# "Tactic: Initial Access" tag), reflecting the supply-chain origin described in `references`.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"



# Tactic for the [[rule.threat]] element opened above.
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
References
Related rules
- Microsoft Exchange Worker Spawning Suspicious Processes
- ScreenConnect Server Spawning Suspicious Processes
- Suspicious Explorer Child Process
- Suspicious MS Office Child Process
- Suspicious PDF Reader Child Process