Suspicious SolarWinds Child Process
Identifies processes started by the SolarWinds Orion Business Layer host (SolarWinds.BusinessLayerHost.exe / SolarWinds.BusinessLayerHostx64.exe) that are not on the rule's short allow-list of expected, trusted-signed children. Unexpected children of this host process are one of the post-compromise behaviors described in the SUNBURST reporting the rule references, and may indicate an attempt to execute malicious programs.
[metadata]
creation_date = "2020/12/14"
# The rule query below depends on process.code_signature.*; the "endpoint" (Elastic Defend)
# integration is the declared source for that data. NOTE(review): verify that every other
# index the rule reads (endgame-* in [rule].index) also populates those fields.
integration = ["endpoint"]
maturity = "production"
updated_date = "2024/05/21"
6
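[rule]
author = ["Elastic"]
description = "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs."
false_positives = [
 "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
]
# 9-minute look-back window. Because timestamp_override = "event.ingested" (below), the
# window is evaluated on ingest time, which is why the setup text requires event.ingested
# to be populated for non-agent indices.
from = "now-9m"
index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious SolarWinds Child Process"
references = [
 "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
]
risk_score = 47
rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
 "Domain: Endpoint",
 "OS: Windows",
 "Use Case: Threat Detection",
 "Tactic: Execution",
 "Data Source: Elastic Endgame",
 "Data Source: Elastic Defend",
]
timestamp_override = "event.ingested"
type = "eql"

# Detection logic: alert on any process whose parent is the Orion Business Layer host
# (the process the SUNBURST references above concern) unless it is an expected child.
#
# Both exclusions require process.code_signature.trusted == true, so a binary that merely
# reuses an expected file name or path is not silently allow-listed. The three SysWOW64
# paths were previously excluded by path alone, with no signature check, which made that
# exclusion weaker than the named-process list directly above it; they now carry the same
# signature requirement (the named list already relies on catalog-signed Windows binaries
# such as WerFault.exe reporting trusted == true, so the assumption is not new).
#
# Tuning caveats:
#  - trusted == true only means the signature chains to a trusted root; it does not pin
#    the publisher. The wildcard entries (APMServiceControl*.exe, ExportToPDFCmd*.Exe,
#    SolarWinds.Credentials.Orion.WebApi*.exe, SolarWinds.Orion.Topology.Calculator*.exe)
#    would therefore also match an attacker-signed binary sharing that prefix. Adding a
#    process.code_signature.subject_name condition for the expected SolarWinds / Microsoft
#    signers is recommended once the exact subject strings seen in your data are confirmed.
#  - If a data source does not populate process.code_signature.trusted (TODO confirm for
#    the endgame-* index), neither exclusion can match and every child of
#    BusinessLayerHost will alert.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
 not (
 process.name : (
 "APMServiceControl*.exe",
 "ExportToPDFCmd*.Exe",
 "SolarWinds.Credentials.Orion.WebApi*.exe",
 "SolarWinds.Orion.Topology.Calculator*.exe",
 "Database-Maint.exe",
 "SolarWinds.Orion.ApiPoller.Service.exe",
 "WerFault.exe",
 "WerMgr.exe",
 "SolarWinds.BusinessLayerHost.exe",
 "SolarWinds.BusinessLayerHostx64.exe",
 "SolarWinds.Topology.Calculator.exe",
 "SolarWinds.Topology.Calculatorx64.exe",
 "SolarWinds.APM.RealTimeProcessPoller.exe") and
 process.code_signature.trusted == true
 ) and
 not (
 process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe") and
 process.code_signature.trusted == true
 )
'''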
66
67
# ATT&CK mapping 1 of 2: the alerted event is a process start under the Execution tactic,
# recorded here as Native API (T1106).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"


[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# ATT&CK mapping 2 of 2: the SolarWinds Orion compromise the references describe is a
# software supply-chain compromise (T1195.002) used for Initial Access.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
References
Related rules
- Command Shell Activity Started via RunDLL32
- Conhost Spawned By Suspicious Parent Process
- Execution of File Written or Modified by PDF Reader
- Execution via local SxS Shared Module
- Microsoft Build Engine Using an Alternate Name