Suspicious SolarWinds Child Process

A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.

Elastic rule (View on GitHub)

[metadata]
# Dates follow the Elastic rules repository's YYYY/MM/DD string convention
# (quoted strings, not native TOML dates).
creation_date = "2020/12/14"
# Integration whose data streams this rule reads; see `index` under [rule].
integration = ["endpoint"]
# Lifecycle stage of the rule.
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs."
# Triage guidance: legitimate SolarWinds helpers do spawn from the BusinessLayerHost,
# so an analyst should check what the child actually did (network, file writes)
# before closing an alert.
false_positives = [
    "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
]
# Lookback window per rule execution, measured against the `timestamp_override` field below.
from = "now-9m"
# Process events from Elastic Defend (logs-endpoint.events.process-*) and Elastic Endgame.
index = ["logs-endpoint.events.process-*", "endgame-*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious SolarWinds Child Process"
# FireEye's SUNBURST write-up and Mandiant's "suspicious child processes" methodology IOC,
# which the query below mirrors.
references = [
    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
]
# 47 is the conventional score for severity = "medium" in Elastic prebuilt rules;
# keep `risk_score` and `severity` in step when changing either.
risk_score = 47
rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
# Rendered as setup guidance in the UI. Explains why `timestamp_override` needs
# `event.ingested` to be populated on non-agent indices older than 8.2.
setup = """## Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Execution",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
]
# Evaluate against ingest time rather than @timestamp so late-arriving events still fall
# inside the `from` window; see `setup` for the pre-8.2 caveat.
timestamp_override = "event.ingested"
type = "eql"

# Detection logic (EQL):
#  * Parent must be the SolarWinds BusinessLayerHost service (or its x64 variant). The `:`
#    operator is a case-insensitive match and accepts `*` / `?` wildcards.
#  * The first `not (...)` suppresses a child only when it is BOTH a known SolarWinds/Windows
#    helper by name AND carries a trusted code signature, so an unsigned or renamed binary
#    using one of the listed names still alerts.
#  * The final `not process.executable : (...)` excludes three SysWOW64 tools by path alone,
#    with no signature condition (`?:` matches any drive letter). NOTE(review): confirm that
#    is intended; pairing it with `process.code_signature.trusted == true` would close the gap
#    if it is not.
#  * Backslashes are doubled because EQL strings treat `\` as an escape; the TOML literal
#    string (''') passes them through verbatim.
query = '''
process where host.os.type == "windows" and event.type == "start" and
 process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
 not (
    process.name : (
        "APMServiceControl*.exe",
        "ExportToPDFCmd*.Exe",
        "SolarWinds.Credentials.Orion.WebApi*.exe",
        "SolarWinds.Orion.Topology.Calculator*.exe",
        "Database-Maint.exe",
        "SolarWinds.Orion.ApiPoller.Service.exe",
        "WerFault.exe",
        "WerMgr.exe",
        "SolarWinds.BusinessLayerHost.exe",
        "SolarWinds.BusinessLayerHostx64.exe",
        "SolarWinds.Topology.Calculator.exe",
        "SolarWinds.Topology.Calculatorx64.exe",
        "SolarWinds.APM.RealTimeProcessPoller.exe") and
    process.code_signature.trusted == true
 ) and
 not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
'''


# One [[rule.threat]] element per ATT&CK tactic. The [[rule.threat.technique]] and
# [rule.threat.tactic] headers that follow attach to this element (TOML binds a
# sub-table header to the most recently opened array element).
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"


# Tactic for this element; matches the "Tactic: Execution" tag under [rule].
[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
# Second threat element: the supply-chain context (SUNBURST) rather than the execution
# behaviour itself. Its technique/sub-technique/tactic headers below belong to this element.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1195"
name = "Supply Chain Compromise"
reference = "https://attack.mitre.org/techniques/T1195/"
# Sub-technique nested under the T1195 technique above.
[[rule.threat.technique.subtechnique]]
id = "T1195.002"
name = "Compromise Software Supply Chain"
reference = "https://attack.mitre.org/techniques/T1195/002/"



[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
