Suspicious SolarWinds Child Process

  1[metadata]
  2creation_date = "2020/12/14"
  3integration = ["endpoint", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = "A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs."
 10false_positives = [
 11    "Trusted SolarWinds child processes, verify process details such as network connections and file writes.",
 12]
 13from = "now-9m"
 14index = ["logs-endpoint.events.process-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Suspicious SolarWinds Child Process"
 18note = """## Triage and analysis
 19
 20> **Disclaimer**:
 21> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 22
 23### Investigating Suspicious SolarWinds Child Process
 24
 25SolarWinds is a widely used IT management software that operates critical network and system monitoring functions. Adversaries may exploit its trusted processes to execute unauthorized programs, leveraging its elevated privileges to bypass security controls. The detection rule identifies unusual child processes spawned by SolarWinds' core services, excluding known legitimate operations, to flag potential malicious activity.
 26
 27### Possible investigation steps
 28
 29- Review the details of the triggered alert to identify the specific child process name and executable path that caused the alert.
 30- Check the parent process details, specifically SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, to confirm its legitimacy and ensure it is running from the expected directory.
 31- Investigate the child process's code signature to determine if it is trusted or if there are any anomalies in the signature that could indicate tampering.
 32- Analyze the historical activity of the suspicious child process on the host to identify any patterns or previous instances of execution that could provide context.
 33- Correlate the suspicious process activity with other security events or logs from the same host to identify any related malicious behavior or indicators of compromise.
 34- Consult threat intelligence sources to determine if the suspicious process or executable path is associated with known malware or adversary techniques.
 35
 36### False positive analysis
 37
 38- Legitimate SolarWinds updates or patches may trigger the rule. Ensure that the process code signature is verified as trusted and matches known update signatures.
 39- Custom scripts or tools integrated with SolarWinds for automation purposes might be flagged. Review these processes and add them to the exclusion list if they are verified as safe and necessary for operations.
 40- Third-party plugins or extensions that interact with SolarWinds could be misidentified. Validate these plugins and consider excluding them if they are from a trusted source and essential for functionality.
 41- Scheduled tasks or maintenance activities that involve SolarWinds processes may appear suspicious. Confirm these tasks are part of regular operations and exclude them if they are consistent with expected behavior.
 42- Temporary diagnostic or troubleshooting tools used by IT staff might be detected. Ensure these tools are authorized and add them to the exclusion list if they are frequently used and pose no threat.
 43
 44### Response and remediation
 45
 46- Immediately isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
 47- Terminate any suspicious child processes identified that are not part of the known legitimate operations list, ensuring that no malicious programs continue to execute.
 48- Conduct a thorough review of the affected system's recent activity logs to identify any additional indicators of compromise or unauthorized changes.
 49- Restore the affected system from a known good backup to ensure that any potential malware or unauthorized changes are removed.
 50- Update all SolarWinds software and related components to the latest versions to patch any known vulnerabilities that could be exploited.
 51- Implement enhanced monitoring on the affected system and similar environments to detect any recurrence of suspicious activity, focusing on unusual child processes spawned by SolarWinds services.
 52- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if broader organizational impacts need to be addressed."""
 53references = [
 54    "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html",
 55    "https://github.com/mandiant/sunburst_countermeasures/blob/main/rules/SUNBURST/hxioc/SUNBURST%20SUSPICIOUS%20CHILD%20PROCESSES%20(METHODOLOGY).ioc",
 56]
 57risk_score = 47
 58rule_id = "93b22c0a-06a0-4131-b830-b10d5e166ff4"
 59severity = "medium"
 60tags = [
 61    "Domain: Endpoint",
 62    "OS: Windows",
 63    "Use Case: Threat Detection",
 64    "Tactic: Execution",
 65    "Data Source: Elastic Endgame",
 66    "Data Source: Elastic Defend",
 67    "Data Source: SentinelOne",
 68    "Resources: Investigation Guide",
 69]
 70timestamp_override = "event.ingested"
 71type = "eql"
 72
 73query = '''
 74process where host.os.type == "windows" and event.type == "start" and
 75 process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
 76 not (
 77    process.name : (
 78        "APMServiceControl*.exe",
 79        "ExportToPDFCmd*.Exe",
 80        "SolarWinds.Credentials.Orion.WebApi*.exe",
 81        "SolarWinds.Orion.Topology.Calculator*.exe",
 82        "Database-Maint.exe",
 83        "SolarWinds.Orion.ApiPoller.Service.exe",
 84        "WerFault.exe",
 85        "WerMgr.exe",
 86        "SolarWinds.BusinessLayerHost.exe",
 87        "SolarWinds.BusinessLayerHostx64.exe",
 88        "SolarWinds.Topology.Calculator.exe",
 89        "SolarWinds.Topology.Calculatorx64.exe",
 90        "SolarWinds.APM.RealTimeProcessPoller.exe") and
 91    process.code_signature.trusted == true
 92 ) and
 93 not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
 94'''
 95
 96
 97[[rule.threat]]
 98framework = "MITRE ATT&CK"
 99[[rule.threat.technique]]
100id = "T1106"
101name = "Native API"
102reference = "https://attack.mitre.org/techniques/T1106/"
103
104
105[rule.threat.tactic]
106id = "TA0002"
107name = "Execution"
108reference = "https://attack.mitre.org/tactics/TA0002/"
109[[rule.threat]]
110framework = "MITRE ATT&CK"
111[[rule.threat.technique]]
112id = "T1195"
113name = "Supply Chain Compromise"
114reference = "https://attack.mitre.org/techniques/T1195/"
115[[rule.threat.technique.subtechnique]]
116id = "T1195.002"
117name = "Compromise Software Supply Chain"
118reference = "https://attack.mitre.org/techniques/T1195/002/"
119
120
121
122[rule.threat.tactic]
123id = "TA0001"
124name = "Initial Access"
125reference = "https://attack.mitre.org/tactics/TA0001/"