SolarWinds has revealed that monitoring products it released earlier this year were tampered with in a supply chain attack. This blog post gives an overview of the detection methods and IOCs available for detecting and preventing the SolarWinds attack.
In a security advisory, SolarWinds confirmed the supply chain attack: threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software, which was released between March and June 2020.
This post covers multiple Microsoft products and the detection options they offer based on the IOCs. The following topics are described:
- Defender for Endpoint Threat Analytics report
- Detection with Azure Sentinel KQL
- Microsoft cloud-delivered protection
- Enable and monitor ASR
Domain
Microsoft has taken multiple measures against the SolarWinds attack: it acquired a domain used by the attackers and adjusted the protections in Microsoft Defender.
In collaboration with several other companies, Microsoft now owns the domain avsvmcloud[.]com, which served as the command and control server for the backdoor delivered to around 18,000 SolarWinds customers.
Use Indicators of Compromise for the SolarWinds attack
US DHS CISA, Microsoft, and FireEye have shared Indicators of Compromise for the SolarWinds attack. With the Microsoft Security / E5 security tooling it is possible to detect these indicators.
Command and Control
avsvmcloud[.]com
Malicious instances of SolarWinds.Orion.Core.BusinessLayer.dll
SHA256 | File version | Date first seen
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 | 2019.4.5200.9083 | March 2020
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b | 2020.2.100.12219 | March 2020
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed | 2020.2.100.11831 | March 2020
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 | Not available | March 2020
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c | 2020.4.100.478 | April 2020
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 | 2020.2.5200.12394 | April 2020
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 | 2020.2.5300.12432 | May 2020
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc | 2019.4.5200.8890 | October 2019
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af | 2019.4.5200.8890 | October 2019
Azure Sentinel detections
Microsoft published multiple detections to Azure Sentinel that provide signals for post-compromise techniques. With Sentinel, it is possible to use the KQL query below for the detection logic based on the shared IOCs.
- Anomalous Azure Active Directory PowerShell behavior
- Modified domain federation trust settings
- New access credential added to OAuth Application or Service Principal
Some useful Sentinel hunting detections:
- SolarWinds TEARDROP memory-only dropper IOCs in Windows Defender Exploit Guard activity
- SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents
- SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents
- Suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
- Detecting SolarWinds SUNBURST IOC, from Microsoft Defender for Endpoint and Azure Sentinel
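The hash and domain hunts listed above, as an added example (not a query from the original post or from Microsoft): it matches the SUNBURST DLL hashes from the IOC table and the avsvmcloud[.]com C2 domain against the Defender for Endpoint tables in Sentinel. The 90-day lookback is an assumption.

```kql
// Added example, not a query from the original post or from Microsoft:
// match the SUNBURST file-hash and C2-domain IOCs listed above against
// the Defender for Endpoint tables in Azure Sentinel / advanced hunting.
let SunburstDllHashes = dynamic([
    "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
    "dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b",
    "eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed",
    "c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77",
    "ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c",
    "019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
    "ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
    "a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc",
    "d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af"]);
let SunburstC2Domain = "avsvmcloud.com";
let Lookback = 90d;   // assumption: adjust to the retention you have
// Trojanized DLL created, renamed or otherwise seen on disk
let FileHits = DeviceFileEvents
    | where Timestamp > ago(Lookback)
    | where SHA256 in (SunburstDllHashes)
    | project Timestamp, DeviceName, Indicator = "SUNBURST DLL hash",
              FileName, FolderPath, SHA256, InitiatingProcessFileName;
// Beacons to the C2 domain or any subdomain of it
let NetworkHits = DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where RemoteUrl has SunburstC2Domain
    | project Timestamp, DeviceName, Indicator = "SUNBURST C2 domain",
              FileName = InitiatingProcessFileName,
              FolderPath = InitiatingProcessFolderPath,
              SHA256 = InitiatingProcessSHA256, RemoteUrl, RemoteIP;
// One row per device, indicator and file, with first/last sighting
union FileHits, NetworkHits
| summarize Hits = count(), FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp), Urls = make_set(RemoteUrl, 10)
  by DeviceName, Indicator, FileName, FolderPath, SHA256
| order by FirstSeen asc
```

A device that appears under both indicators (the trojanized DLL on disk and beacons to the domain from SolarWinds.BusinessLayerHost.exe) is the strongest signal; a hash hit alone shows the backdoored build was installed, not necessarily that it was activated.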
Workbook:
Sources: Azurecloudai.blog, Kustoking.com
Microsoft Defender
Microsoft Defender provides detection for the threat components under the following detection name: Trojan:MSIL/Solorigate.BR!dha
Microsoft Defender Antivirus automatically removes these threats when it detects them. Make sure cloud-delivered protection is enabled or the latest antimalware definitions are installed. Below is the configuration for cloud-delivered protection:
Use Microsoft Endpoint Manager to turn on cloud-delivered protection:
- Go to Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and log in.
- Choose Endpoint security -> Antivirus
- Select an antivirus profile, or create a new one
- Select properties and expand Cloud protection
- Set Turn on cloud-delivered protection to Yes
- Configure the cloud protection level:
  - High: applies a strong level of detection.
  - High plus: uses the High level and applies additional protection measures (may impact client performance).
  - Zero tolerance: blocks all unknown executables.
To activate cloud-delivered protection with PowerShell:
- Set-MpPreference -MAPSReporting Advanced
- Set-MpPreference -SubmitSamplesConsent SendAllSamples
More information about the activation methods: Microsoft.com
Alerts with the following titles in the Microsoft Defender Security Center portal can indicate this activity on your network. All of these alerts relate to the supply chain attack.
- SolarWinds Malicious binaries associated with a supply chain attack
- SolarWinds Compromised binaries associated with a supply chain attack
- Network traffic to domains associated with a supply chain attack
Microsoft Defender for Endpoint Threat Analytics report
Microsoft published an Analytics report inside Microsoft Defender for Endpoint. The report provides information in three sections: overview, mitigations and analyst report. To get to the Analytics report:
- Go to securitycenter.microsoft.com
- Go to Dashboards -> Threat Analytics
- Open the threat Solorigate supply chain attack. Direct link: https://securitycenter.microsoft.com/threatanalytics3/2b74f636-146e-48dd-94f6-5cb5132467ca/overview
- Open the analytics report to view the executive summary and analysis. Microsoft observed seven SolarWinds.Orion.Core.BusinessLayer.dll DLL files.
For advanced hunting queries, view the Analyst report: click the Analyst report button inside the threat analytics overview.
Enable ASR
One of the mitigations from the analyst report is to enable the attack surface reduction rule "Block executable files from running unless they meet a prevalence, age, or trusted list criterion" to reduce the impact of the threat. This ASR rule blocks executable files (such as .exe, .dll and .scr) from launching unless they meet the prevalence or age criteria.
From the security center portal you can find the impact of the reduction rule. To open the user impact view:
- Open securitycenter.microsoft.com
- Go to Threat & Vulnerability Management and open the security recommendations
- Search for the security recommendation: Block executable files from running unless they meet a prevalence, age, or trusted list criterion
- On the detail page you can find the recommendation insights and the user impact. The user impact is based on sensor telemetry analysis.
Enabling the rule with Microsoft Endpoint Manager
- Enabling the ASR rule is possible with Microsoft Endpoint Manager. Open the Microsoft Endpoint Manager portal
- Go to Endpoint Security -> Attack Surface Reduction
- Create a new profile based on the policy type: Attack Surface Reduction rules
- The ASR rule is listed in the profile configuration settings. It is possible to run the rule in audit mode first.
For ASR detection, multiple ASR KQL queries are available to investigate the events.
This basic KQL query gives an overview of all the action types and the total number of events.
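The overview query described above, as an added example that is not the post's own query: it counts Defender for Endpoint ASR events per action type and goes one step further by splitting them into audit and block mode, so the impact of the prevalence/age rule can be judged before it is moved out of audit mode. The 30-day window is an assumption.

```kql
// Added example, not the original post's query: per-action-type overview
// of Defender for Endpoint ASR events, split into audit ("would have
// blocked") and block (enforced) mode, so the impact of a rule such as
// "Block executable files from running unless they meet a prevalence,
// age, or trusted list criterion" can be judged before it is switched
// from audit to block mode.
DeviceEvents
| where Timestamp > ago(30d)          // assumption: 30-day review window
| where ActionType startswith "Asr"   // all ASR rule events
| extend Mode = case(ActionType endswith "Audited", "audit",
                     ActionType endswith "Blocked", "block",
                     "other")
| summarize Events = count(),
            Devices = dcount(DeviceName),
            SampleFiles = make_set(FileName, 10)   // what the rule hit
  by ActionType, Mode
| order by Events desc
```

A large number of audit events for the prevalence/age rule spread over many devices means the rule would disrupt users if enforced as-is, and the SampleFiles column shows which business applications would need an exclusion first.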

Sources
Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks
Microsoft: Important steps for customers to protect themselves from recent nation-state cyberattacks
Solarwinds: SolarWinds Security Advisory
Microsoft: SolarWinds Post-Compromise Hunting with Azure Sentinel