SolarWinds has revealed how monitoring products it released earlier this year may have been tampered with in a supply chain attack. In this blog post an overview of detection methods and IOC available for the detection and prevention of the SolarWinds attack.

In a security advisory published by SolarWinds, the company confirmed the supply chain attack, the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020.

In this blog post an overview of multiple Microsoft products and detection options based on the IOC’s. The following topics will be described;

  • Defender for Endpoint Threat Analytics report
  • Detection with Azure Sentinel KQL
  • Microsoft cloud-delivered protection
  • Enable and monitor ASR

Domain

Microsoft takes multiple measures to prevent the hack on SolarWinds. Microsoft makes multiple actions and acquired a domain and make some prevention adjustments to Microsoft Defender.

In collaboration with several other companies, the domain avsmcloud[.]com is now owned by Microsoft. The domain which served as command and control server for the backdoor delivered to around 18.000 SolarWinds customers.

In a security advisory published by SolarWinds, the company confirmed the supply chain attack, the threat actors compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software that was released between March and June 2020.


Use indicators of Compromise for the SolarWinds attack

US DHS CISAMicrosoft, and FireEye have shared Indicators of Compromise for the SolarWinds attack. With multiple Microsoft Security/  E5 security toolings, it is possible to detect the indicators.

Command and Control

avsvmcloud[.]com

Malicious instances of SolarWinds.Orion.Core.BusinessLayer.dll

SHA256 File Version Date first seen
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 2019.4.5200.9083 March 2020
dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b 2020.2.100.12219 March 2020
eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed 2020.2.100.11831 March 2020
c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77 Not available March 2020
ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c 2020.4.100.478 April 2020
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 2020.2.5200.12394 April 2020
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 2020.2.5300.12432 May 2020
a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc 2019.4.5200.8890 October 2019
d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af 2019.4.5200.8890 October 2019

 


Azure Sentinel detections

Microsoft published multiple detections to Azure Sentinel that provide signals for post-compromise techniques. With Sentinel, it is possible to use the KQL query below for the detection logic based on the shared IOCs.

Detections:

Some useful Sentinel hunting detections:

Workbook:

Source:

Azurecloudai.blog
Kustoking.com


Microsoft Defender

Microsoft Defender providers detection for the threat components under the following detection: Trojan:MSIL/Solorigate.BR!dha

Microsoft Defender Antivirus automatically removes the threats as they detect. Make sure you have cloud-delivered protection or the latest antimalware definitions. Below the configuration for the cloud-delivered protection:

Use Microsoft Endpoint Manager to turn on cloud-delivered protection:

  1. Go to Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com) and log in.
  2. Choose Endpoint security -> Antivirus
  3. Select an antivirus profile, or create a new one
  4. Select properties and expand Cloud protection
  5. Change the value; turn on cloud-delivered protection to yes
  6. Configure the cloud protection level
    1. High: Applies a strong level of detection.
    2. High plus: Uses the High level and applies additional protection measures (may impact client performance).
    3. Zero tolerance: Blocks all unknown executables.

For the Powershell cloud-delivered protection activation: 

  • Set-MpPreference -MAPSReporting Advanced
  • Set-MpPreference -SubmitSamplesConsent SendAllSamples

More information about the activation methods: Microsoft.com

Alerts with the following titles in the Microsoft Defender Security Center portal can indicate the activity on your network. All the alerts are based on the supply chain attack.

  • SolarWinds Malicious binaries associated with a supply chain attack
  • SolarWinds Compromised binaries associated with a supply chain attack
  • Network traffic to domains associated with a supply chain attack

Microsoft defender for Endpoint Threat Analytics report

Microsoft published the Analytics reports inside Microsoft Defender for Endpoint. The Analytics report providers information in three sections; overview, mitigations and analyst report. To get the Analytics report:

  1. Go to Securitycenter.microsoft.com
  2. Dashboards – Threat Analytics
  3. Open the threat Solarigate supply chain attack Direct link: https://securitycenter.microsoft.com/threatanalytics3/2b74f636-146e-48dd-94f6-5cb5132467ca/overview
  4. Open the analytics report to view the executive summary and analysis. Microsoft noticed seven SolarWinds.Orion.Core.BusinessLayer.dll DLL files.

For Advanced hunting queries, view the Analyst report. To open the analyst report; click on the button: Analyst report inside the threat analytics overview.


Enable ASR

One of the mitigations from the analyst report is to enable the attack surface education rule; Block executable files from running unless they meet a prevalence, age, or trusted list criterion to reduce the impact of the threat. This ASR rule block executable files ( such as .exe, .dll .scr from launching unless they meet prevalence or age criteria.

From the security center portal, you can find the impact of the reduction rule. For opening the user impact view:

  1. Open securitycenter.microsoft.com
  2. Go to Threat & Vulnerability management and open the security recommendations
  3. Search for the security recommendation; Block executable files from running unless they meet a prevalence, age, or trusted list criterion
  4. On the detail page, you can find the recommendation insights and user impact. The user impact is based on the sensor telemetry analysis.

Enabling the rule with Microsoft Endpoint manager

  1. Enabling the ASR rule is possible with Microsoft Endpoint manager. Open the Microsoft Endpoint manager portal
  2. Go to Endpoint Security – > Attack Surface Reduction
  3. Create a new profile based on the policy type; Attack Surface Reduction rules
  4. In the profile configuration settings, the ASR rule is listed. Of course, it is possible to run the rule first in auditing mode.

For ASR detection, multiple ASR KQL queries are available to investigate the events.

This basic KQL gives an overview of all the action types and a total number of events.

DeviceEvents
| where ActionType startswith ‘Asr’
| summarize NumberOfEvents=count() by ActionType
| sort by NumberOfEvents desc

DeviceEvents | where ActionType startswith ‘Asr’

Sources

Microsoft: Customer Guidance on Recent Nation-State Cyber Attacks

Microsoft: Important steps for customers to protect themselves from recent nation-state cyberattacks

Solarwinds: SolarWinds Security Advisory

Microsoft: SolarWinds Post-Compromise Hunting with Azure Sentinel