Detection rules › Kusto Query Language
SUNBURST and SUPERNOVA backdoor hashes
Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Execution | T1059 Command and Scripting Interpreter |
| Persistence | T1546 Event Triggered Execution |
| Privilege Escalation | T1546 Event Triggered Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
| Security-Auditing | 4663 | An attempt was made to access an object. |
| Defender-DeviceFileEvents | 9002000 | File activity (any) |
Stages and Predicates
Stage 1: source
DeviceFileEvents
Stage 2: where
or
MD5 eq "SunburstMD5"
MD5 eq "SupernovaMD5"
Stage 3: extend
Stage 4: extend
Stage 5: extend
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
MD5 | in |
|