Detection rules › Kusto Query Language
SUNBURST network beacons
Identifies SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Execution | T1059 Command and Scripting Interpreter |
| Persistence | T1546 Event Triggered Execution |
| Privilege Escalation | T1546 Event Triggered Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 3 | Network connection |
| Security-Auditing | 5156 | The Windows Filtering Platform has permitted a connection. |
| Defender-DeviceNetworkEvents | 9004001 | Connection succeeded |
Stages and Predicates
Stage 1: source
DeviceNetworkEvents
Stage 2: where
ActionType eq "ConnectionSuccess"
Stage 3: where
RemoteUrl eq "SunburstURL"
Stage 4: extend
Stage 5: extend
Stage 6: extend
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
ActionType | eq |
|
RemoteUrl | in |
|