Detection rules › Kusto Query Language
SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events To use this analytics rule, make sure you have deployed the ASIM normalization parsers References: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1195 Supply Chain Compromise |
| Execution | T1059 Command and Scripting Interpreter |
| Persistence | T1546 Event Triggered Execution |
| Privilege Escalation | T1546 Event Triggered Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 11 | FileCreate |
| Sysmon | 23 | FileDelete (File Delete archived) |
| Sysmon | 26 | FileDeleteDetected (File Delete logged) |
| Security-Auditing | 4663 | An attempt was made to access an object. |
Stages and Predicates
Stage 1: source
imFileEvent
Stage 2: where
or
TargetFileMD5 eq "SunburstMD5"
TargetFileMD5 eq "SupernovaMD5"
Stage 3: extend
Stage 4: extend
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
TargetFileMD5 | in |
|