Detection rules › Splunk
Sunburst Correlation DLL and Network Event
The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1203 Exploitation for Client Execution |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 7 | Image loaded |
| Sysmon | 22 | DNSEvent (DNS query) |
Stages and Predicates
Stage 1: search
search ((EventCode=22 QueryName="*avsvmcloud.com") OR (EventCode=7 ImageLoaded="*SolarWinds.Orion.Core.BusinessLayer.dll"))
Stage 2: eventstats
eventstats dc(EventCode) AS dc_events
Stage 3: where
where dc_events=2
Stage 4: stats
stats BY Image, ImageLoaded, dest, loaded_file, loaded_file_path, original_file_name, process_exec, process_guid, process_hash, process_id, process_name, process_path, service_dll_signature_exists, service_dll_signature_verified, signature, signature_id, user_id, vendor_product
Stage 5: search
search
Stage 6: search
search
Stage 7: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
EventCode | eq |
|
ImageLoaded | eq |
|
QueryName | eq |
|
dc_events | eq |
|