In addition to the other indicators mentioned in this directory, there are further indicators to hunt for that may help to:
- Indicate a compromise
- Provide additional insight into the scope of a compromise
The presence of this file may indicate a compromise [1][2]:
- file-path: `c:\windows\syswow64\netsetupsvc.dll`
- pid: 17900
TEARDROP is an in-memory dropper that is believed to execute an augmented Cobalt Strike BEACON. It reads from a fake JPG file, decodes the embedded payload with a rolling XOR algorithm, and loads that embedded payload in memory.
FireEye has published two YARA rules to detect TEARDROP [2]. Behaviors to look for:
- Reads from the file `gracious_truth.jpg`
- Checks the registry key `HKU\SOFTWARE\Microsoft\CTF`
FireEye noted in their report the existence of a consistent named pipe. If you are collecting named-pipe logs you can search for that pipe: `583da945-62af-10e8-4902-a8f205c72b2e`.
If you are using Splunk + Sysmon, the search would be:
```
index=$SYSMON_INDEX$ sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode IN (17,18) PipeName=583da945-62af-10e8-4902-a8f205c72b2e
```
Many resources exist to detect malware beacons; keep in mind that this BEACON has been augmented in some manner. I would recommend checking out RomanEmelyanov's CobaltStrikeForensic repo and ISC SANS: Quick Tip: Cobalt Strike Beacon Analysis. [3][4]
In addition, if you employ Snort, or a technology that can use Snort rules, FireEye has also provided signatures to detect this traffic in `fireeye\sunburst_countermeasures`. [5]
After reviewing the Snort alerts released by FireEye [2], we noticed that some of their triggers may still be useful for those without a Snort installation but with access to web logs. Look for requests where the URL contains:
- `/swip/upd/SolarWinds.CortexPlugin.Components.xml`
- `swip/Upload.ashx`
- `/swip/upd/`
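The following script is an added example (not part of the sunburst-hunting repo or FireEye's countermeasures) that applies the two log-based hunts above without Splunk or Snort: it parses Sysmon pipe events (17/18) for the TEARDROP named pipe, and scans Common Log Format web access lines for the `/swip/` URL triggers. The Sysmon XML records and access-log lines are constructed for the example; only the pipe GUID and URL strings come from the page.

```python
"""Added hunting helper for the TEARDROP named pipe and the SUNBURST /swip/ URL triggers.
Not from the sunburst-hunting repo; sample Sysmon events and web-log lines are constructed."""
import re
import xml.etree.ElementTree as ET

# Indicators as listed on this page (from the FireEye countermeasures).
TEARDROP_PIPE = "583da945-62af-10e8-4902-a8f205c72b2e"
SUNBURST_URL_PATTERNS = [
    "/swip/upd/SolarWinds.CortexPlugin.Components.xml",
    "swip/Upload.ashx",
    "/swip/upd/",
]
# Sysmon event IDs: 17 = Pipe Created, 18 = Pipe Connected.
PIPE_EVENT_IDS = {"17", "18"}
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def sysmon_pipe_hits(xml_events):
    """Return (EventID, Image, PipeName) tuples for Sysmon events 17/18 whose
    PipeName contains the TEARDROP GUID (case-insensitive; the leading
    backslash Sysmon records is ignored by the substring check)."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        event_id = root.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in PIPE_EVENT_IDS:
            continue
        data = {d.get("Name"): (d.text or "")
                for d in root.findall("e:EventData/e:Data", NS)}
        pipe = data.get("PipeName", "")
        if TEARDROP_PIPE in pipe.lower():
            hits.append((int(event_id), data.get("Image", ""), pipe))
    return hits


# Common Log Format: host ident user [timestamp] "METHOD path proto" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def weblog_hits(lines):
    """Return (client, path, matched_pattern) for requests whose path contains
    one of the SUNBURST URL indicators. Patterns are tried longest-first so the
    summary reports the most specific trigger rather than the generic /swip/upd/."""
    hits = []
    patterns = sorted(SUNBURST_URL_PATTERNS, key=len, reverse=True)
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        path = m.group("path")
        for pat in patterns:
            if pat in path:
                hits.append((m.group("host"), path, pat))
                break
    return hits


# Constructed sample data: one matching pipe event, one benign pipe event,
# and one non-pipe event that must be ignored even though it names the pipe.
_EVT = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><EventID>{eid}</EventID></System><EventData>'
        '<Data Name="Image">{image}</Data><Data Name="PipeName">{pipe}</Data>'
        '</EventData></Event>')
SAMPLE_SYSMON = [
    _EVT.format(eid=17, image="C:\\Windows\\System32\\svchost.exe",
                pipe="\\583DA945-62AF-10E8-4902-A8F205C72B2E"),
    _EVT.format(eid=18, image="C:\\Windows\\System32\\lsass.exe", pipe="\\lsass"),
    _EVT.format(eid=1, image="C:\\Windows\\System32\\cmd.exe",
                pipe="\\583da945-62af-10e8-4902-a8f205c72b2e"),
]
SAMPLE_WEBLOG = [
    '10.0.0.5 - - [14/Dec/2020:10:15:32 +0000] "GET /swip/upd/SolarWinds.CortexPlugin.Components.xml HTTP/1.1" 200 512',
    '10.0.0.6 - - [14/Dec/2020:10:16:01 +0000] "POST /swip/Upload.ashx HTTP/1.1" 200 64',
    '10.0.0.7 - - [14/Dec/2020:10:17:44 +0000] "GET /Orion/Login.aspx HTTP/1.1" 200 2048',
    '10.0.0.8 - - [14/Dec/2020:10:18:09 +0000] "GET /swip/upd/other.xml HTTP/1.1" 404 0',
    'not a log line',
]

if __name__ == "__main__":
    for hit in sysmon_pipe_hits(SAMPLE_SYSMON):
        print("TEARDROP pipe:", hit)
    for hit in weblog_hits(SAMPLE_WEBLOG):
        print("SUNBURST URL:", hit)
```

Point `sysmon_pipe_hits` at Sysmon events exported as XML (for example from `Get-WinEvent ... | ForEach-Object { $_.ToXml() }`) and `weblog_hits` at the IIS or reverse-proxy access log in front of the Orion server; any hit on the pipe GUID is high-confidence, while `/swip/upd/` alone is the broadest of the three URL triggers and warrants a look at the client address and the rest of that session.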
This section has been moved to threat_to_microsoft_cloud.md
Volexity is tracking this threat as Dark Halo and believes they have worked multiple incidents involving this actor in late 2019 and 2020. They believe the attacker is familiar with exploiting Exchange to perform domain reconnaissance and lateral movement.
Consider adding alert mechanisms to EDR solutions that can track use of the Exchange Management Shell PowerShell cmdlets.
UNC2452 has been noted to use C2 infrastructure that matches victims' hostnames. Consider using services like [RiskIQ PassiveTotal](https://community.riskiq.com/login) or Shodan.io to search for your internal hostnames. This could reveal infrastructure used against your company. [2]
As noted in the README.md, I am pulling from a lot of different resources to create `sunburst-hunting/indicators/uniq-hostnames.csv`. You can use RedDrip7's project to decode the entries and see if your domains are on the list. The list of resources we are pulling from includes PassiveTotal, @bambenek's work, and partner lists.
**Update:** now that many have publicly posted lists of targeted internal names, I am also publishing the output list.
A list of identified organizations can be found here
A list of decoded internal names can be found here
```
:~$ cat /$github_dir$/sunburst-hunting/indicators/uniq-hostnames.txt | python decode.py | grep -E "domain1.com|domain2.org"
```
## Resources
[1] ISC.SANS.EDU:SolarWinds Breach
[2] FireEye SolarWinds Supply Chain Blog
[4] ISC SANS: Quick Tip: Cobalt Strike Beacon Analysis