This week, based on the information available at the time of publication, SolarWinds announced a cyberattack that inserted a backdoor, now tracked as SUNBURST, into the SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. The backdoor can give an attacker control of the server(s) on which Orion runs, and thus a foothold in the victim's network. From there, the attacker can move laterally, exfiltrate data and carry out other threat activity.
The United States Cybersecurity and Infrastructure Security Agency (CISA) has published Emergency Directive 21-01, directing Federal agencies to disconnect or power down affected SolarWinds Orion products until further notice.
As in the 'FireEye Red Team Tools detection in QRadar' blog, in this blog we provide guidance on using QRadar to respond quickly.
This blog will cover the following topics and content extensions:
- Threat Intelligence
- Snort Rules
- MD5, SHA-1 and SHA-256
- Pipe creation and Sysmon
- Endpoint content extension
- Threat Monitoring Content Extension
IBM Security X-Force researchers published a collection of IOCs, including malicious file hashes, IP addresses and URLs, connected to this ongoing threat. These IOCs can easily be brought into QRadar using the Threat Intelligence App, which can be downloaded either from IBM Security App Exchange or natively via the QRadar Assistant. Threat indicators can be added to a reference set so that they can be used within building blocks, rules and searches to detect the presence of these IOCs within your environment. Public X-Force Collections, including this one, are free to existing QRadar customers.
QRadar customers who also subscribe to the IBM Security X-Force Advanced Threat Protection Feed have access to a built-in “Am I Affected?” feature in the Threat Intelligence app. This tool can be used in tandem with other forms of threat intelligence that may become available in this developing situation to help assess known IOCs. With this subscription, new X-Force collections are loaded directly into QRadar, and users can simply click ‘Scan now’ to automatically search for all IOCs associated with a collection. The query results show which systems and users may have been connected to this threat, helping you initiate investigation, remediation and response.
If you do not currently subscribe to the Advanced Threat Protection Feed, a 30-day free trial is available.
Once again, the FireEye and Cisco Talos teams have published Snort rules for this threat (the 776008xx SIDs below are FireEye's, 56660 through 56668 are Talos'). QRadar users can easily create a rule based on these signatures, correlate the hits with other events and, optionally, be alerted directly by email. Keep in mind that QRadar only sees what the sensor reports: the new rules must be loaded on your Snort sensors first, and the "Rule ID" custom property must actually be parsing the SID from your sensor's events. The steps to implement this are:
- Install the IBM Security QRadar Custom Properties for Snort content extension
- Create a new Event rule:
Apply Sunburst - Snort Rules on events which are detected by the Local system
and when the event(s) were detected by one or more of Snort Open Source IDS
and when the event matches "Rule ID" in (77600832, 77600833, 77600837, 77600840, 77600842, 77600843, 77600844, 77600845, 77600846, 77600847, 77600848, 77600850, 77600851, 77600852, 77600853, 77600854, 77600855, 77600856, 77600857, 77600858, 77600859, 77600860, 77600863, 77600864, 77600865, 77600866, 77600868, 56660, 56661, 56662, 56663, 56664, 56665, 56666, 56667, 56668) AQL filter query
MD5, SHA-1 and SHA-256
As we said before, file hashes are a great source for improving threat detection. Once again, detection on MD5, SHA-1 and SHA-256 can be implemented quickly with three reference sets and one custom rule.
- Create three Reference Sets, one per hash type, and populate them with the Sunburst_md5, Sunburst_sha1 and Sunburst_sha256 files (comma separated). Use the Alphanumeric (Ignore Case) element type: products do not agree on the case in which they report hashes, and a case-sensitive set would miss an upper-case hash from one product while matching the lower-case one from another.
- Install content extensions containing hash custom properties, or create your own.
On the App Exchange, you can find MD5, SHA-1 and SHA-256 hashes parsed for the following log sources:
Carbon Black Response, Cisco AMP, McAfee ePolicy Orchestrator, Microsoft Windows Defender ATP, Microsoft Windows Security Event Log
- Create a rule that tests the custom properties MD5 Hash, Parent MD5, SHA1 Hash, Parent SHA1 Hash, SHA256 Hash and Parent SHA256 Hash against the new reference sets:
Apply Sunburst - Tools Hash on events which are detected by the Local system
and when the event(s) were detected by one or more of Carbon Black Response, Cisco AMP, McAfee ePolicy Orchestrator, Microsoft Windows Defender ATP, Microsoft Windows Security Event Log
and when the event matches
    ("MD5 Hash" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - MD5', "MD5 Hash"))
    OR ("Parent MD5" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - MD5', "Parent MD5"))
    OR ("SHA1 Hash" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA1', "SHA1 Hash"))
    OR ("Parent SHA1 Hash" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA1', "Parent SHA1 Hash"))
    OR ("SHA256 Hash" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA256', "SHA256 Hash"))
    OR ("Parent SHA256 Hash" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA256', "Parent SHA256 Hash"))
    AQL filter query
Check each test against the set of the same hash type before saving: the Parent SHA1 Hash test must look up 'Sunburst - SHA1'. Pointing it at the MD5 set (an easy copy-and-paste slip) is valid AQL that simply never matches, so the rule would look healthy while silently missing parent-process hits.
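To exercise the matching logic before deploying the rule, the following Python script is an added example (not code from the original blog or from IBM's content extensions) that re-implements the six tests of the hash rule over constructed events. Every hash value in it is a placeholder, not a SUNBURST indicator; the reference set names match the rule above, and the lower-casing stands in for the Alphanumeric (Ignore Case) set type.

```python
"""Added example, not code from the original blog or IBM's content extensions.

Re-implements the six tests of the 'Sunburst - Tools Hash' rule so the
matching logic can be exercised offline against constructed events.
All hash values are placeholders, NOT real SUNBURST indicators.
"""
import csv
import io
import re

# Constructed stand-ins for the Sunburst_md5 / Sunburst_sha1 / Sunburst_sha256
# comma-separated files (placeholder values, not real IOCs).
SUNBURST_MD5_FILE = "0a" * 16 + "," + "1b" * 16
SUNBURST_SHA1_FILE = "2c" * 20
SUNBURST_SHA256_FILE = "3d" * 32

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def load_reference_set(text, hash_type):
    """Parse a comma-separated hash file into a lower-cased set, the way an
    'Alphanumeric (Ignore Case)' reference set stores values. Entries of the
    wrong length or with non-hex characters are rejected rather than kept."""
    wanted = re.compile(r"[0-9a-f]{%d}" % HEX_LEN[hash_type])
    values = set()
    for row in csv.reader(io.StringIO(text)):
        for item in row:
            candidate = item.strip().lower()
            if wanted.fullmatch(candidate):
                values.add(candidate)
    return values


REFERENCE_SETS = {
    "Sunburst - MD5": load_reference_set(SUNBURST_MD5_FILE, "MD5"),
    "Sunburst - SHA1": load_reference_set(SUNBURST_SHA1_FILE, "SHA1"),
    "Sunburst - SHA256": load_reference_set(SUNBURST_SHA256_FILE, "SHA256"),
}

# Custom property -> reference set, one entry per test in the rule. Each
# parent-hash property must look up the set of the SAME hash type.
PROPERTY_TO_SET = {
    "MD5 Hash": "Sunburst - MD5",
    "Parent MD5": "Sunburst - MD5",
    "SHA1 Hash": "Sunburst - SHA1",
    "Parent SHA1 Hash": "Sunburst - SHA1",
    "SHA256 Hash": "Sunburst - SHA256",
    "Parent SHA256 Hash": "Sunburst - SHA256",
}


def reference_set_contains(set_name, value):
    """Stand-in for AQL REFERENCESETCONTAINS on an ignore-case set.
    A NULL or empty property never matches (the rule's IS NOT NULL guard)."""
    if not value:
        return False
    return value.strip().lower() in REFERENCE_SETS[set_name]


def match_sunburst_hash(event):
    """Return the (property, reference set) pairs that fire for one event,
    given as a dict of custom property name -> parsed value."""
    return [
        (prop, set_name)
        for prop, set_name in PROPERTY_TO_SET.items()
        if reference_set_contains(set_name, event.get(prop))
    ]


# Constructed events in already-parsed form, i.e. what the hash custom
# properties would yield from the supported log sources.
SAMPLE_EVENTS = [
    # Product reports the hash in upper case; must still match.
    {"source": "Microsoft Windows Defender ATP", "MD5 Hash": "0A" * 16},
    # Child is unknown, but its parent process is a known file.
    {"source": "Carbon Black Response", "SHA256 Hash": "ff" * 32, "Parent SHA1 Hash": "2c" * 20},
    # Nothing known: one unparsed property and one unknown hash.
    {"source": "Microsoft Windows Security Event Log", "MD5 Hash": None, "SHA1 Hash": "aa" * 20},
]


def scan(events):
    """Return (source, hits) for every event on which the rule would fire."""
    results = []
    for event in events:
        hits = match_sunburst_hash(event)
        if hits:
            results.append((event["source"], hits))
    return results


if __name__ == "__main__":
    for source, hits in scan(SAMPLE_EVENTS):
        print(source, hits)
```

The second constructed event is the one worth noting: the process itself is unknown, and only the parent-hash test fires, which is exactly the test that a mis-pointed reference set would turn into a silent miss.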
Pipe creation and Sysmon
In the blog published by FireEye on SUNBURST, the creation of a named pipe called 583da945-62af-10e8-4902-a8f205c72b2e is listed among the “delivery and installation” mechanisms.
If you are collecting Sysmon logs (Event ID 17, PipeEvent / Pipe Created), this gives you another quick way to detect an IOC.
- Download the IBM QRadar Custom Properties for Microsoft Windows content extension
- Create a rule that detects the pipe name mentioned in the blog
Apply Sunburst - Pipe Name on events which are detected by the Local system
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event QID is one of the following (5001836) PipeEvent (Pipe Created)
and when the event matches PipeName (custom) is any of 583da945-62af-10e8-4902-a8f205c72b2e
Sysmon records the pipe name with a leading backslash (\583da945-62af-10e8-4902-a8f205c72b2e). Check a raw event to see whether your PipeName custom property keeps that backslash, and adjust the test value accordingly; an exact-match test on the wrong form never fires.
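As an added example (not from the original blog or from the Custom Properties for Microsoft Windows extension), the Python below parses Sysmon Event ID 17 (PipeEvent, Pipe Created) records in Windows Event XML form and flags the SUNBURST pipe name. The records, host name and image paths are constructed; only the pipe name is the indicator from the FireEye report. It strips the leading backslash Sysmon writes in front of PipeName, which is the detail to verify in your own custom property before relying on an exact match.

```python
"""Added example, not code from the original blog or from IBM's
Custom Properties for Microsoft Windows extension.

Parses Sysmon Event ID 17 (PipeEvent: Pipe Created) records in Windows
Event XML form and flags the SUNBURST pipe name from the FireEye report.
The records, host name and image paths below are constructed.
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_PIPE_CREATED = "17"
# The only real indicator in this file: the pipe name from the FireEye report.
SUNBURST_PIPE = "583da945-62af-10e8-4902-a8f205c72b2e"


def parse_windows_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", EVENT_NS)
    event_id = system.findtext("e:EventID", namespaces=EVENT_NS)
    computer = system.findtext("e:Computer", namespaces=EVENT_NS)
    event_data = root.find("e:EventData", EVENT_NS)
    data = {}
    if event_data is not None:
        data = {d.get("Name"): (d.text or "").strip() for d in event_data}
    return event_id, computer, data


def normalise_pipe_name(name):
    """Sysmon records PipeName with a leading backslash (e.g. '\\lsass').
    Strip it and lower-case so the comparison does not depend on how a
    custom property happened to extract the field."""
    return name.strip().lstrip("\\").lower()


def sunburst_pipe_hit(xml_text):
    """Return a dict describing the hit, or None if the record is not a
    Pipe Created event for the SUNBURST pipe name."""
    event_id, computer, data = parse_windows_event(xml_text)
    if event_id != SYSMON_PIPE_CREATED:
        return None
    if normalise_pipe_name(data.get("PipeName", "")) != SUNBURST_PIPE:
        return None
    return {
        "computer": computer,
        "utc": data.get("UtcTime"),
        "pid": data.get("ProcessId"),
        "image": data.get("Image"),
    }


def constructed_event(event_id, pipe_name, image):
    """Build a constructed Sysmon record (host and image are placeholders)."""
    event_type = "CreatePipe" if event_id == 17 else "ConnectPipe"
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System>"
        '<Provider Name="Microsoft-Windows-Sysmon"/>'
        f"<EventID>{event_id}</EventID>"
        "<Computer>orion-srv01.example.test</Computer>"
        "</System>"
        "<EventData>"
        f'<Data Name="EventType">{event_type}</Data>'
        '<Data Name="UtcTime">2020-12-14 10:15:00.123</Data>'
        '<Data Name="ProcessId">4120</Data>'
        f'<Data Name="PipeName">{pipe_name}</Data>'
        f'<Data Name="Image">{image}</Data>'
        "</EventData>"
        "</Event>"
    )


SAMPLE_EVENTS = [
    # Pipe Created with the SUNBURST name, as Sysmon writes it (leading backslash).
    constructed_event(17, "\\583da945-62af-10e8-4902-a8f205c72b2e", "C:\\Placeholder\\host.exe"),
    # Same name, but Pipe Connected (ID 18): outside the rule as written.
    constructed_event(18, "\\583da945-62af-10e8-4902-a8f205c72b2e", "C:\\Placeholder\\client.exe"),
    # Benign pipe creation (constructed name).
    constructed_event(17, "\\PSHost.1234.5678.DefaultAppDomain.powershell", "C:\\Placeholder\\powershell.exe"),
]


def scan(events):
    """Return the hits for every record on which the rule would fire."""
    return [hit for hit in (sunburst_pipe_hit(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Only the first record fires: the second carries the same pipe name but is a Pipe Connected event, which the rule's QID test excludes, and the third is an unrelated pipe.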
Endpoint content extension
I will be quick with this one, but I want to renew my recommendation to download the latest version of the Endpoint content extension.
The pack was built to detect lateral movement and reconnaissance tools, and to help tell a legitimate administration task from a suspicious one. All of these behaviours are mentioned in the blogs you have read on this topic so far.
Below is the list of the rules (excluding building blocks) present in the Endpoint content extension:
- Attempt to Delete Shadow Copies
- Cobalt Strike Behaviour Detected
- Communication with a Potential Hostile Host
- Communication with a Potential Hostile IP Address
- Credential Dumping Activities Discovered
- Critical File Deleted (Unix)
- Critical File Permission Changed (Unix)
- Critical Security Tool Killed (Unix)
- Critical Security Tool Stopped
- Detection of Malicious File or Process
- Detection of Malicious IOC
- Excessive Failed Access to an Administrative Share from the Same Source
- Excessive File Deletion and Creation
- Excessive Login Failures via RDP
- Excessive Login Failures via RDP to Multiple Machines
- Excessive Nslookup Usage
- File Created with Right to Left Override
- File Created with Space After Filename
- File Decode or Download followed by Suspicious Activity
- Potential Component Object Model (COM) Hijacking
- Potential DLL Hijacking
- Potential Malicious Application Shimming
- Process Masquerading (Unix)
- Process Masquerading (Windows)
- Programming Environment Spawned by a Suspicious Process
- Ransomware Decryption Instructions Created
- Ransomware Encrypted File Extension
- Ransomware IOCs Detected on Multiple Machines
- Ransomware: BadRabbit IOC in Events
- Ransomware: BadRabbit IOC in Flows
- Ransomware: Maze IOC in Events
- Ransomware: Maze Suspicious File Transfer
- Ransomware: Petya / NotPetya IOC in Events
- Ransomware: Petya / NotPetya IOC in Flows
- Ransomware: Petya / NotPetya Payload in Flows
- Ransomware: REvil IOC in Events
- Ransomware: WCry IOC in Events
- Ransomware: WCry IOC in Flows
- Ransomware: WCry Payload in Flows
- RDP Hijacking Tool Detected
- Recommended Blocked Process is Running
- Reconnaissance Tool Detected
- Recovery Disabled in Boot Configuration Data
- Search for Password Files using findstr (Windows)
- Search for Password Files using grep or find (Unix)
- Search for Password Files using Select-String (Windows)
- SharpHound PowerShell Detected
- Suspicious Activity Followed by Endpoint Administration Task
- Suspicious Amount of Files Deleted on the Same Machine
- Suspicious Amount of Files Renamed on the Same Machine (Windows)
- Suspicious Amount of Files Renamed/Moved on the Same Machine (Unix)
- User Account Creation followed by Account Deletion (Unix)
- User Account Creation followed by Account Deletion (Windows)
Together, these rules cover a wide spectrum of detections.
Please refer to the documentation for more information on each rule. The Endpoint dedicated blog also walks through the implementation of some of the use cases.
Threat Monitoring Content Extension
The multi-task pack! It is mentioned last in this blog because it will almost certainly need some tuning to match what you are looking for, but it is a good starting point for knowing where to go.
For example, the extension contains a series of rules that alert on what your AV/anti-malware and IDS/IPS products report, so your endpoint security software can increase your visibility on a threat spreading through the network.
All you have to do is:
- Ensure your log source is listed in the BB:DeviceDefinition: AV/AM or BB:DeviceDefinition: IDS / IPS building block
- Get the Threat Name parsed, either by downloading one of our content extensions or by creating your own extraction
You can also duplicate the rules to focus detection on SUNBURST specifically and give the copy a higher-priority rule response (email, SNMP trap, vulnerability scan). Simply add a filter to the copied rule that catches the specific Threat Name your product reports:
and when the event matches Threat Name (custom) is any of Backdoor.Sunburst
Refer to your product's documentation for the relevant detection name; vendors do not all use the same label for the same family, so confirm the exact string before relying on an exact match.
The above steps can enable you to easily take advantage of the publicly available IOCs and Countermeasures to detect indicators of the SUNBURST threat within your environment. All of the QRadar apps, custom properties and content extensions mentioned above are available free of charge to all QRadar customers and can be downloaded either from the IBM Security App Exchange or natively via QRadar Assistant.
As usual, we build this content to save you time and effort; use it as a base and adapt it to your environment and your needs. Don't hesitate to send us feedback or ideas and tell us what you need.
If you are directly impacted and in need of expert assistance, you can contact the IBM Security X-Force Incident Response team, who is available to assist 24×7, at US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.