@lennartkoopmann
Created December 15, 2020 14:35
Graylog: command_and_control_sunburst_dst_ip
rule "command_and_control_sunburst_dst_ip"
// Written by Recon InfoSec SOC Team
//
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
when
    has_field("dst_ip_is_internal") AND
    to_string($message.dst_ip_is_internal) == "false" AND
    has_field("dst_ip") AND
    (
        to_string($message.dst_ip) == "13.59.205.66" OR
        to_string($message.dst_ip) == "54.193.127.66" OR
        to_string($message.dst_ip) == "54.215.192.52" OR
        to_string($message.dst_ip) == "34.203.203.23" OR
        to_string($message.dst_ip) == "139.99.115.204" OR
        to_string($message.dst_ip) == "5.252.177.25" OR
        to_string($message.dst_ip) == "5.252.177.21" OR
        to_string($message.dst_ip) == "204.188.205.176" OR
        to_string($message.dst_ip) == "51.89.125.18" OR
        to_string($message.dst_ip) == "167.114.213.199" OR
        to_string($message.dst_ip) == "98.225.248.37"
    )
then
    set_field("threat_detected", true);
    set_field("threat_name", "command_and_control_sunburst_dst_ip");
    set_field("threat_desc", "Detected an outbound connection to a known sunburst c2 ip");
    set_field("threat_tactic", "command_and_control");
    set_field("threat_score", 10);
end
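The rule above can only be exercised inside a Graylog pipeline, so the following Python script is an added example (not part of the Gist and not Recon InfoSec's code) that re-implements the same predicate and the same field enrichment over plain dictionaries. It lets you check the logic offline against constructed events, including the edge case the rule depends on: Graylog's to_string() renders a boolean false as "false", so both a boolean and a string value of dst_ip_is_internal should count as external. The render_graylog_rule() helper is a hypothetical addition that regenerates the rule text from an indicator list, so the IP block can be rebuilt from an updated IoC CSV instead of being edited by hand. The IP list is copied from the rule; the sample events are constructed.

```python
"""Offline re-implementation of the Graylog rule command_and_control_sunburst_dst_ip.

Added example: mirrors the rule's `when` predicate and `then` enrichment so the
detection logic can be tested on sample events without a Graylog instance.
"""

# The eleven destination IPs from the rule on the page.
SUNBURST_C2_IPS = frozenset({
    "13.59.205.66", "54.193.127.66", "54.215.192.52", "34.203.203.23",
    "139.99.115.204", "5.252.177.25", "5.252.177.21", "204.188.205.176",
    "51.89.125.18", "167.114.213.199", "98.225.248.37",
})

# Fields the rule's `then` block sets on a matching message.
THREAT_FIELDS = {
    "threat_detected": True,
    "threat_name": "command_and_control_sunburst_dst_ip",
    "threat_desc": "Detected an outbound connection to a known sunburst c2 ip",
    "threat_tactic": "command_and_control",
    "threat_score": 10,
}


def is_external(value) -> bool:
    """Mirror to_string($message.dst_ip_is_internal) == "false".

    Graylog's to_string() renders booleans as "true"/"false", so a boolean
    False and the string "false" must both be treated as an external destination.
    """
    return str(value).lower() == "false"


def matches_rule(event: dict) -> bool:
    """Same predicate as the rule's `when` block: both fields present,
    destination flagged external, and dst_ip in the C2 list."""
    if "dst_ip_is_internal" not in event or "dst_ip" not in event:
        return False
    return is_external(event["dst_ip_is_internal"]) and str(event["dst_ip"]) in SUNBURST_C2_IPS


def apply_rule(event: dict) -> dict:
    """Same effect as the rule's `then` block: return a copy of the event
    with the threat_* fields set when the predicate matches."""
    enriched = dict(event)
    if matches_rule(event):
        enriched.update(THREAT_FIELDS)
    return enriched


def render_graylog_rule(name: str, ips, fields: dict = THREAT_FIELDS) -> str:
    """Hypothetical helper: emit a Graylog pipeline rule in the same shape as
    the page's rule from an indicator list, so it can be regenerated when the
    IoC list changes."""
    ip_clauses = " OR\n".join(f'        to_string($message.dst_ip) == "{ip}"' for ip in sorted(ips))
    set_lines = []
    for key, value in fields.items():
        if isinstance(value, bool):
            rendered = "true" if value else "false"
        elif isinstance(value, int):
            rendered = str(value)
        else:
            rendered = f'"{value}"'
        set_lines.append(f'    set_field("{key}", {rendered});')
    return (
        f'rule "{name}"\n'
        "when\n"
        '    has_field("dst_ip_is_internal") AND\n'
        '    to_string($message.dst_ip_is_internal) == "false" AND\n'
        '    has_field("dst_ip") AND\n'
        "    (\n" + ip_clauses + "\n    )\n"
        "then\n" + "\n".join(set_lines) + "\nend\n"
    )


# Constructed sample events (not real traffic) covering match and non-match cases.
SAMPLE_EVENTS = [
    {"dst_ip": "13.59.205.66", "dst_ip_is_internal": False},    # boolean flag, C2 IP: match
    {"dst_ip": "5.252.177.21", "dst_ip_is_internal": "false"},  # string flag, C2 IP: match
    {"dst_ip": "13.59.205.66", "dst_ip_is_internal": "true"},   # flagged internal: no match
    {"dst_ip": "8.8.8.8", "dst_ip_is_internal": "false"},       # external, not in list: no match
    {"dst_ip": "5.252.177.21"},                                 # missing flag field: no match
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(apply_rule(ev))
    print(render_graylog_rule("command_and_control_sunburst_dst_ip", SUNBURST_C2_IPS))
```

Running the script prints each sample event with the threat_* fields added only for the two matching cases, then the regenerated rule text; feeding a freshly parsed indicator list to render_graylog_rule() produces a rule you can paste into Graylog in place of the hand-maintained OR chain.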