FireEye Sunburst SPL Detections

FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible with Sysmon telemetry are listed below.

Blog post

All FireEye detections

Sysmon event 7 (image load): svchost.exe loading NetSetupSvc.dll. Event 7 records the loading process in the Image field.

```
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 Image="C:\\Windows\\System32\\svchost.exe" ImageLoaded="*NetSetupSvc.dll"
```

Sysmon event 1 (process create): any process whose MD5 matches one of the Sunburst hashes published by FireEye.

```
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
MD5 IN ("b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae","56ceb6d0011d87b6e4d7023d7ef85676")
```

Sysmon event 22 (DNS query): lookups of the Sunburst-related domains from the FireEye article (exact name match only).

```
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=22
QueryName IN ("panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com")
```

Sysmon event 1 (process create): SolarWinds.BusinessLayerHost.exe spawning a child process other than the ones it normally runs.

```
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\solarwinds.businesslayerhost.exe" NOT
(Image IN ("*\\SolarWinds\\Orion\\ExportToPDFCmd.Exe","*\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe","*\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe","*\\SolarWinds\\Orion\\Database-Maint.exe","*\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe","*\\Windows\\SysWOW64\\WerFault.exe"))
```

Sysmon event 11 (file create): SolarWinds.BusinessLayerHost.exe writing executables, scripts, images or DLLs to disk.

```
index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
Image="*\\solarwinds.businesslayerhost.exe"
TargetFilename IN ("*exe","*ps1","*jpg","*png","*dll")
```
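The five searches above re-expressed in Python, as an added example that is not part of the gist: the rules run over field-extracted Sysmon events represented as dicts (field names as the Splunk Sysmon add-on extracts them, which is an assumption here), so the logic can be exercised offline against constructed events before it goes into Splunk. The rule names, the ORION path and the sample events are constructed for this example.

```python
import fnmatch
# Indicators transcribed from the searches above (FireEye's published Sunburst IoCs)
SUNBURST_MD5 = {"b91ce2fa41029f6955bff20079468448", "02af7cec58b9a5da1c542b5a32151ba1",
                "2c4a910a1299cdae2a4e55988a2f102e", "846e27a652a5e1bfbd0ddd38a16dc865",
                "4f2eb62fa529c0283b28d05ddd311fae", "56ceb6d0011d87b6e4d7023d7ef85676"}
SUNBURST_DOMAINS = {"panhardware.com", "databasegalore.com", "avsvmcloud.com",
                    "freescanonline.com", "thedoccloud.com", "deftsecurity.com"}
BLH = "*\\solarwinds.businesslayerhost.exe"  # the backdoored Orion host process
BENIGN_CHILDREN = [  # children the fourth search excludes as normal activity
    "*\\SolarWinds\\Orion\\ExportToPDFCmd.Exe",
    "*\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi.exe",
    "*\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calculator.exe",
    "*\\SolarWinds\\Orion\\Database-Maint.exe",
    "*\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoller.Service.exe",
    "*\\Windows\\SysWOW64\\WerFault.exe",
]
DROPPED = ["*exe", "*ps1", "*jpg", "*png", "*dll"]

def like(value, pattern):
    """Splunk-style field match: case-insensitive, '*' is the only wildcard."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())

def sunburst_rules(ev):
    """Names (constructed here) of the searches above that one field-extracted Sysmon event trips."""
    code, hits = ev.get("EventCode"), []
    if code == 7 and like(ev.get("Image", ""), "C:\\Windows\\System32\\svchost.exe") \
            and like(ev.get("ImageLoaded", ""), "*NetSetupSvc.dll"):
        hits.append("netsetupsvc_in_svchost")
    if code == 1 and str(ev.get("MD5", "")).lower() in SUNBURST_MD5:
        hits.append("sunburst_md5")
    if code == 22 and str(ev.get("QueryName", "")).lower() in SUNBURST_DOMAINS:
        hits.append("sunburst_domain_dns")
    if code == 1 and like(ev.get("ParentImage", ""), BLH) \
            and not any(like(ev.get("Image", ""), p) for p in BENIGN_CHILDREN):
        hits.append("businesslayerhost_unusual_child")
    if code == 11 and like(ev.get("Image", ""), BLH) \
            and any(like(ev.get("TargetFilename", ""), p) for p in DROPPED):
        hits.append("businesslayerhost_file_write")
    return hits

# Constructed sample events, keyed as the Splunk Sysmon add-on extracts the fields; not real telemetry
ORION = "C:\\Program Files (x86)\\SolarWinds\\Orion\\"  # assumed install path
SAMPLE_EVENTS = [
    {"EventCode": 7, "Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\SysWOW64\\NetSetupSvc.dll"},
    {"EventCode": 22, "QueryName": "avsvmcloud.com"},
    {"EventCode": 1, "ParentImage": ORION + "SolarWinds.BusinessLayerHost.exe", "Image": "C:\\Windows\\System32\\cmd.exe"},
    {"EventCode": 1, "ParentImage": ORION + "SolarWinds.BusinessLayerHost.exe", "Image": ORION + "Database-Maint.exe"},
]
```

The fourth sample event is the allow-listed Database-Maint.exe child and produces no hit, which is the case to re-check whenever the exclusion list is edited.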