FireEye Sunburst KQL Detections
FireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible in Defender for Endpoint are listed below.
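// Exploit Guard block of NetSetupSvc.dll under svchost.exe (FireEye Sunburst indicator).
// ActionType is a discrete value, so an exact case-insensitive match (=~) is
// both tighter and cheaper than a substring 'contains'; the same applies to the
// file names, where 'contains "svchost.exe"' would also match e.g. "notsvchost.exe".
DeviceEvents
| where ActionType =~ "ExploitGuardNonMicrosoftSignedBlocked"
| where InitiatingProcessFileName =~ "svchost.exe"
    and FileName =~ "NetSetupSvc.dll"
| project Timestamp, DeviceName, ActionType, FolderPath, FileName,
    InitiatingProcessFileName, InitiatingProcessCommandLine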
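// Known Sunburst / Supernova MD5 hashes from the FireEye report.
let SunburstMD5 = dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
let SupernovaMD5 = dynamic(["56ceb6d0011d87b6e4d7023d7ef85676"]);
// A DLL implant that was installed before telemetry started is more likely to
// surface as an image load or a process event than as a file-creation event,
// so search all three tables (each carries an MD5 column) instead of
// DeviceFileEvents alone. in~ keeps the match working if the indicator list
// is ever pasted in upper-case hex.
union DeviceFileEvents, DeviceImageLoadEvents, DeviceProcessEvents
| where MD5 in~ (SunburstMD5) or MD5 in~ (SupernovaMD5)
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, MD5, SHA256,
    InitiatingProcessFileName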
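// Sunburst C2 domains from the FireEye report.
let SunburstURL = dynamic(["panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com"]);
// RemoteUrl holds the full host name, and beacons go to subdomains of these
// apex domains, so an exact 'in' match never fires; has_any matches the
// domain as a term anywhere in the URL. Failed connections are still a
// strong indicator (the host tried to reach C2), so do not limit the
// result to ConnectionSuccess.
DeviceNetworkEvents
| where ActionType in ("ConnectionSuccess", "ConnectionFailed")
| where RemoteUrl has_any (SunburstURL)
| project Timestamp, DeviceName, ActionType, RemoteUrl, RemoteIP, RemotePort,
    InitiatingProcessFileName, InitiatingProcessCommandLine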
// Processes spawned by the SolarWinds Orion business-layer host, excluding
// the children it is known to launch legitimately. endswith is
// case-insensitive, so the casing of the allow-list entries does not matter.
DeviceProcessEvents
| where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
| where FolderPath !endswith @"\SolarWinds\Orion\APM\APMServiceControl.exe"
    and FolderPath !endswith @"\SolarWinds\Orion\ExportToPDFCmd.Exe"
    and FolderPath !endswith @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe"
    and FolderPath !endswith @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe"
    and FolderPath !endswith @"\SolarWinds\Orion\Database-Maint.exe"
    and FolderPath !endswith @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe"
    and FolderPath !endswith @"\Windows\SysWOW64\WerFault.exe"
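// Files written by the SolarWinds Orion business-layer host with an
// extension that is unusual for it. Match the extension proper (".exe")
// rather than any name that merely ends in the letters "exe"; endswith is
// case-insensitive, so ".EXE" and ".Dll" are still caught.
DeviceFileEvents
| where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
| where FileName endswith ".exe" or FileName endswith ".dll"
    or FileName endswith ".ps1" or FileName endswith ".jpg"
    or FileName endswith ".png"
| project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA256,
    InitiatingProcessFileName, InitiatingProcessCommandLine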