Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?

FireEye Sunburst KQL Detections

FireEye released a very interesting article regarding a third-party compromise of Solarwinds, the detections that are possible in Defender for Endpoint are listed below

Blog post

All FireEye detections

DeviceEvents
| where ActionType contains "ExploitGuardNonMicrosoftSignedBlocked"
| where InitiatingProcessFileName contains "svchost.exe" and FileName contains "NetSetupSvc.dll"
let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
DeviceFileEvents
| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)
let SunburstURL=dynamic(["panhardware.com","databasegalore.com","avsvmcloud.com","freescanonline.com","thedoccloud.com","deftsecurity.com"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess" 
| where RemoteUrl in(SunburstURL)
DeviceProcessEvents
| where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
| where not(FolderPath endswith @"\SolarWinds\Orion\APM\APMServiceControl.exe" 
		or FolderPath endswith @"\SolarWinds\Orion\ExportToPDFCmd.Exe"
		or FolderPath endswith @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe"
		or FolderPath endswith @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe"
		or FolderPath endswith @"\SolarWinds\Orion\Database-Maint.exe"
		or FolderPath endswith @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe"
		or FolderPath endswith @"\Windows\SysWOW64\WerFault.exe"
		)
DeviceFileEvents
| where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
| where FileName endswith "exe" or FileName endswith "dll" or FileName endswith "ps1" or FileName endswith "jpg" or FileName endswith "png"
@fouapon

This comment has been minimized.

Copy link

@fouapon fouapon commented May 26, 2021

the rule on DeviceProcessEvents table triggered an alert for the FolderPath "C:\Windows\SysWOW64\ARP.EXE"
Could you confirm that this is not a suspicious activity?
Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment