Created
March 10, 2021 08:09
-
-
Save shiftybitshiftr/96be756d725f7453ec7caf083b09a04d to your computer and use it in GitHub Desktop.
collection of EDR/SIEM queries based on FireEye, Microsoft, and other IOCs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --(Known) hashes of backdoored SolarWinds.Orion.Core.BusinessLayer.dll; Ref: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/ | |
| Sha256 in ( "32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77, dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b, eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed, c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77, ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c, 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134, ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6, a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc, d3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af" ) | |
| --Known SUNBURST domains created by Subdomain Generation Algorithm; Ref: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html | |
| URL In Contains AnyCase "avsvmcloud.com, freescanonline.com, thedoccloud.com, deftsecurity.com, virtualdataserver.com, digitalcollege.org" | |
| OR | |
| DNSRequest In Contains AnyCase "avsvmcloud.com, freescanonline.com, thedoccloud.com, deftsecurity.com, virtualdataserver.com, digitalcollege.org" | |
| --Known BEACON domains | |
| URL In Contains AnyCase "incomeupdate.com, zupertech.com, databasegalore.com, panhardware.com" | |
| OR | |
| DNSRequest In Contains AnyCase "incomeupdate.com, zupertech.com, databasegalore.com, panhardware.com" | |
| --Windows Defender events | |
| IndicatorName containsCIS "ExploitGuardNonMicrosoftSignedBlocked" | |
| AND | |
| (ParentProcessName = "svchost.exe" AND FileFullName containsCIS "NetSetupSvc.dll") | |
| --Abnormal child process creation | |
| ParentProcessName = "solarwinds.businesslayerhost.exe" | |
| AND | |
| ProcessName Not In Contains AnyCase ("APMServiceControl.exe, ExportToPDFCmd.Exe, SolarWinds.Credentials.Orion.WebApi.exe, SolarWinds.Orion.Topology.Calculator.exe, Database-Maint.exe, SolarWinds.Orion.ApiPoller.Service.exe, WerFault.exe") | |
| --Abnormal file creation events | |
| ParentProcessName = "solarwinds.businesslayerhost.exe" | |
| AND | |
| TgtFileExtension In Contains AnyCase ("exe, dll, ps1, jpg, png") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment