This hunting query inventories SolarWinds process activity across every host that reports process-creation events to Microsoft Sentinel (formerly Azure Sentinel) through the ASIM imProcessCreate parser. It was published alongside the Solorigate / NOBELIUM supply-chain investigation, where the first question for most teams was simply which systems ran SolarWinds software: internal software-management systems rarely have complete coverage, so process execution telemetry is used as a second, independent source. The query is a scoping aid rather than a detection of malicious behaviour on its own; its output is the set of hosts and accounts that launched SolarWinds binaries, which can then be reconciled against the known footprint and prioritised for patching, credential review or forensic collection.
KQL Query

```kusto
imProcessCreate
// Process is the ASIM alias for TargetProcessName; "has" is a case-insensitive term match on the image path
| where Process has 'solarwinds'
// MachineName is not used by the summarize below; Dvc (the ASIM device alias) is used instead
| extend MachineName = DvcHostname, Process = TargetProcessName
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            MachineCount = dcount(Dvc), AccountCount = dcount(User),
            MachineNames = make_set(Dvc, 200), Accounts = make_set(User, 200)
            by Process, EventVendor, EventProduct
```
```yaml
id: c3f1606e-48eb-464e-a60c-d53af5a5796e
name: SolarWinds Inventory (Normalized Process Events)
description: |
  Beyond your internal software management systems, it is possible you may not have visibility into your entire footprint of SolarWinds installations. This is intended to help use process execution information to discover any systems that have SolarWinds processes.
requiredDataConnectors: []
tactics:
  - Execution
relevantTechniques:
  - T1072
tags:
  - Solorigate
  - NOBELIUM
query: |
  imProcessCreate
  | where Process has 'solarwinds'
  | extend MachineName = DvcHostname , Process = TargetProcessName
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), MachineCount = dcount(Dvc), AccountCount = dcount(User), MachineNames = make_set(Dvc, 200),
  Accounts = make_set(User, 200) by Process, EventVendor, EventProduct
version: 1.0.0
```
| Sentinel table / parser | Notes |
|---|---|
| imProcessCreate | This is the ASIM ProcessEvent unifying parser, not a raw table, which is why `requiredDataConnectors` above is empty. Deploy the ASIM ProcessEvent parsers and at least one source that feeds them (for example Windows Security Event 4688 or Sysmon Event ID 1) before running the query; a host that sends no process-creation events is invisible to this inventory regardless of whether SolarWinds is installed on it. |
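The description above frames the query as a check on the organisation's own software inventory, but the published query only lists hosts; the reconciliation is left to the analyst. The following added example (not part of the published hunting query) closes that gap by removing hosts that the inventory already knows about, so that what remains is the blind spot. The `KnownSolarWindsHosts` list and its hostnames are constructed placeholders; in practice it would be a Sentinel watchlist or an `externaldata()` export from the CMDB. It also matches on the command line as well as the image path, since installers and scripts launched from non-standard locations still name the product somewhere.

```kusto
// Added example: hosts with SolarWinds process activity that are missing from
// the organisation's software inventory. Not the published query.
let lookback = 30d;
// Constructed placeholder list; replace with a watchlist or externaldata() export.
let KnownSolarWindsHosts = datatable(Hostname: string)
[
    "orion-01.corp.example",   // constructed sample values
    "orion-02.corp.example"
];
imProcessCreate
| where TimeGenerated > ago(lookback)
// Match the image path and the command line, not just the image path.
| where TargetProcessName has "solarwinds"
    or TargetProcessCommandLine has "solarwinds"
| extend Hostname = tolower(Dvc)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            EventCount = count(),
            Processes = make_set(TargetProcessName, 50),
            Accounts = make_set(ActorUsername, 50)
            by Hostname, EventVendor, EventProduct
// Hosts already in the inventory are dropped; the remainder are unknown installations.
| where Hostname !in~ (KnownSolarWindsHosts)
| order by EventCount desc
```

Running the same query with the last `where` inverted (`in~` instead of `!in~`) gives the complementary view: inventory hosts that do emit SolarWinds activity. Inventory hosts that appear in neither result either have no process-creation telemetry flowing to Sentinel or have had the software removed, and both cases are worth a follow-up.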
The following are expected sources of SolarWinds-related process creations that will appear in the query output. Field names are given in the ASIM ProcessEvent schema that imProcessCreate returns (TargetProcessName, ActingProcessName for the parent, TargetProcessCommandLine, ActorUsername); ECS-style names such as process.name are not available in this query. The executable, script and account names are placeholders for the scenarios, not documented SolarWinds components, so substitute the names observed in your environment. Because this is an inventory query, prefer tagging these rows as expected over filtering them out: excluding the agent service start, for instance, would remove the most reliable evidence that SolarWinds is installed on a host.

Scenario: Scheduled SolarWinds Inventory Sync Job
Description: A legitimate scheduled task runs to synchronize inventory data with the SolarWinds server.
Filter/Exclusion: TargetProcessName endswith "SolarWindsInventorySync.exe" (placeholder name), with ActingProcessName being the Task Scheduler host (svchost.exe running the Schedule service, or taskeng.exe on older Windows) and TargetProcessCommandLine has "sync".

Scenario: SolarWinds Agent Service Initialization
Description: The SolarWinds agent service starts during system boot or after a service restart.
Filter/Exclusion: TargetProcessName endswith "SolarWindsAgentService.exe" (placeholder name) and ActingProcessName endswith "services.exe". Keep these rows in an inventory run: a service start under services.exe on every boot is exactly the steady-state signal that confirms an installation.

Scenario: Admin Performing SolarWinds Configuration Backup
Description: An administrator runs a backup script or tool to archive SolarWinds configuration data.
Filter/Exclusion: TargetProcessName endswith "SolarWindsBackupTool.exe" (placeholder name) and TargetProcessCommandLine has "backup", optionally restricted to the accounts expected to run backups. The account name alone is a weak discriminator, since a compromised administrator account produces identical fields; pair it with the parent process or the scheduled-task source.

Scenario: SolarWinds Patch Deployment via SCCM
Description: A patch deployment from System Center Configuration Manager (SCCM) triggers a process related to SolarWinds.
Filter/Exclusion: ActingProcessName endswith "ccmexec.exe" (the SCCM client host), optionally with ActorUsername == @"domain\patchadmin" for deployments that run under a named account rather than SYSTEM.

Scenario: SolarWinds Log Collection via PowerShell Script
Description: A PowerShell script is used to collect logs from SolarWinds components as part of routine monitoring.
Filter/Exclusion: TargetProcessName endswith "powershell.exe" and TargetProcessCommandLine has "SolarWindsLogCollector.ps1" (placeholder name) and ActorUsername matching the log-collection account. Do not exclude powershell.exe outright: PowerShell launching SolarWinds binaries with any other command line is precisely the kind of activity this hunt should surface.
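The scenarios above, expressed as one query, as an added example that is not part of the published hunting query. Rather than dropping matching rows, it labels each process creation with the scenario it satisfies and then reports, per host, how much of the activity is explained and how much is not, so the inventory stays complete while the reviewer's attention goes to the unexplained command lines. The executable, script and account names are the placeholders from the scenarios, and the parent-process names for the Task Scheduler host are an assumption about a Windows environment; both should be replaced with what your own telemetry shows.

```kusto
// Added example: tag expected SolarWinds process activity per scenario instead of
// filtering it out, and summarize explained vs unexplained activity per host.
// Binary, script and account names are placeholders, not known SolarWinds components.
let lookback = 30d;
imProcessCreate
| where TimeGenerated > ago(lookback)
| where TargetProcessName has "solarwinds"
    or TargetProcessCommandLine has "solarwinds"
// Normalise to bare, lower-case image names so path differences do not matter.
| extend ImageName   = tolower(tostring(split(TargetProcessName, @"\")[-1])),
         ParentImage = tolower(tostring(split(ActingProcessName, @"\")[-1])),
         Cmd         = tolower(TargetProcessCommandLine),
         Acct        = tolower(ActorUsername)
// First matching branch wins; an empty string means no scenario explains the row.
| extend ExpectedReason = case(
    ImageName == "solarwindsagentservice.exe" and ParentImage == "services.exe",
        "agent service start",
    ImageName == "solarwindsinventorysync.exe" and Cmd has "sync"
        and ParentImage in ("svchost.exe", "taskeng.exe"),   // assumed Task Scheduler hosts
        "scheduled inventory sync",
    ImageName == "solarwindsbackuptool.exe" and Cmd has "backup" and Acct endswith "admin",
        "admin configuration backup",
    ParentImage == "ccmexec.exe",
        "SCCM deployment",
    ImageName == "powershell.exe" and Cmd has "solarwindslogcollector.ps1"
        and Acct endswith "logadmin",
        "log collection script",
    "")
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
            ExpectedCount   = countif(isnotempty(ExpectedReason)),
            UnexplainedCount = countif(isempty(ExpectedReason)),
            ExpectedReasons = make_set_if(ExpectedReason, isnotempty(ExpectedReason), 10),
            UnexplainedCommandLines = make_set_if(TargetProcessCommandLine, isempty(ExpectedReason), 20),
            Accounts = make_set(ActorUsername, 50)
            by Dvc, EventVendor, EventProduct
| order by UnexplainedCount desc
```

A host whose `UnexplainedCount` is zero still appears in the result with its `ExpectedReasons`, which is what an inventory needs; a host at the top of the list with a non-empty `UnexplainedCommandLines` set is the one to open first. Account-based branches are deliberately the loosest, because the same fields are produced whether the named account is used legitimately or has been taken over.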