Microsoft Defender for Endpoint raises alerts carrying a "Solorigate" threat name when it observes that campaign's tradecraft on a monitored endpoint. SOC teams should proactively hunt for these alerts in Azure Sentinel to identify and mitigate advanced persistent threats before they escalate.
KQL Query

```kusto
DeviceInfo
| extend DeviceName = tolower(DeviceName)
| join (SecurityAlert
    | where ProviderName =~ "MDATP"
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | where ThreatName has "Solorigate"
    // Join keys are case-sensitive; normalise the alert side to match the lowercased DeviceName
    | extend CompromisedEntity = tolower(CompromisedEntity)
) on $left.DeviceName == $right.CompromisedEntity
| project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId
| extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
| project-away DomainIndex
```
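The rule query does what its description says, but two properties of the source tables matter in practice: DeviceInfo records several rows per device per day, so the plain join emits each alert once per DeviceInfo row, and because both tables carry TimeGenerated and TenantId, the projected TimeGenerated is the DeviceInfo snapshot time (the alert's own timestamp is renamed TimeGenerated1 by the join). The following query is an added example, not the rule's own query: it reduces DeviceInfo to its latest snapshot per device, lowercases both join keys, keeps the alert's timestamp, and summarises one row per host. Column names are the standard Sentinel SecurityAlert and DeviceInfo columns; the let-variable names and the 1d lookback are my own choices.

```kusto
// Added example, not the published rule's query.
// One DeviceInfo snapshot per device, a case-insensitive join key on both sides,
// and the alert's own timestamp rather than the snapshot's.
let lookback = 1d;
let solorigateAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName =~ "MDATP"
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | where ThreatName has "Solorigate"
    // Rename TimeGenerated so it cannot collide with the DeviceInfo column after the join
    | project AlertTime = TimeGenerated, SystemAlertId, DisplayName, ThreatName,
              CompromisedEntity = tolower(CompromisedEntity), AlertSeverity, Description;
let latestDevice =
    DeviceInfo
    | where TimeGenerated > ago(lookback)
    | extend DeviceName = tolower(DeviceName)
    // DeviceInfo writes many rows per device; keep only the newest so each alert appears once
    | summarize arg_max(TimeGenerated, PublicIP, MachineGroup, LoggedOnUsers, DeviceId) by DeviceName;
latestDevice
| join kind=inner solorigateAlerts on $left.DeviceName == $right.CompromisedEntity
// Same host / DNS-domain split as the rule, kept for the Host entity mapping
| extend HostName = tostring(split(CompromisedEntity, ".")[0]),
         DomainIndex = indexof(CompromisedEntity, ".")
| extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
// One row per host: how many distinct Solorigate alerts, over what window, with which threat names
| summarize AlertCount = dcount(SystemAlertId),
            FirstAlert = min(AlertTime),
            LastAlert = max(AlertTime),
            ThreatNames = make_set(ThreatName),
            Severities = make_set(AlertSeverity),
            AlertIds = make_set(SystemAlertId),
            LoggedOnUsers = take_any(LoggedOnUsers)
            by CompromisedEntity, HostName, HostNameDomain, PublicIP, MachineGroup, DeviceId
| order by AlertCount desc, LastAlert desc
```

Because the alert side is projected before the join, no column name is shared between the two inputs and nothing gets a `1` suffix; if you run this as a scheduled rule, map FirstAlert or LastAlert rather than TimeGenerated in the entity and custom-detail settings.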
```yaml
id: e70fa6e0-796a-4e85-9420-98b17b0bb749
name: Solorigate Defender Detections
description: |
  'Surfaces any Defender Alert for Solorigate Events. In Microsoft Sentinel the SecurityAlerts table includes only the Device Name of the affected device, this query joins the DeviceInfo table to clearly connect other information such as
  Device group, ip, logged on users etc. This way, the Microsoft Sentinel user can have all the pertinent device info in one view for all the Solorigate Defender alerts.'
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftDefenderAdvancedThreatProtection
    dataTypes:
      - SecurityAlert (MDATP)
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1195
tags:
  - Solorigate
  - NOBELIUM
query: |
  DeviceInfo
  | extend DeviceName = tolower(DeviceName)
  | join (SecurityAlert
      | where ProviderName =~ "MDATP"
      | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
      | where ThreatName has "Solorigate"
      // Join keys are case-sensitive; normalise the alert side to match the lowercased DeviceName
      | extend CompromisedEntity = tolower(CompromisedEntity)
  ) on $left.DeviceName == $right.CompromisedEntity
  | project TimeGenerated, DisplayName, ThreatName, CompromisedEntity, PublicIP, MachineGroup, AlertSeverity, Description, LoggedOnUsers, DeviceId, TenantId
  | extend HostName = tostring(split(CompromisedEntity, ".")[0]), DomainIndex = toint(indexof(CompromisedEntity, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(CompromisedEntity, DomainIndex + 1), CompromisedEntity)
  | project-away DomainIndex
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: CompromisedEntity
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: PublicIP
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - 0-day Vulnerability" ]
```
| Sentinel Table | Notes |
|---|---|
| SecurityAlert | Ensure this data connector is enabled |
- **Scenario: Scheduled System Maintenance Task**
  - Description: A legitimate scheduled task runs a system cleanup or disk defragmentation tool on a server, which may trigger Defender alerts due to unusual process activity.
  - Filter/Exclusion: Exclude processes associated with known maintenance tools like defrag.exe, cleanmgr.exe, or tasks scheduled via Task Scheduler with a known name.
- **Scenario: Patching and Update Deployment**
  - Description: Windows Update or Microsoft Endpoint Manager (MEM) deployment triggers Defender alerts due to temporary changes in system behavior or file modifications during patching.
  - Filter/Exclusion: Exclude events related to wuauclt.exe, msiexec.exe, or processes initiated by the Microsoft Endpoint Manager or Windows Update service.
- **Scenario: Antivirus/Defender Quarantine Action**
  - Description: Defender quarantines a file during a scan, which may be a false positive if the file is benign but flagged as suspicious.
  - Filter/Exclusion: Exclude events where the file is marked as quarantined by Defender and is not associated with known malicious hashes or behaviors.
- **Scenario: Admin Tool Execution for Compliance**
  - Description: An administrator runs a compliance tool like PowerShell or Group Policy to enforce security settings, which may trigger alerts due to elevated privileges or script execution.
  - Filter/Exclusion: Exclude processes initiated by admin accounts with known compliance tools or scripts executed via PowerShell with a known command line or script name.
- **Scenario: Network Security Software Integration**
  - Description: Integration between Microsoft Defender and third-party network security tools (e.g., Palo Alto, Fortinet) may cause alerts due to communication or policy enforcement actions.
  - Filter/Exclusion: Exclude events related to known integration tools or processes from trusted network security vendors.
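The scenarios above describe which benign activity to filter, but not how to express those exclusions against this rule's output. The query below is an added tuning example, not part of the published rule. It assumes an analyst-maintained Sentinel watchlist named ApprovedMaintenanceHosts whose SearchKey is the host FQDN, uses constructed device-group names, relies on the MDATP alert entity shape in SecurityAlert.Entities (file entities carry Type "file" and a Name), and treats the maintenance and update binaries named in the scenarios as a constructed allowlist. Hosts on the watchlist or in an excluded group are removed from the result; process-based matches are only annotated (MaintenanceOnly), because a Solorigate-named detection should not be dropped solely because the attached file names look like cleanup or update tools.

```kusto
// Added tuning example, not part of the published rule.
// Assumptions: watchlist "ApprovedMaintenanceHosts" (SearchKey = host FQDN), the group
// names below (constructed), and the MDATP entity shape: file entities have Type "file" and Name.
let lookback = 1d;
let maintenanceBinaries = dynamic(["defrag.exe", "cleanmgr.exe", "wuauclt.exe", "msiexec.exe"]);
let excludedGroups = dynamic(["Patch-Maintenance-Window", "Lab-Devices"]);   // constructed example names
let approvedHosts =
    _GetWatchlist("ApprovedMaintenanceHosts")
    | project ApprovedHost = tolower(tostring(SearchKey));
let solorigateAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName =~ "MDATP"
    | extend ThreatName = tostring(parse_json(ExtendedProperties).ThreatName)
    | where ThreatName has "Solorigate"
    | extend CompromisedEntity = tolower(CompromisedEntity);
// File names of the entities attached to each alert (assumed MDATP entity schema).
// Built as a separate branch and joined back so alerts with no file entities are kept.
let fileEntities =
    solorigateAlerts
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) == "file"
    | summarize FileNames = make_set(tolower(tostring(Entity.Name))) by SystemAlertId;
let latestDevice =
    DeviceInfo
    | where TimeGenerated > ago(lookback)
    | extend DeviceName = tolower(DeviceName)
    | summarize arg_max(TimeGenerated, MachineGroup, PublicIP, LoggedOnUsers) by DeviceName;
solorigateAlerts
| join kind=leftouter fileEntities on SystemAlertId
| extend FileNames = iff(isnull(FileNames), dynamic([]), FileNames)
// True only when every attached file name is on the allowlist: annotate, do not drop
| extend MaintenanceOnly = array_length(FileNames) > 0
                           and array_length(set_difference(FileNames, maintenanceBinaries)) == 0
| join kind=inner latestDevice on $left.CompromisedEntity == $right.DeviceName
// Hard exclusions: approved maintenance hosts and explicitly excluded device groups
| join kind=leftanti approvedHosts on $left.CompromisedEntity == $right.ApprovedHost
| where MachineGroup !in (excludedGroups)
| project TimeGenerated, CompromisedEntity, MachineGroup, PublicIP, LoggedOnUsers,
          ThreatName, AlertSeverity, MaintenanceOnly, FileNames, DisplayName, Description
| order by MaintenanceOnly asc, TimeGenerated desc
```

Rows with MaintenanceOnly set to true sort last so triage starts with alerts whose attached processes are not explained by the scenarios; if, after review, a class of those rows is confirmed benign, turn the annotation into a `where not(MaintenanceOnly)` filter rather than widening the watchlist.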