SUNBURST and SUPERNOVA are the backdoors associated with the SolarWinds Orion supply-chain compromise: SUNBURST is the trojanized SolarWinds.Orion.Core.BusinessLayer.dll that shipped inside signed Orion updates, and SUPERNOVA is a .NET web shell found on Orion servers. Both are identified here by the MD5 hashes of known samples, so a match in file telemetry means a known-malicious file was created, modified or otherwise written on a monitored host. SOC teams should run this hash hunt against normalized file events in Azure Sentinel and treat any hit as a confirmed indicator of compromise rather than as a lead to be triaged like a behavioural alert.
KQL Query
```kusto
// MD5 hashes of known SUNBURST samples (trojanized SolarWinds.Orion.Core.BusinessLayer.dll), per the FireEye reference below
let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
// MD5 hash of the SUPERNOVA web shell
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
imFileEvent
// Exact hash match. KQL `in` is case-sensitive; if a source reports upper-case hashes, use `in~` or tolower(TargetFileMD5) instead
| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
// Split DOMAIN\user for the Account entity mapping (AccountName is empty when User carries no backslash)
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
// Algorithm label for the FileHash entity mapping
| extend AlgorithmType = "MD5"
```
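To see exactly what the query above does, and where it is brittle, the following is an added Python re-implementation of the same rule logic run over a few constructed imFileEvent-shaped records. It is not part of the original rule or of the Sentinel repository. It uses the IOC hashes from the page, handles two cases the KQL does not (a source that reports the hash in upper case, and a `User` value with no `DOMAIN\` prefix), and labels each hit with its malware family. The field names follow the ASIM FileEvent schema used by the rule; the sample events and host names are invented for the demonstration.

```python
"""Offline re-implementation of the SUNBURST/SUPERNOVA hash rule over ASIM-shaped file events.

Added example, not code from the Sentinel rule. Sample events below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# IOC MD5 hashes exactly as used in the rule (FireEye, December 2020).
SUNBURST_MD5 = {
    "b91ce2fa41029f6955bff20079468448",
    "02af7cec58b9a5da1c542b5a32151ba1",
    "2c4a910a1299cdae2a4e55988a2f102e",
    "846e27a652a5e1bfbd0ddd38a16dc865",
    "4f2eb62fa529c0283b28d05ddd311fae",
}
SUPERNOVA_MD5 = {"56ceb6d0011d87b6e4d7023d7ef85676"}

# Family lookup so an analyst can tell which backdoor a hit refers to.
IOC_FAMILY = {**{h: "SUNBURST" for h in SUNBURST_MD5},
              **{h: "SUPERNOVA" for h in SUPERNOVA_MD5}}


def normalize_md5(value: str | None) -> str | None:
    """Trim and lower-case a hash so 'B91C...' matches the IOC list.

    The KQL `in` operator is case-sensitive; `in~` or tolower() is the fix there.
    Returns None for anything that is not 32 hex characters.
    """
    if not value:
        return None
    v = value.strip().lower()
    if len(v) != 32 or any(c not in "0123456789abcdef" for c in v):
        return None
    return v


def split_user(user: str | None) -> tuple[str, str]:
    """Return (NTDomain, AccountName) from 'DOMAIN\\user'.

    split(User, @'\\')[1] in KQL is null when there is no backslash and the bare
    user name lands in the domain column. Here a domain-less value is kept as the
    account name with an empty domain (assumption: local account or UPN style).
    """
    if not user:
        return "", ""
    if "\\" in user:
        domain, _, name = user.partition("\\")
        return domain, name
    return "", user


@dataclass(frozen=True)
class Alert:
    """One row of the rule output, named like the entity-mapping columns."""
    User: str
    AccountNTDomain: str
    AccountName: str
    Dvc: str
    DvcHostname: str
    TargetFileMD5: str
    AlgorithmType: str
    Family: str


def hunt_file_events(events: Iterable[dict]) -> list[Alert]:
    """Keep every event whose TargetFileMD5 is a known SUNBURST/SUPERNOVA hash."""
    alerts: list[Alert] = []
    for ev in events:
        md5 = normalize_md5(ev.get("TargetFileMD5"))
        if md5 is None or md5 not in IOC_FAMILY:
            continue
        domain, name = split_user(ev.get("User"))
        alerts.append(Alert(
            User=ev.get("User") or "", AccountNTDomain=domain, AccountName=name,
            Dvc=ev.get("Dvc", ""), DvcHostname=ev.get("DvcHostname", ""),
            TargetFileMD5=md5, AlgorithmType="MD5", Family=IOC_FAMILY[md5],
        ))
    return alerts


# Constructed sample events using imFileEvent field names (not real telemetry).
SAMPLE_EVENTS = [
    {   # SUNBURST hash reported in upper case by the source: must still match
        "EventType": "FileCreated", "User": "CORP\\svc_orion",
        "Dvc": "orion01.corp.example", "DvcHostname": "orion01",
        "TargetFilePath": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll",
        "TargetFileMD5": "B91CE2FA41029F6955BFF20079468448",
    },
    {   # SUPERNOVA hash written by a local account with no NT domain prefix
        "EventType": "FileCreated", "User": "orionweb",
        "Dvc": "orion01.corp.example", "DvcHostname": "orion01",
        "TargetFilePath": r"C:\inetpub\SolarWinds\bin\App_Web_logoimagehandler.ashx.b6031896.dll",
        "TargetFileMD5": "56ceb6d0011d87b6e4d7023d7ef85676",
    },
    {   # Benign event with an unrelated hash: must not alert
        "EventType": "FileModified", "User": "CORP\\alice",
        "Dvc": "ws42.corp.example", "DvcHostname": "ws42",
        "TargetFilePath": r"C:\Users\alice\notes.txt",
        "TargetFileMD5": "d41d8cd98f00b204e9800998ecf8427e",
    },
]

if __name__ == "__main__":
    for alert in hunt_file_events(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints two alerts, one per backdoor family, and drops the benign event; the upper-case SUNBURST hash matches only because of the normalization step, which is the behaviour to carry back into the KQL with `in~` if your file-event source does not lower-case hashes.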
```yaml
id: bc5ffe2a-84d6-48fe-bc7b-1055100469bc
name: SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
description: |
  Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
severity: High
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - Persistence
  - InitialAccess
relevantTechniques:
  - T1195
  - T1059
  - T1546
tags:
  - Id: a3c144f9-8051-47d4-ac29-ffb0c312c910
    version: 1.0.0
query: |
  let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
  let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
  imFileEvent
  | where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "MD5"
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: DvcHostname
      - identifier: DnsDomain
        columnName: DvcDomain
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: AlgorithmType
      - identifier: Value
        columnName: TargetFileMD5
version: 1.0.7
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yaron
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Intelligence" ]
```
| Sentinel Table | Notes |
|---|---|
| imFileEvent | ASIM File Event unifying parser, not a data connector. Deploy the ASIM parsers (https://aka.ms/ASimFileEvent) and connect at least one file-event source they cover (for example Sysmon or Microsoft Defender for Endpoint file events); with no source feeding the parser the rule runs but can never fire. |
MITRE ATT&CK techniques referenced by the rule:

- T1195 Supply Chain Compromise: Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise can take place at any sta
- T1059 Command and Scripting Interpreter: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu
- T1546 Event Triggered Execution: Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe t
Scenario: SolarWinds Orion update that delivers the trojanized DLL
Description: The SUNBURST hashes belong to SolarWinds.Orion.Core.BusinessLayer.dll as shipped in the backdoored Orion releases, so the file arrives through the normal, signed update process and is written by SolarWinds' own installer and service processes. A hit during a "routine update" is the supply-chain compromise itself, not a false positive.
Filter/Exclusion: None. Do not exclude events whose acting process is a SolarWinds binary (for example ActingProcessName contains "SolarWinds"); that suppresses the one condition under which this rule is expected to fire. Treat the host as compromised and start incident response.
Scenario: Backup or replication job copying an already-infected Orion installation
Description: Backup tools such as Veeam or Acronis copy file content byte for byte, so backing up a compromised Orion server reproduces the malicious hash on the backup target. A hash match does not depend on file names or directory structure; it fires only because the content is identical. The event on the backup server is evidence that the source host is compromised.
Filter/Exclusion: Do not exclude by ActingProcessName. Use TargetFilePath and DvcHostname to identify the system being backed up and pivot the investigation there.
Scenario: Security tooling handling the sample (quarantine, evidence collection, malware analysis)
Description: EDR quarantine, incident-response evidence collection or analysts storing samples on a research share create file events carrying these hashes. These are the only cases that are not themselves a compromise, and even then they show the sample was present somewhere in the environment.
Filter/Exclusion: Allow-list the specific hosts (DvcHostname) and paths (TargetFilePath) used for quarantine or sample storage, only after confirming the provenance of each file; keep the rule firing everywhere else.
Scenario: File integrity monitoring or hash-scanning tools
Description: FIM tools such as Tripwire read files to compute hashes; reading does not create, modify or rename a file and so does not by itself produce matching imFileEvent records. A FIM product can only surface these hashes if the malicious file is already present, which is again a true positive.
Filter/Exclusion: None for the FIM process itself. If the FIM product is also an imFileEvent log source, use EventVendor and EventProduct to avoid counting the same file twice, not to drop the match.
Scenario: PowerShell script execution for system maintenance
Description: A maintenance script (powershell.exe) cannot produce a SUNBURST or SUPERNOVA hash unless it writes a copy of the malicious file, for example by copying or extracting a compromised Orion package. Excluding on command-line keywords such as "maintenance" or "system cleanup" is an exclusion the adversary controls and can trivially satisfy.
Filter/Exclusion: None. Use ActingProcessCommandLine as an investigation pivot to find where the file came from, not as an exclusion.
Scenario: Deployment of a software package via SCCM or Ansible
Description: A software deployment tool like SCCM or Ansible may deploy a package that includes a file with