SUNBURST is the backdoor embedded in the trojanized SolarWinds.Orion.Core.BusinessLayer.dll. That DLL is loaded by the Orion service host SolarWinds.BusinessLayerHost.exe, so when the backdoor runs a command, executes a dropped payload or stages data for exfiltration, the activity shows up as a child process of that host. Legitimate Orion operation spawns only a small, known set of helper executables, so any other process started by SolarWinds.BusinessLayerHost.exe deserves a look. SOC teams should hunt for this behaviour proactively in Azure Sentinel, using the Defender for Endpoint process telemetry in DeviceProcessEvents, to detect and contain SUNBURST-related compromises early.
KQL Query
```kusto
let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
DeviceProcessEvents
| where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
| where not(FolderPath has_any (excludeProcs))
| extend
    timestamp = TimeGenerated,
    InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, "@")[1]),
    Algorithm = "MD5"
```
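To see what the two `where` clauses actually let through, the following Python re-implements the rule's logic over a handful of constructed DeviceProcessEvents rows. This is an added example, not code from the page or the rule's author. The exclusion list and parent name are copied from the query; the `has`/`has_any` helpers are an approximation of the KQL operators (case-insensitive, matching on alphanumeric terms of the path rather than the exact string), and the host name, account, UPN, SID and hash values are placeholders.

```python
import re
from dataclasses import dataclass

# Exclusion list and parent name copied from the page's KQL rule. The entries are
# path fragments, which is why the rule compares them with has_any, not ==.
EXCLUDE_PROCS = [
    r"\SolarWinds\Orion\APM\APMServiceControl.exe",
    r"\SolarWinds\Orion\ExportToPDFCmd.Exe",
    r"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe",
    r"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe",
    r"\SolarWinds\Orion\Database-Maint.exe",
    r"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe",
    r"\Windows\SysWOW64\WerFault.exe",
]
PARENT = "solarwinds.businesslayerhost.exe"


@dataclass
class DeviceProcessEvent:
    """Subset of DeviceProcessEvents columns that the rule reads."""
    TimeGenerated: str
    DeviceName: str
    FolderPath: str
    ProcessCommandLine: str
    MD5: str
    InitiatingProcessFileName: str
    InitiatingProcessAccountName: str
    InitiatingProcessAccountDomain: str
    InitiatingProcessAccountSid: str
    InitiatingProcessAccountUpn: str


def terms(text):
    """Approximation (assumption) of KQL term tokenisation: lower-cased alphanumeric runs."""
    return re.findall(r"[a-z0-9]+", text.lower())


def has(lhs, rhs):
    """Approximation of KQL `has`: the terms of rhs occur as one contiguous
    phrase among the terms of lhs. Case-insensitive, like the real operator."""
    l, r = terms(lhs), terms(rhs)
    return any(l[i:i + len(r)] == r for i in range(len(l) - len(r) + 1))


def has_any(lhs, values):
    return any(has(lhs, v) for v in values)


def upn_suffix(upn):
    """tostring(split(upn, "@")[1]): empty string when there is no '@'."""
    parts = upn.split("@")
    return parts[1] if len(parts) > 1 else ""


def run_rule(events):
    """Apply the rule's two filters and emit the columns its entity mappings use."""
    hits = []
    for e in events:
        if e.InitiatingProcessFileName.lower() != PARENT:   # =~ is case-insensitive
            continue
        if has_any(e.FolderPath, EXCLUDE_PROCS):
            continue
        hits.append({
            "timestamp": e.TimeGenerated,
            "HostName": e.DeviceName,
            "AccountName": e.InitiatingProcessAccountName,
            "NTDomain": e.InitiatingProcessAccountDomain,
            "Sid": e.InitiatingProcessAccountSid,
            "InitiatingProcessAccountUPNSuffix": upn_suffix(e.InitiatingProcessAccountUpn),
            "Algorithm": "MD5",
            "FileHash": e.MD5,
            "ChildPath": e.FolderPath,
            "CommandLine": e.ProcessCommandLine,
        })
    return hits


# Constructed telemetry for one Orion server. Host, account, SID and hash are
# placeholders, not real indicators.
def _ev(folder, cmd, parent=PARENT, upn="svc_orion@corp.example"):
    return DeviceProcessEvent(
        TimeGenerated="2020-12-14T03:12:00Z", DeviceName="ORION-POLL01",
        FolderPath=folder, ProcessCommandLine=cmd, MD5="0" * 32,
        InitiatingProcessFileName=parent, InitiatingProcessAccountName="svc_orion",
        InitiatingProcessAccountDomain="CORP", InitiatingProcessAccountSid="S-1-5-21-0-0-0-1234",
        InitiatingProcessAccountUpn=upn)


SAMPLE_EVENTS = [
    # Legitimate Orion helpers: excluded regardless of case or install drive.
    _ev(r"C:\Program Files (x86)\SolarWinds\Orion\APM\APMServiceControl.exe", "APMServiceControl.exe"),
    _ev(r"D:\Apps\SolarWinds\Orion\ExportToPDFCmd.exe", "ExportToPDFCmd.exe /q"),
    _ev(r"C:\Windows\SysWOW64\WerFault.exe", "WerFault.exe -u -p 4120"),
    # A shell started by the host process: exactly what the rule exists to surface.
    _ev(r"C:\Windows\System32\cmd.exe", 'cmd.exe /c "whoami /all > C:\\Windows\\Temp\\o.txt"'),
    # Same shell, but its parent is explorer.exe: an admin console, outside this rule's scope.
    _ev(r"C:\Windows\System32\cmd.exe", "cmd.exe", parent="explorer.exe", upn="admin@corp.example"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HostName"], hit["ChildPath"], hit["CommandLine"], hit["InitiatingProcessAccountUPNSuffix"])
```

Two details worth noticing: the exclusions are path fragments matched with `has_any`, so they cover any install drive and any letter case, and only the SysWOW64 copy of WerFault.exe is excluded, so a crash reported through the 64-bit WerFault.exe will still produce a hit.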
```yaml
id: 4a3073ac-7383-48a9-90a8-eb6716183a54
name: SUNBURST suspicious SolarWinds child processes
description: |
  Identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - Persistence
tags:
  - Solorigate
  - NOBELIUM
query: |
  let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "solarwinds.businesslayerhost.exe"
  | where not(FolderPath has_any (excludeProcs))
  | extend
      timestamp = TimeGenerated,
      InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, "@")[1]),
      Algorithm = "MD5"
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: InitiatingProcessAccountName
      - identifier: NTDomain
        columnName: InitiatingProcessAccountDomain
      - identifier: Sid
        columnName: InitiatingProcessAccountSid
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: Algorithm
      - identifier: Value
        columnName: MD5
version: 1.0.4
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: pemontto
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection" ]
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) connector from Defender for Endpoint; ensure the connector is enabled and that the Orion servers are onboarded to Defender for Endpoint, otherwise the rule runs against an empty table |
Scenario: Legitimate scheduled job execution
Description: A scheduled task or Orion job runs a script, and the script host is started by SolarWinds.BusinessLayerHost.exe (the process that loads SolarWinds.Orion.Core.BusinessLayer.dll) as part of routine maintenance.
Filter/Exclusion: Exclude on the exact ProcessCommandLine of the known script (e.g., a documented solarwinds_orion_maintenance.ps1; the name is only an example) together with its FolderPath, not on the script host alone, and verify the script's hash or signer before adding the exclusion.
Scenario: System update or patch installation
Description: Windows Update or SCCM activity on the Orion server. Those installers run under their own parents (svchost.exe hosting the wuauserv service, CcmExec.exe), not under SolarWinds.BusinessLayerHost.exe, so they do not match this rule; only an Orion hotfix or installer that the host process itself launches will.
Filter/Exclusion: Do not widen the parent filter. If an Orion updater is spawned by the host process, add its FolderPath to excludeProcs after confirming it is a signed SolarWinds binary.
Scenario: Admin task using PowerShell or CMD
Description: An administrator runs a PowerShell or CMD command through an Orion feature, such as an alert action that executes an external program, so the shell is started by SolarWinds.BusinessLayerHost.exe.
Filter/Exclusion: Do not exclude powershell.exe or cmd.exe by FileName: a shell launched by the host process is exactly what a SUNBURST-issued command looks like. Exclude on the specific ProcessCommandLine and on the InitiatingProcessAccountName or AccountName of the admin or service account, and keep the exclusion as narrow as the task.
Scenario: Third-party tool integration
Description: A monitoring or management tool (e.g., Nagios, PRTG) integrated with Orion causes the host process to spawn a helper executable as part of its operation.
Filter/Exclusion: Exclude the helper by FolderPath (as excludeProcs already does for SolarWinds' own helpers) or by the integration-specific flags in ProcessCommandLine; an exclusion on FileName alone is trivially spoofed.
Scenario: Log file parsing or data analysis
Description: A log analysis tool (e.g., Splunk, ELK) processes log files and spawns a child process of SolarWinds.BusinessLayerHost.exe for data ingestion
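The tuning advice above comes down to one rule: exclude on what the task actually is (path, command line, account), never on the shell's name. The following Python, an added example rather than anything from the page or the rule's author, applies both styles to a small set of constructed rule hits and then ranks what is left by how many hosts show the same child. The host names, the svc_orion and jdoe accounts, the script path and the command lines are all invented for the example.

```python
import re
from collections import defaultdict

# Constructed hits from the rule, limited to the DeviceProcessEvents columns used here.
# The script name, paths and command lines are examples, not real artefacts.
MAINT_CMD = r'powershell.exe -File "C:\ProgramData\SolarWinds\Scripts\solarwinds_orion_maintenance.ps1"'
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _hit(host, filename, folder, cmd, account="svc_orion"):
    return {"DeviceName": host, "FileName": filename, "FolderPath": folder,
            "ProcessCommandLine": cmd, "InitiatingProcessAccountName": account}


HITS = [
    # Documented nightly job: same script, same account, on every poller.
    _hit("ORION-POLL01", "powershell.exe", PS_PATH, MAINT_CMD),
    _hit("ORION-POLL02", "powershell.exe", PS_PATH, MAINT_CMD),
    _hit("ORION-POLL03", "powershell.exe", PS_PATH, MAINT_CMD),
    # Ad-hoc shell from the host process on one machine under the service account.
    _hit("ORION-POLL02", "cmd.exe", r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c "whoami /all > C:\Windows\Temp\o.txt"'),
    # Same script name, but run from a user-writable folder by a different account.
    _hit("ORION-POLL01", "powershell.exe", PS_PATH,
         r'powershell.exe -File "C:\Users\Public\solarwinds_orion_maintenance.ps1"', account="jdoe"),
]

SHELLS = {"cmd.exe", "powershell.exe"}


def blanket_exclude(hits):
    """Exclusion by shell name: drops every cmd.exe/powershell.exe child, good or bad."""
    return [h for h in hits if h["FileName"].lower() not in SHELLS]


# Narrow allow-list: (FolderPath pattern, ProcessCommandLine pattern, account), all must match.
ALLOWLIST = [
    (re.compile(r"\\windowspowershell\\v1\.0\\powershell\.exe$", re.I),
     re.compile(r'-file "c:\\programdata\\solarwinds\\scripts\\solarwinds_orion_maintenance\.ps1"$', re.I),
     "svc_orion"),
]


def is_allowed(h, allowlist=ALLOWLIST):
    return any(fp.search(h["FolderPath"]) and cl.search(h["ProcessCommandLine"])
               and h["InitiatingProcessAccountName"].lower() == acct
               for fp, cl, acct in allowlist)


def narrow_exclude(hits, allowlist=ALLOWLIST):
    """Exclusion keyed on the task itself: only the documented job disappears."""
    return [h for h in hits if not is_allowed(h, allowlist)]


def host_prevalence(hits):
    """Distinct hosts per (FolderPath, ProcessCommandLine) within the query period."""
    hosts = defaultdict(set)
    for h in hits:
        hosts[(h["FolderPath"].lower(), h["ProcessCommandLine"].lower())].add(h["DeviceName"])
    return {k: len(v) for k, v in hosts.items()}


def triage(hits, allowlist=ALLOWLIST, rare_below=3):
    """Apply the narrow allow-list, then rank the rest: a child seen on few hosts goes first."""
    prevalence = host_prevalence(hits)
    ranked = []
    for h in narrow_exclude(hits, allowlist):
        n = prevalence[(h["FolderPath"].lower(), h["ProcessCommandLine"].lower())]
        ranked.append({**h, "hosts_seen": n, "priority": "high" if n < rare_below else "review"})
    ranked.sort(key=lambda r: r["hosts_seen"])
    return ranked


if __name__ == "__main__":
    print("blanket exclusion leaves", len(blanket_exclude(HITS)), "hit(s)")
    for r in triage(HITS):
        print(r["priority"], r["DeviceName"], r["InitiatingProcessAccountName"], r["ProcessCommandLine"])
```

The blanket exclusion leaves nothing to look at, including the one-off cmd.exe and the copy of the maintenance script run from C:\Users\Public, which is the failure mode the "Admin task" scenario warns about. Prevalence is only a triage aid, not an exclusion: a supply-chain implant is present on every Orion server at once, so "seen on all hosts" does not by itself mean benign.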