SUNBURST is the backdoor that NOBELIUM planted in the digitally signed SolarWinds.Orion.Core.BusinessLayer.dll. That DLL is loaded by the Orion service host SolarWinds.BusinessLayerHost.exe, so anything the backdoor executes shows up as a child process of that host. Apart from a small set of first-party Orion helpers, the host has no reason to spawn children, which makes an unexpected child a high-signal indicator of post-compromise command execution, persistence setup or data staging. SOC teams should hunt for this behaviour proactively in Microsoft Sentinel (formerly Azure Sentinel) so that SUNBURST-related compromises are caught early.
KQL Query
```kusto
let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
imProcessCreate
// The parent (acting) process must be the Orion service host that loads the trojanized DLL ...
| where ActingProcessName hassuffix 'solarwinds.businesslayerhost.exe'
// ... and the child (target) process must not be one of Orion's known first-party helpers.
// Checking the same column for both conditions would match the host process itself, not its children.
| where not(TargetProcessName has_any (excludeProcs))
| extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
| extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
// The FileHash entity mapping reads an AlgorithmType column; the hash column projected is TargetFileMD5.
| extend AlgorithmType = "MD5"
| project-away DomainIndex
```
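The rule's filtering and entity extraction, modelled in Python over a few constructed process events so its edge cases can be checked offline: path-anchored exclusions, case-insensitive matching, a hostname without a DNS suffix, and a user name without a backslash. This is an added example, not code from the page or from the Sentinel rule. The field names follow the ASIM imProcessCreate columns the rule reads; the sample events, hostnames, account names and hash are constructed; and KQL `has` term matching is approximated by `has_phrase()`. The last assertion in the usage note also shows the tuning lever the false-positive section relies on: extending the exclusion list.

```python
"""Pure-Python model of the SUNBURST child-process rule (added example, not the rule's own code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Exclusion list as carried by the rule on this page.
EXCLUDE_PROCS = [
    r"\SolarWinds\Orion\APM\APMServiceControl.exe",
    r"\SolarWinds\Orion\ExportToPDFCmd.Exe",
    r"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe",
    r"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe",
    r"\SolarWinds\Orion\Database-Maint.exe",
    r"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe",
    r"\Windows\SysWOW64\WerFault.exe",
]
PARENT_SUFFIX = "solarwinds.businesslayerhost.exe"


@dataclass
class ProcessEvent:
    """The imProcessCreate columns the rule reads (constructed, not real telemetry)."""
    ActingProcessName: str   # parent image path
    TargetProcessName: str   # child image path
    ActorUsername: str       # DOMAIN\user as delivered by the source
    Dvc: str                 # device FQDN or bare hostname
    TargetFileMD5: str = ""  # placeholder hash, not a real indicator


def _terms(s: str) -> list[str]:
    # KQL splits on non-alphanumeric characters and compares case-insensitively.
    return re.findall(r"[a-z0-9]+", s.lower())


def has_phrase(haystack: str, needle: str) -> bool:
    """Approximation of KQL `has` with a multi-term right-hand side: the needle's
    terms must occur as a contiguous run of whole terms in the haystack. A path
    entry therefore matches under any drive or install root, but not a different
    directory (System32\\WerFault.exe does not match the SysWOW64 entry)."""
    h, n = _terms(haystack), _terms(needle)
    return bool(n) and any(h[i:i + len(n)] == n for i in range(len(h) - len(n) + 1))


def split_account(actor_username: str) -> tuple[str, str]:
    """Mirror split(ActorUsername, @'\\')[0] / [1] as (NTDomain, Name). Caveat kept
    on purpose: a UPN or bare user name has no backslash, so the rule puts the whole
    string into AccountNTDomain and leaves AccountName empty."""
    parts = actor_username.split("\\", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


def split_host(dvc: str) -> tuple[str, str]:
    """Mirror the HostName / HostNameDomain extends; the domain falls back to the
    full Dvc value when there is no dot, exactly as the iff() in the rule does."""
    idx = dvc.find(".")
    return (dvc.split(".")[0], dvc[idx + 1:] if idx != -1 else dvc)


def run_rule(events, exclude_procs=EXCLUDE_PROCS) -> list[dict]:
    """Apply the rule: parent must be SolarWinds.BusinessLayerHost.exe, child must not
    match any excluded path, then project the entity columns."""
    hits = []
    for ev in events:
        if not ev.ActingProcessName.lower().endswith(PARENT_SUFFIX):
            continue
        if any(has_phrase(ev.TargetProcessName, x) for x in exclude_procs):
            continue
        nt_domain, account = split_account(ev.ActorUsername)
        host, host_domain = split_host(ev.Dvc)
        hits.append({
            "Dvc": ev.Dvc, "HostName": host, "HostNameDomain": host_domain,
            "ActorUsername": ev.ActorUsername, "AccountNTDomain": nt_domain,
            "AccountName": account, "TargetProcessName": ev.TargetProcessName,
            "TargetFileMD5": ev.TargetFileMD5, "AlgorithmType": "MD5",
        })
    return hits


ORION = r"C:\Program Files (x86)\SolarWinds\Orion"
BLH = ORION + r"\SolarWinds.BusinessLayerHost.exe"
SVC = r"CONTOSO\svc_orion"

# Constructed sample events; the hash is a placeholder, not a real IOC.
SAMPLE_EVENTS = [
    # Excluded: first-party maintenance job, path matches the Database-Maint entry.
    ProcessEvent(BLH, ORION + r"\Database-Maint.exe", SVC, "orion-srv-01.contoso.local"),
    # Excluded: 32-bit WerFault; case differs from the list but `has` is case-insensitive.
    ProcessEvent(BLH, r"C:\WINDOWS\SYSWOW64\WERFAULT.EXE", SVC, "orion-srv-01.contoso.local"),
    # Fires: the 64-bit WerFault lives in System32, which the SysWOW64 entry does not cover.
    ProcessEvent(BLH, r"C:\Windows\System32\WerFault.exe", SVC, "orion-srv-01.contoso.local"),
    # Fires: a command interpreter under the business layer host is what the rule hunts for.
    ProcessEvent(BLH, r"C:\Windows\System32\cmd.exe", SVC, "orion-srv-02", "0123456789abcdef0123456789abcdef"),
    # Ignored: the host process itself starting under services.exe is not a child event.
    ProcessEvent(r"C:\Windows\System32\services.exe", BLH, r"NT AUTHORITY\SYSTEM", "orion-srv-01.contoso.local"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["HostName"], hit["AccountNTDomain"], hit["AccountName"], hit["TargetProcessName"])
```

Running the block yields two hits (System32\WerFault.exe and cmd.exe); calling `run_rule(SAMPLE_EVENTS, EXCLUDE_PROCS + [r"\Windows\System32\WerFault.exe"])` drops the first, which is how an exclusion for a confirmed-benign child is added without touching the parent filter.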
```yaml
id: 631d02df-ab51-46c1-8d72-32d0cfec0720
name: SUNBURST suspicious SolarWinds child processes (Normalized Process Events)
description: |
  Identifies suspicious child processes of SolarWinds.BusinessLayerHost.exe, the Orion service host that loads the trojanized SolarWinds.Orion.Core.BusinessLayer.dll, that may be evidence of the SUNBURST backdoor.
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimProcessEvent)
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - Persistence
relevantTechniques:
  - T1059
  - T1543
tags:
  - Id: 4a3073ac-7383-48a9-90a8-eb6716183a54
    version: 1.0.0
  - Schema: ASIMProcessEvent
    SchemaVersion: 0.1.0
  - Solorigate
  - NOBELIUM
query: |
  let excludeProcs = dynamic([@"\SolarWinds\Orion\APM\APMServiceControl.exe", @"\SolarWinds\Orion\ExportToPDFCmd.Exe", @"\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe", @"\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe", @"\SolarWinds\Orion\Database-Maint.exe", @"\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe", @"\Windows\SysWOW64\WerFault.exe"]);
  imProcessCreate
  // Parent (acting) process is the Orion service host; child (target) process is not a known Orion helper.
  | where ActingProcessName hassuffix 'solarwinds.businesslayerhost.exe'
  | where not(TargetProcessName has_any (excludeProcs))
  | extend AccountName = tostring(split(ActorUsername, @'\')[1]), AccountNTDomain = tostring(split(ActorUsername, @'\')[0])
  | extend HostName = tostring(split(Dvc, ".")[0]), DomainIndex = toint(indexof(Dvc, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Dvc, DomainIndex + 1), Dvc)
  // AlgorithmType is consumed by the FileHash entity mapping below.
  | extend AlgorithmType = "MD5"
  | project-away DomainIndex
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: ActorUsername
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: AlgorithmType
      - identifier: Value
        columnName: TargetFileMD5
version: 1.1.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Yuval Naor
  support:
    tier: Community
  categories:
    domains: [ "Security - 0-day Vulnerability" ]
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | This is an ASIM unifying parser, not a raw table. Deploy the ASIM ProcessEvent parsers and make sure at least one process-creation source they read (for example Windows Security event 4688, Sysmon event 1 or Defender for Endpoint DeviceProcessEvents) is connected, otherwise the rule runs against an empty result set and never fires. |
T1059 (Command and Scripting Interpreter): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu
T1543 (Create or Modify System Process): Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform backgroun
The rule already pins the parent to SolarWinds.BusinessLayerHost.exe, so every hit is a child of that host; exclusions on other parent names have no effect. The tuning lever is the excludeProcs list, and each entry is a path fragment matched by whole terms, so it covers the binary only under its expected directory.
Scenario: Orion's own scheduled jobs (database maintenance, PDF export, topology calculation, API polling, the credentials web API) are started by SolarWinds.BusinessLayerHost.exe as part of normal operation.
Filter/Exclusion: These are already in excludeProcs. Keep the entries as path fragments rather than bare file names so that a copy of Database-Maint.exe launched from a temp directory is still surfaced.
Scenario: A newer Orion release or add-on module introduces another helper executable that the host starts, producing the same hit on every Orion server after an upgrade.
Filter/Exclusion: Confirm the binary sits in the Orion installation directory and that its hash (TargetFileMD5) is identical across hosts and matches the vendor's shipped file, then add its path suffix to excludeProcs. A valid SolarWinds signature alone is not enough: SUNBURST itself shipped inside a signed SolarWinds component.
Scenario: Windows Error Reporting handles a crash of the host process and starts WerFault.exe.
Filter/Exclusion: The list covers the 32-bit WerFault.exe in SysWOW64, consistent with a 32-bit host process. If a 64-bit WerFault.exe from System32 appears, check the bitness of the host process on that server before adding a System32 entry.
Scenario: An administrator inspects or debugs the host process with Process Explorer, Procmon or Task Manager.
Filter/Exclusion: No exclusion needed. Those tools run under explorer.exe and attach to the host process; they do not become its children, so the rule does not fire on them.
Scenario: cmd.exe, powershell.exe, rundll32.exe or another interpreter appears as a child of the host process on a single server.
Filter/Exclusion: Do not exclude by name. An interpreter spawned by the business layer host is exactly the T1059 behaviour the rule exists to surface; triage the command line, the account (AccountNTDomain\AccountName) and the hash, and treat the server as suspect until shown otherwise.
Scenario: Other services on the same server (SQL Server, IIS) interact with Orion components as part of normal operations.
Filter/Exclusion: Processes they start have sqlservr.exe or w3wp.exe as their parent, not the business layer host, so they never match. If such a parent does show up in results, the source is mis-normalising ActingProcessName and the parser mapping, not the rule, needs fixing.