How to Use Azure Sentinel to Detect SolarWinds SUNBURST

The teams at Microsoft have been working over the past several days to put together some content for Azure Sentinel customers who may be affected by the recent SolarWinds ORION hack.

UPDATE: After this original post, the Microsoft teams delivered a more comprehensive post and is continually updating it. See that here: SolarWinds Post-Compromise Hunting with Azure Sentinel

Here’s the current list of collateral.

Detections and Hunting queries specific to the SolarWinds hack:

• SolarWinds TEARDROP memory-only dropper IOCs in Window’s defender Exploit Guard activity
• SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in DeviceFileEvents
• SolarWinds SUNBURST domain beacon IOCs in DeviceNetworkEvents
• Suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor
• Solorigate Defender Detections
• Solorigate Network Beacon
• Solorigate DNS Pattern
• Solorigate Encoded Domain in URL

Workbook for the SolarWinds hack:

• SolarWinds Post Compromise Hunting

Notebook for the SolarWinds hack:

• Guided Investigation – Solarwinds Post Compromise Activity

New and existing detections and hunting queries that will help expose similar compromise in the future:

• Hosts with new logons
• New user created and added to the built-in administrators group
• User account added to built in domain local or global group
• Tracking Privileged Account Rare Activity
• ADFS Certificate Export
• ADFS Key Export (Sysmon)
• Entropy for Processes for a given Host
• Rare processes run by Service accounts
• Uncommon processes – bottom 5%
• Modified domain federation trust settings
• New access credential added to Application or Service Principal
• Mail.Read Permissions Granted to Application
• Suspicious application consent similar to O365 Attack Toolkit
• Suspicious application consent for offline access
• Exchange workflow MailItemsAccessed operation anomaly
• Suspect Mailbox Export on IIS/OWA
• Host Exporting Mailbox and Removing Export

UPDATE: Since this blog release, Microsoft has now released the Detections as Analytics Rules automatically and directly in the Azure Sentinel console for all customers.

[Want to discuss this further? Hit me up on Twitter or LinkedIn]