A new SolarWinds vulnerability has been disclosed, this time in the Serv-U product. See SolarWinds Trust Center Security Advisories | CVE-2021-35211 for details.
UPDATE: We’ve now also released an “official” query in response to identifying the true actor behind this exploit. The query is here: Azure-Sentinel/DEV-0322_SolarWinds_Serv-U_IOC.yaml at master · Azure/Azure-Sentinel (github.com)
The following is a KQL query that can be used in Azure Sentinel when DeviceNetworkEvents log collection is enabled through the Microsoft 365 Defender (Preview) connector.
```kql
// Based on SolarWinds IOCs: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
let SolarU_IPs = pack_array("126.96.36.199", "188.8.131.52", "208.113.35.58");
DeviceNetworkEvents
| where TimeGenerated >= ago(7d)                                   // last seven days
| where RemotePort == 443
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"   // completed outbound TCP/443 connections
| where RemoteIP in (SolarU_IPs)                                   // ... to one of the published IOC addresses
```
You can always find the latest version of this query on my GitHub repo: SentinelKQL/Solarwinds_ServerU_Vuln.txt at master · rod-trent/SentinelKQL (github.com)
You can wrap this into an Azure Sentinel Hunting query, or turn it into an Analytics Rule.
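As an added example (not the official DEV-0322 rule linked above, and not code from the original post), here is the query packaged as a scheduled Analytics Rule in the YAML layout used by the Azure-Sentinel GitHub repository; the id is a placeholder, and the schedule, severity, tactic and the summarize/entity-mapping choices are my own assumptions.

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, generate a fresh one
name: SolarWinds Serv-U (CVE-2021-35211) outbound connection to known IOC IPs
description: |
  Flags successful outbound TCP/443 connections from endpoints to the IP addresses
  SolarWinds published as indicators for CVE-2021-35211. The IOC list is a
  point-in-time snapshot; re-check the advisory and update the list when it changes.
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection   # Microsoft 365 Defender connector
    dataTypes:
      - DeviceNetworkEvents
queryFrequency: 1h   # how often the rule runs
queryPeriod: 1d      # lookback window; the rule supplies the time filter, so the query needs none
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
query: |
  // Based on SolarWinds IOCs: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
  let SolarU_IPs = dynamic(["126.96.36.199", "188.8.131.52", "208.113.35.58"]);
  DeviceNetworkEvents
  | where RemotePort == 443
  | where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
  | where RemoteIP in (SolarU_IPs)
  // one row per device / initiating process / destination keeps incident volume manageable
  | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Connections = count()
      by DeviceName, DeviceId, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteIP
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: RemoteIP
version: 1.0.0
kind: Scheduled
```

Destination IPs are the weakest kind of indicator and rotate quickly, so run this alongside the official DEV-0322 query rather than relying on it alone.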