A new SolarWinds vulnerability has been disclosed, this time in the Serv-U product (CVE-2021-35211). See SolarWinds Trust Center Security Advisories | CVE-2021-35211 for details.
UPDATE: We’ve now also released an “official” query in response to identifying the true actor behind this exploit. The query is here: Azure-Sentinel/DEV-0322_SolarWinds_Serv-U_IOC.yaml at master · Azure/Azure-Sentinel (github.com)
The following is a KQL query that can be used in Azure Sentinel when the DeviceNetworkEvents table is collected through the Microsoft 365 Defender (Preview) connector. It matches only successful TCP connections to the advisory's IP addresses on port 443, so it will not surface blocked or failed connection attempts to those same addresses; widen the ActionType filter if you want to see those as well.

KQL query:
//Based on SolarWinds IOCs: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
// Attacker IP addresses from the advisory. All three must be dotted-decimal strings;
// an indicator with stray commas would never match RemoteIP and the query would silently return nothing.
let SolarU_IPs = pack_array("98.176.196.89", "68.235.178.32", "208.113.35.58");
DeviceNetworkEvents
// ago(7d) converts the 7-day timespan into a datetime boundary; comparing TimeGenerated to a bare timespan is not valid KQL
| where TimeGenerated >= ago(7d)
// The advisory reports the attacker connecting over TCP 443
| where RemotePort == 443
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| where RemoteIP in (SolarU_IPs)
// Keep the columns an analyst needs to triage a hit
| project TimeGenerated, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
You can always find the latest version of this query on my GitHub repo: SentinelKQL/Solarwinds_ServerU_Vuln.txt at master · rod-trent/SentinelKQL (github.com)
You can save this as an Azure Sentinel Hunting query, or turn it into an Analytics Rule so that matches raise incidents automatically.
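As an added example that is not part of the original post or of Microsoft's Sentinel content, here is the same filter written in Python and run over constructed rows in the DeviceNetworkEvents shape (not real telemetry). It adds the check a practitioner wants before deploying an IOC list: every indicator is parsed with the standard ipaddress module, so a mistyped entry such as "208,113,35,58" is reported instead of silently matching nothing. The field names mirror the DeviceNetworkEvents schema used in the query; the sample device names and timestamps are invented for the example.

```python
"""Added example, not part of the original post or Microsoft's Sentinel content.

Reproduces the KQL filter in Python over constructed DeviceNetworkEvents-shaped
rows and validates the IOC list first, because an indicator that is not a
well-formed IP address (for example "208,113,35,58") would never match RemoteIP.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Attacker IP addresses listed in the SolarWinds CVE-2021-35211 advisory.
SOLARU_IPS = ["98.176.196.89", "68.235.178.32", "208.113.35.58"]

# Constructed reference time for the sample data (assumption, not real telemetry).
NOW = datetime(2021, 7, 15, 12, 0, tzinfo=timezone.utc)


def split_iocs(ips):
    """Separate well-formed IP addresses from malformed entries.

    Returns (valid, malformed): valid is a set of normalized address strings,
    malformed is the list of inputs that ipaddress refused to parse.
    """
    valid, malformed = set(), []
    for ip in ips:
        try:
            valid.add(str(ipaddress.ip_address(ip.strip())))
        except ValueError:
            malformed.append(ip)
    return valid, malformed


def match_events(events, iocs, now, lookback=timedelta(days=7)):
    """Python equivalent of the KQL filter:
    TimeGenerated >= ago(7d), RemotePort == 443, Protocol == "Tcp",
    ActionType == "ConnectionSuccess", RemoteIP in (SolarU_IPs)."""
    cutoff = now - lookback
    return [
        e for e in events
        if e["TimeGenerated"] >= cutoff
        and e["RemotePort"] == 443
        and e["Protocol"] == "Tcp"
        and e["ActionType"] == "ConnectionSuccess"
        and e["RemoteIP"] in iocs
    ]


def run_detection(events, ips=SOLARU_IPS, now=NOW):
    """Validate the IOC list, then apply the filter. Refuses to run with a
    broken list rather than returning an empty, falsely reassuring result."""
    iocs, malformed = split_iocs(ips)
    if malformed:
        raise ValueError(f"malformed IOC entries: {malformed}")
    return match_events(events, iocs, now)


def _row(days_ago, device, ip, port=443, proto="Tcp", action="ConnectionSuccess"):
    """Build one constructed DeviceNetworkEvents-shaped row."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "DeviceName": device,
        "RemoteIP": ip,
        "RemotePort": port,
        "Protocol": proto,
        "ActionType": action,
        "InitiatingProcessFileName": "Serv-U.exe",
    }


# Constructed sample rows; only the first one satisfies every clause of the query.
SAMPLE_EVENTS = [
    _row(1, "servu01", "208.113.35.58"),                             # hit
    _row(10, "servu02", "98.176.196.89"),                            # IOC, but outside the 7-day window
    _row(2, "servu03", "68.235.178.32", port=22),                    # IOC, but not port 443
    _row(2, "servu04", "68.235.178.32", action="ConnectionFailed"),  # blocked attempt, not matched
    _row(2, "servu05", "8.8.8.8"),                                   # not an IOC
]

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["TimeGenerated"].isoformat(), hit["DeviceName"], hit["RemoteIP"])
```

The servu04 row shows the caveat about the query's ActionType clause: a host that tried and failed to reach an attacker address is arguably just as interesting as one that succeeded, but the filter as written drops it. Run split_iocs over any indicator list you paste into a query before publishing it as an Analytics Rule.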
=========================
[Want to discuss this further? Hit me up on Twitter or LinkedIn]