How to Use Azure Sentinel to Monitor for the Solarwinds Serv-U Remote Memory Escape Vulnerability

A new SolarWinds vulnerability has been disclosed, this time in the Serv-U product. See the SolarWinds Trust Center Security Advisory for CVE-2021-35211 for details.

UPDATE: An official query has now also been released, following identification of the actor behind this exploitation (tracked as DEV-0322). The query is here: Azure-Sentinel/DEV-0322_SolarWinds_Serv-U_IOC.yaml at master · Azure/Azure-Sentinel (github.com)

The following KQL query can be used in Azure Sentinel once DeviceNetworkEvents log collection is enabled through the Microsoft 365 Defender (Preview) connector.

DeviceNetworkEvents log collection

KQL query:

//Based on SolarWinds IOCs:  https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
// The advisory lists these three IP addresses and connections to them over TCP/443.
// Each entry must be a correctly formatted IPv4 address; a malformed entry never matches and fails silently.
let SolarU_IPs = pack_array("98.176.196.89", "68.235.178.32", "208.113.35.58");
DeviceNetworkEvents
| where TimeGenerated >= ago(7d)   // look back seven days (TimeGenerated is a datetime, so compare against ago(), not a bare timespan)
| where RemotePort == 443
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| where RemoteIP in (SolarU_IPs)

You can always find the latest version of this query on my GitHub repo: SentinelKQL/Solarwinds_ServerU_Vuln.txt at master · rod-trent/SentinelKQL (github.com)

You can run this as an Azure Sentinel Hunting query, or turn it into a scheduled Analytics Rule so it generates incidents on a match.
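As an added example (not the author's file or the official DEV-0322 rule), here is the query wrapped as a scheduled Analytics Rule in the YAML layout used by the Azure/Azure-Sentinel GitHub repository. The `id` is a placeholder GUID to be replaced, the 1h frequency/period and the High severity are assumed values, and the three IP addresses are the ones published in the linked SolarWinds advisory and should be re-checked against the current advisory before deployment:

```yaml
# Added example: scheduled Analytics Rule for the Serv-U IOC query.
# Not from the original post; id, severity and schedule are assumptions.
id: 00000000-0000-0000-0000-000000000000   # placeholder, generate a fresh GUID
name: SolarWinds Serv-U CVE-2021-35211 - connection to published IOC IP
description: |
  'Detects successful outbound TCP/443 connections from onboarded devices to the
  IP addresses published in the SolarWinds advisory for CVE-2021-35211.'
severity: High
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection   # Microsoft 365 Defender connector
    dataTypes:
      - DeviceNetworkEvents
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CommandAndControl
relevantTechniques:
  - T1071
query: |
  // IOCs from https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211
  let SolarU_IPs = pack_array("98.176.196.89", "68.235.178.32", "208.113.35.58");
  DeviceNetworkEvents
  // The scheduler already bounds the window to queryPeriod; this keeps the
  // query self-contained when pasted into Logs for an ad hoc run.
  | where TimeGenerated >= ago(1h)
  | where RemotePort == 443
  | where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
  | where RemoteIP in (SolarU_IPs)
  // Keep the process that made the connection so the alert is triageable
  | project TimeGenerated, DeviceName, DeviceId, InitiatingProcessFileName,
            InitiatingProcessCommandLine, LocalIP, RemoteIP, RemotePort
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: RemoteIP
version: 1.0.0
kind: Scheduled
```

With `triggerOperator: gt` and `triggerThreshold: 0`, any single matching row raises an alert, which is appropriate for a short list of actor-controlled IPs. The Host and IP entity mappings let Sentinel populate the incident with the affected device and the remote address, so the analyst does not have to re-run the query to see which Serv-U host made the connection.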
