update IOCs

cybermonitor 2020-12-14 16:06:19 +08:00
parent a8c519fa5f
commit 07dc07725c
47 changed files with 878 additions and 0 deletions

@ -0,0 +1,8 @@
Copyright 2020 by FireEye, Inc.
The 2-Clause BSD License
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

@ -0,0 +1,21 @@
# FireEye Mandiant SunBurst Countermeasures
These rules are provided freely to the community without warranty.
In this GitHub repository you will find rules in multiple languages:
- Snort
- Yara
- IOC
- ClamAV
The rules are categorized and labeled into two release states:
- Production: rules that are expected to perform with minimal tuning.
- Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.
Please check back to this GitHub for updates to these rules.
FireEye customers can refer to the FireEye Community (community.fireeye.com) for information on how FireEye products detect these threats.
The entire risk as to quality and performance of these rules is with the users.
Please review the FireEye blog for additional details on this threat.

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
APT_HackTool_PS1_COSMICGALE_1;Engine:81-255,Target:7;0&1&2&3&4&5&6&7&8;5b746578742e656e636f64696e675d3a3a61736369692e676574627974657328226e7470617373776f7264603022293b;73797374656d5c63757272656e74636f6e74726f6c7365745c636f6e74726f6c5c6c73615c245f;5b73656375726974792e63727970746f6772617068792e6d64355d3a3a6372656174652829;5b73797374656d2e73656375726974792e7072696e636970616c2e77696e646f77736964656e746974795d3a3a67657463757272656e7428292e6e616d65;6f75742d66696c65;636f6e76657274746f2d736563757265737472696e67;0/\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/;6/\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/;7/\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/
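Review bot: The logical signature on the last line appears to cover only the ASCII form of the COSMICGALE script (Target:7 with hex-encoded lowercase strings), whereas the YARA rule of the same name in this commit also carries `wide` modifiers, so a copy of the script saved by a UTF-16 editor would be matched by YARA but not by this ClamAV signature; if that gap is intended it should be stated in a comment, otherwise a second entry for the wide encoding is needed. The PCRE subsignatures use `6/` and `7/` as triggers, i.e. each is chained on the preceding PCRE rather than on a hex subsignature, which is valid but easy to misread; a leading `# subsigs 0-5 = hex strings, 6-8 = PCRE chained on the previous subsig` comment would help. The identical .ldb file in the later section of this commit has the same gap.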

@ -0,0 +1,29 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)
alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)
alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)
alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)
alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)
alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)
alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)
alert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; sid:77600837; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; sid:77600856; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)
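Review bot: None of the request-side rules in this file carry a `flow:` option, so for example sid 77600842 (`any any -> any any`, `Host:` followed by `.avsvmcloud.com` at `distance:0` with no `within`) fires on any TCP payload in either direction, including non-established packets and replayed captures, and the `Host:` anchor is satisfied by a match anywhere later in the packet. Adding `flow:established,to_server;` to sids 77600832–77600844, 77600851–77600855 and 77600837, `flow:established,to_client;` to the response-side sid 77600856, and `within:100;` after the `.avsvmcloud.com` content in sid 77600842 (as sids 77600851–77600855 already do) would cut that noise without changing what is detected. The rules also lack `classtype` and `reference` options that analysts use for triage. The single-rule BEACON files later in this commit (sids 77600840, 77600860, 77600863, 77600864, 77600865, 77600837, 77600856, 77600857, 77600858, 77600859) repeat the same rules and would take the same change.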

@ -0,0 +1,146 @@
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
import "pe"
rule APT_Backdoor_SUNBURST_1
{
meta:
author = "FireEye"
description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
strings:
$cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
$cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
$fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
$fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
$fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
$fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
$fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
$fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
$fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
condition:
$fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
}
rule APT_Backdoor_SUNBURST_2
{
meta:
author = "FireEye"
description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
strings:
$a = "0y3Kzy8BAA==" wide
$aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
$ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
$ac = "C88sSs1JLS4GAA==" wide
$ad = "C/UEAA==" wide
$ae = "C89MSU8tKQYA" wide
$af = "8wvwBQA=" wide
$ag = "cyzIz8nJBwA=" wide
$ah = "c87JL03xzc/LLMkvysxLBwA=" wide
$ai = "88tPSS0GAA==" wide
$aj = "C8vPKc1NLQYA" wide
$ak = "88wrSS1KS0xOLQYA" wide
$al = "c87PLcjPS80rKQYA" wide
$am = "Ky7PLNAvLUjRBwA=" wide
$an = "06vIzQEA" wide
$b = "0y3NyyxLLSpOzIlPTgQA" wide
$c = "001OBAA=" wide
$d = "0y0oysxNLKqMT04EAA==" wide
$e = "0y3JzE0tLknMLQAA" wide
$f = "003PyU9KzAEA" wide
$h = "0y1OTS4tSk1OBAA=" wide
$i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
$j = "c8rPSQEA" wide
$k = "c8rPSfEsSczJTAYA" wide
$l = "c60oKUp0ys9JAQA=" wide
$m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
$n = "8yxJzMlMBgA=" wide
$o = "88lMzygBAA==" wide
$p = "88lMzyjxLEnMyUwGAA==" wide
$q = "C0pNL81JLAIA" wide
$r = "C07NzXTKz0kBAA==" wide
$s = "C07NzXTKz0nxLEnMyUwGAA==" wide
$t = "yy9IzStOzCsGAA==" wide
$u = "y8svyQcA" wide
$v = "SytKTU3LzysBAA==" wide
$w = "C84vLUpOdc5PSQ0oygcA" wide
$x = "C84vLUpODU4tykwLKMoHAA==" wide
$y = "C84vLUpO9UjMC07MKwYA" wide
$z = "C84vLUpO9UjMC04tykwDAA==" wide
condition:
($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
}
rule APT_Webshell_SUPERNOVA_1
{
meta:
author = "FireEye"
description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
strings:
$compile1 = "CompileAssemblyFromSource"
$compile2 = "CreateCompiler"
$context = "ProcessRequest"
$httpmodule = "IHttpHandler" ascii
$string1 = "clazz"
$string2 = "//NetPerfMon//images//NoLogo.gif" wide
$string3 = "SolarWinds" ascii nocase wide
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile*) and all of ($string*)
}
rule APT_Webshell_SUPERNOVA_2
{
meta:
author = "FireEye"
description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
strings:
$dynamic = "DynamicRun"
$solar = "Solarwinds" nocase
$string1 = "codes"
$string2 = "clazz"
$string3 = "method"
$string4 = "args"
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and 3 of ($string*) and $dynamic and $solar
}
rule APT_HackTool_PS1_COSMICGALE_1
{
meta:
author = "FireEye"
description = "This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
strings:
$sr1 = /\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/ ascii nocase wide
$sr2 = /\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/ ascii nocase wide
$sr3 = /\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/ ascii nocase wide
$ss1 = "[text.encoding]::ascii.getbytes(\"ntpassword\x600\");" ascii nocase wide
$ss2 = "system\\currentcontrolset\\control\\lsa\\$_" ascii nocase wide
$ss3 = "[security.cryptography.md5]::create()" ascii nocase wide
$ss4 = "[system.security.principal.windowsidentity]::getcurrent().name" ascii nocase wide
$ss5 = "out-file" ascii nocase wide
$ss6 = "convertto-securestring" ascii nocase wide
condition:
all of them
}
rule APT_Dropper_Raw64_TEARDROP_1
{
meta:
author = "FireEye"
description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
strings:
$sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
$sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
$sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
condition:
all of them
}
rule APT_Dropper_Win64_TEARDROP_1
{
meta:
author = "FireEye"
description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
strings:
$loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
$loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
$loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
$loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
$loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
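Review bot: In the condition of `APT_Backdoor_SUNBURST_1` the third pair is `($fake_orion_message_encoded and $fake_orion_message_plain)` while the two sibling pairs use `or`, so that branch only fires when both the base64-encoded and the plaintext form of the same string are present; unless that is known to hold for every sample, it looks like a copy error and `($fake_orion_message_encoded or $fake_orion_message_plain)` is what the sibling pairs suggest. The same line mixes `and` and `or` with no outer grouping and relies on `and` binding tighter; `($fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain)) or ( ... )` makes the intent explicit. `APT_Backdoor_SUNBURST_1` and `APT_Backdoor_SUNBURST_2` have no file-type or size guard, unlike the SUPERNOVA and TEARDROP rules; that is probably deliberate so the wide strings also match in memory or decompiled output, but a `meta` line saying so would save the next maintainer the question. The description of `APT_Dropper_Win64_TEARDROP_1` reads `is intended match`; it should read `is intended to match`.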

@ -0,0 +1,84 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
The following hashes are checked against processes, services, and drivers by SUNBURST. The hash is calculated by performing a FNV-1a 64bit hash of the lowercase string then XOR by 6605813339339102567.
-------------------------------------------
fekern 6274014997237900919
sense 16335643316870329598
windefend 917638920165491138
afwserv 1368907909245890092
atrsdfw.sys 15194901817027173566
autopsy 4821863173800309721
accept 2734787258623754862
avastsvc 8146185202538899243
avastui 11818825521849580123
avgsvc 3660705254426876796
avgsvca 3890794756780010537
avgsvcx 3890769468012566366
avgui 12709986806548166638
avp 13611051401579634621
avpui 18147627057830191163
brcow_x_x_x_x.sys 12679195163651834776
brfilter.sys 1614465773938842903
cavp 17204844226884380288
cb 5984963105389676759
crexecprev.sys 18159703063075866524
cutter 12790084614253405985
cve.sys 16570804352575357627
cybkerneltracker.sys 17097380490166623672
date 16066522799090129502
dgdmk.sys 3626142665768487764
dnsd 13316211011159594063
dnspy 13825071784440082496
eamonm 15587050164583443069
eaw.sys 12718416789200275332
eelam 9559632696372799208
egui 607197993339007484
ehdrv 4931721628717906635
ekrn 3200333496547938354
epfw 17939405613729073960
fakenet 576626207276463000
feelam 15092207615430402812
ffdec 7412338704062093516
floss 18150909006539876521
fsaua 12445177985737237804
fsaus 12445232961318634374
fsbts 9333057603143916814
fsdfw 10393903804869831898
fses 3413052607651207697
fsfw 3407972863931386250
fsma 3421213182954201407
fsms 3421197789791424393
fsni 3413886037471417852
fsorsp 17978774977754553159
gdb 10336842116636872171
groundling32.sys 6943102301517884811
groundling64.sys 13544031715334011032
hexisfsmonitor.sys 397780960855462669
idaq 14256853800858727521
idr 8129411991672431889
ildasm 15997665423159927228
ilspy 10829648878147112121
ksde 17633734304611248415
ksdeui 13581776705111912829
libwamf.sys 17984632978012874803
lordpe 3656637464651387014
lragentmf.sys 2717025511528702475
peid 9531326785919727076
peview 2478231962306073784
ppee 14710585101020280896
psepfilter.sys 835151375515278827
regmon 18294908219222222902
rvsavd.sys 18392881921099771407
safe-agent.sys 11801746708619571308
scdbg 14868920869169964081
sentinelmonitor.sys 12343334044036541897
sysmon 14111374107076822891
tanium 7175363135479931834
windbg 3045986759481489935
windump 17109238199226571972
winhex 5945487981219695001
winobj 8052533790968282297
xagt 15695338751700748390
fe_avk 9384605490088500348
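Review bot: The header line gives the hash recipe (FNV-1a 64-bit over the lowercased name, then XOR with 6605813339339102567) but not which byte encoding of the string is fed to the hash, so anyone reproducing a value to check a new name cannot tell whether UTF-8 or UTF-16 input is expected; suggest a leading `# hash input: <encoding> bytes of the lowercased name — confirm against the sample's hash routine` comment. The list also does not mark which of the three categories named in the header (process, service, driver) each entry belongs to; the `.sys` suffix suggests drivers, the rest is ambiguous, and a third column would make the table usable for per-list matching. The `#` license lines and the `---` separator mean a consumer has to skip non-`name hash` lines rather than parse the file as a strict two-column table, which is worth stating in the header.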

@ -0,0 +1,8 @@
SHA256 ,SHA1 ,MD5 ,FILENAME ,MIME ,Malware Family,Role 
d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 ,1b476f58ca366b54f34d714ffce3fd73cc30db1a ,02af7cec58b9a5da1c542b5a32151ba1 ,CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp ,application/vnd.ms-office ,SUNBURST ,Installer 
53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 ,47d92d49e6f7f296260da1af355f941eb25360c4 ,08e35543d6110ed11fdf558bb093d401 ,"Solarwinds Worldwide, LLC ",application/x-x509-server-cert ,Code Signing Certificate ,Legitimate SolarWinds code-signing certificate
019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 ,2f1a5a7411d015d01aaee4535835400191645023 ,2c4a910a1299cdae2a4e55988a2f102e ,SolarWinds.Orion.Core.BusinessLayer.dll ,application/x-dosexec ,SUNBURST ,backdoor
ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 ,d130bd75645c2433f88ac03e73395fba172ef676 ,846e27a652a5e1bfbd0ddd38a16dc865 ,SolarWinds.Orion.Core.BusinessLayer.dll ,application/x-dosexec ,SUNBURST ,backdoor
32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 ,76640508b1e7759e548771a5359eaed353bf1eec ,b91ce2fa41029f6955bff20079468448 ,SolarWinds.Orion.Core.BusinessLayer.dll ,application/x-dosexec ,SUNBURST ,backdoor
292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 ,c2c30b3a287d82f88753c85cfb11ec9eb1466bad ,4f2eb62fa529c0283b28d05ddd311fae ,OrionImprovementBusinessLayer.2.cs ,text/plain ,SUNBURST ,Decompiled and corrected source code for SUNBURST 
c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 ,75af292f34789a1c782ea36c7127bf6106f595e8 ,56ceb6d0011d87b6e4d7023d7ef85676 ,app_web_logoimagehandler.ashx.b6031896.dll ,application/x-dosexec ,SUPERNOVA ,Webshell
1 SHA256  SHA1  MD5  FILENAME  MIME  Malware Family Role 
2 d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600  1b476f58ca366b54f34d714ffce3fd73cc30db1a  02af7cec58b9a5da1c542b5a32151ba1  CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp  application/vnd.ms-office  SUNBURST  Installer 
3 53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7  47d92d49e6f7f296260da1af355f941eb25360c4  08e35543d6110ed11fdf558bb093d401  Solarwinds Worldwide, LLC  application/x-x509-server-cert  Code Signing Certificate  Legitimate SolarWinds code-signing certificate
4 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134  2f1a5a7411d015d01aaee4535835400191645023  2c4a910a1299cdae2a4e55988a2f102e  SolarWinds.Orion.Core.BusinessLayer.dll  application/x-dosexec  SUNBURST  backdoor
5 ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6  d130bd75645c2433f88ac03e73395fba172ef676  846e27a652a5e1bfbd0ddd38a16dc865  SolarWinds.Orion.Core.BusinessLayer.dll  application/x-dosexec  SUNBURST  backdoor
6 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77  76640508b1e7759e548771a5359eaed353bf1eec  b91ce2fa41029f6955bff20079468448  SolarWinds.Orion.Core.BusinessLayer.dll  application/x-dosexec  SUNBURST  backdoor
7 292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712  c2c30b3a287d82f88753c85cfb11ec9eb1466bad  4f2eb62fa529c0283b28d05ddd311fae  OrionImprovementBusinessLayer.2.cs  text/plain  SUNBURST  Decompiled and corrected source code for SUNBURST 
8 c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71  75af292f34789a1c782ea36c7127bf6106f595e8  56ceb6d0011d87b6e4d7023d7ef85676  app_web_logoimagehandler.ashx.b6031896.dll  application/x-dosexec  SUPERNOVA  Webshell
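Review bot: The CSV header and every value field carry a trailing space before the comma (`SHA256 ,SHA1 ,MD5 ,...`, `...d5600 ,1b476f...`), so a strict parser yields column names and hashes with whitespace attached and exact-match lookups on `SHA256` or on the hash strings fail; trimming the fields (`SHA256,SHA1,MD5,FILENAME,MIME,Malware Family,Role`) or documenting that consumers must strip whitespace is needed. The `Role` column mixes a controlled vocabulary (`Installer`, `backdoor`, `Webshell`) with free text, and `backdoor` is lowercase while the others are capitalized, which breaks grouping by role. The certificate row is a legitimate SolarWinds artifact rather than malware, as its `Role` text says, but a `Malware Family` value of `Code Signing Certificate` does not make that obvious to a tool that treats every row as a blocking indicator; blocking on that SHA256 could affect unrelated signed software.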

@ -0,0 +1,17 @@
Associated Malware,DNS Record Type ,FQDN,IP,Target,First Seen,Last Seen
SUNBURST,CNAME ,6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com ,,freescanonline[.]com ,2020-06-13 09:20:41 ,2020-06-13 09:20:41 
SUNBURST,CNAME ,7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com ,,deftsecurity[.]com ,2020-06-11 22:37:33 ,2020-06-11 22:37:33 
SUNBURST,CNAME ,gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com ,,freescanonline[.]com ,2020-06-13 08:48:40 ,2020-06-13 08:48:41 
SUNBURST,CNAME ,ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com ,,thedoccloud[.]com ,2020-06-20 02:54:06 ,2020-06-20 02:54:06 
SUNBURST,CNAME ,k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com ,,thedoccloud[.]com ,2020-07-22 17:15:57 ,2020-07-22 17:15:58 
SUNBURST,CNAME ,mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com ,,thedoccloud[.]com ,2020-07-23 18:43:00 ,2020-07-23 18:43:00 
SUNBURST,A ,deftsecurity[.]com ,13.59.205.66 ,,2020-02-14 03:47:49 ,2020-12-13 19:28:44 
SUNBURST,A ,freescanonline[.]com ,54.193.127.66 ,,2020-02-11 11:00:04 ,2020-12-13 19:25:56 
SUNBURST,A ,thedoccloud[.]com ,54.215.192.52 ,,2020-02-09 20:03:38 ,2020-12-10 03:24:23 
SUNBURST,A ,websitetheme[.]com ,34.203.203.23 ,,2020-02-04 16:27:45 ,2020-06-25 23:58:55 
SUNBURST,A ,highdatabase[.]com ,139.99.115.204 ,,2019-12-28 00:07:06 ,2020-12-06 03:51:20 
BEACON,A ,incomeupdate[.]com,5.252.177.25,,10/4/19 17:57,10/1/20 18:45
,A,databasegalore[.]com,5.252.177.21,,3/12/20 10:49,12/13/20 21:23
,A,panhardware[.]com,204.188.205.176,,3/11/20 15:32,12/13/20 21:23
,A,zupertech[.]com,51.89.125.18,,5/14/20 3:09,12/13/20 21:31
,A,zupertech[.]com,167.114.213.199,,8/18/16 13:06,11/12/17 16:23
1 Associated Malware DNS Record Type FQDN IP Target First Seen Last Seen
2 SUNBURST CNAME  6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com  freescanonline[.]com  2020-06-13 09:20:41  2020-06-13 09:20:41 
3 SUNBURST CNAME  7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com  deftsecurity[.]com  2020-06-11 22:37:33  2020-06-11 22:37:33 
4 SUNBURST CNAME  gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com  freescanonline[.]com  2020-06-13 08:48:40  2020-06-13 08:48:41 
5 SUNBURST CNAME  ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com  thedoccloud[.]com  2020-06-20 02:54:06  2020-06-20 02:54:06 
6 SUNBURST CNAME  k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com  thedoccloud[.]com  2020-07-22 17:15:57  2020-07-22 17:15:58 
7 SUNBURST CNAME  mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com  thedoccloud[.]com  2020-07-23 18:43:00  2020-07-23 18:43:00 
8 SUNBURST deftsecurity[.]com  13.59.205.66  2020-02-14 03:47:49  2020-12-13 19:28:44 
9 SUNBURST freescanonline[.]com  54.193.127.66  2020-02-11 11:00:04  2020-12-13 19:25:56 
10 SUNBURST thedoccloud[.]com  54.215.192.52  2020-02-09 20:03:38  2020-12-10 03:24:23 
11 SUNBURST websitetheme[.]com  34.203.203.23  2020-02-04 16:27:45  2020-06-25 23:58:55 
12 SUNBURST highdatabase[.]com  139.99.115.204  2019-12-28 00:07:06  2020-12-06 03:51:20 
13 BEACON incomeupdate[.]com 5.252.177.25 10/4/19 17:57 10/1/20 18:45
14 A databasegalore[.]com 5.252.177.21 3/12/20 10:49 12/13/20 21:23
15 A panhardware[.]com 204.188.205.176 3/11/20 15:32 12/13/20 21:23
16 A zupertech[.]com 51.89.125.18 5/14/20 3:09 12/13/20 21:31
17 A zupertech[.]com 167.114.213.199 8/18/16 13:06 11/12/17 16:23
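Review bot: Rows 14–17 have an empty `Associated Malware` field and the `First Seen`/`Last Seen` columns switch from ISO `YYYY-MM-DD HH:MM:SS` (rows 2–12) to `M/D/YY H:MM` (rows 13–17), so a consumer keyed on malware family drops the last four BEACON domains and date parsing needs two formats; filling in `BEACON` and normalizing to one timestamp format fixes both. Trailing spaces inside fields (`CNAME ,`, `freescanonline[.]com ,`) have the same effect as in the hash CSV earlier in this commit. The last row (`zupertech[.]com`, 167.114.213.199, seen 2016–2017) is a historical resolution that predates the rest of the data; if it is not meant as an active indicator it should be labelled as such, since the Snort rules elsewhere in this commit match the domain regardless of IP. The domains are defanged with `[.]` here while the Snort rules use the plain form, so anyone copying between the two files has to refang.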

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; sid:77600837; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; sid:77600856; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)

@ -0,0 +1,4 @@
# Copyright 2020 by FireEye, Inc.
# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)

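--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)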

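--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+APT_HackTool_PS1_COSMICGALE_1;Engine:81-255,Target:7;0&1&2&3&4&5&6&7&8;5b746578742e656e636f64696e675d3a3a61736369692e676574627974657328226e7470617373776f7264603022293b;73797374656d5c63757272656e74636f6e74726f6c7365745c636f6e74726f6c5c6c73615c245f;5b73656375726974792e63727970746f6772617068792e6d64355d3a3a6372656174652829;5b73797374656d2e73656375726974792e7072696e636970616c2e77696e646f77736964656e746974795d3a3a67657463757272656e7428292e6e616d65;6f75742d66696c65;636f6e76657274746f2d736563757265737472696e67;0/\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/;6/\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/;7/\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/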
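Review bot: The logical signature carries no description of what it detects, while its YARA twin APT_HackTool_PS1_COSMICGALE_1 in this commit has one; a `#` line above it such as `# COSMICGALE credential-theft/recon PowerShell script; mirrors YARA rule APT_HackTool_PS1_COSMICGALE_1` would keep the two in sync for maintainers. The YARA rule matches both `ascii` and `wide`, whereas these hex subsignatures are single-byte ASCII; whether `Target:7` normalization also covers UTF-16LE-saved .ps1 files is worth confirming and stating in that comment, since otherwise the two rules' coverage differs. In the second PCRE subsignature `0x0c..0x0f` the `..` is unescaped and matches any two characters rather than the PowerShell range operator; `0x0c\.\.0x0f` is the literal form.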

@ -0,0 +1,22 @@
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
rule APT_HackTool_PS1_COSMICGALE_1
{
meta:
author = "FireEye"
description = "This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
strings:
$sr1 = /\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/ ascii nocase wide
$sr2 = /\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/ ascii nocase wide
$sr3 = /\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/ ascii nocase wide
$ss1 = "[text.encoding]::ascii.getbytes(\"ntpassword\x600\");" ascii nocase wide
$ss2 = "system\\currentcontrolset\\control\\lsa\\$_" ascii nocase wide
$ss3 = "[security.cryptography.md5]::create()" ascii nocase wide
$ss4 = "[system.security.principal.windowsidentity]::getcurrent().name" ascii nocase wide
$ss5 = "out-file" ascii nocase wide
$ss6 = "convertto-securestring" ascii nocase wide
condition:
all of them
}
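Review bot: In `$sr2` the `..` of `\[0x0c..0x0f\]` is unescaped, so it matches any two characters instead of the PowerShell range operator literally; `\[0x0c\.\.0x0f\]` is the intended form, and the ClamAV counterpart in this commit has the same slip. The meta block has only `author` and `description`; adding `date = "<release date>"` and a `reference` pointing at the published write-up would let consumers track provenance across revisions. `all of them` across nine strings is deliberately tight, which suits a hack-tool signature; saying so in the description tells tuners that loosening it is a trade-off rather than a fix.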

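--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="281d5077-b45a-43a8-8869-7924a3c2c1a0" last-modified="2020-12-13T21:34:13Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+<metadata>
+<short_description>SUNBURST COMPROMISE INDICATORS</short_description>
+<description>This rule identifies indicators which FireEye associates with the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+<authored_by>FireEye</authored_by>
+<authored_date>2020-12-12T01:00:34Z</authored_date>
+<links>
+<link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+</links>
+</metadata>
+<criteria>
+<Indicator operator="OR" id="46bf5cf1-c9df-41cd-bd29-68936cc75421">
+<IndicatorItem id="123f4632-ad70-4672-ab56-fdcc49c68e74" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+<Content type="md5">b91ce2fa41029f6955bff20079468448</Content>
+</IndicatorItem>
+<IndicatorItem id="3c6f60a1-e2ce-45ed-936a-79b09a43d25f" condition="contains" preserve-case="false" negate="false">
+<Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+<Content type="string">freescanonline.com</Content>
+</IndicatorItem>
+<IndicatorItem id="2a86b61a-1ae6-416f-b7fb-2b87c005547f" condition="contains" preserve-case="false" negate="false">
+<Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+<Content type="string">thedoccloud.com</Content>
+</IndicatorItem>
+<IndicatorItem id="29845534-0a9c-4917-8459-ca7578385823" condition="contains" preserve-case="false" negate="false">
+<Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+<Content type="string">deftsecurity.com</Content>
+</IndicatorItem>
+<IndicatorItem id="b72939a1-7f99-45bf-85c4-cba0725b9020" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">deftsecurity.com</Content>
+</IndicatorItem>
+<IndicatorItem id="69eb9481-85ee-4bf2-96d6-394fe1a364cf" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">thedoccloud.com</Content>
+</IndicatorItem>
+<IndicatorItem id="3360b703-e021-4172-a238-184565df29b9" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">freescanonline.com</Content>
+</IndicatorItem>
+<IndicatorItem id="6001b4b6-7efc-4db5-a386-0fbd8602ad14" condition="contains" preserve-case="false" negate="false">
+<Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+<Content type="string">avsvmcloud.com</Content>
+</IndicatorItem>
+<IndicatorItem id="9660adca-f41c-440f-bd3e-72750f9d8e30" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">avsvmcloud.com</Content>
+</IndicatorItem>
+<IndicatorItem id="7416cdc1-641b-41e5-aa1c-4661a09a98c6" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+<Content type="md5">02af7cec58b9a5da1c542b5a32151ba1</Content>
+</IndicatorItem>
+<IndicatorItem id="b9a81581-94ae-427f-a350-b41b971207cf" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+<Content type="md5">2c4a910a1299cdae2a4e55988a2f102e</Content>
+</IndicatorItem>
+<IndicatorItem id="79f5957b-2abf-4bab-a778-1bfba7de214d" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+<Content type="md5">846e27a652a5e1bfbd0ddd38a16dc865</Content>
+</IndicatorItem>
+<IndicatorItem id="5010ef2c-3d91-477a-94b3-513be90c0cf2" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+<Content type="md5">4f2eb62fa529c0283b28d05ddd311fae</Content>
+</IndicatorItem>
+<IndicatorItem id="d1357eea-3de2-4481-b962-640a187e2521" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">databasegalore.com</Content>
+</IndicatorItem>
+<IndicatorItem id="45c00aa0-c79b-41ac-a899-aec584b62b0a" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">panhardware.com</Content>
+</IndicatorItem>
+<IndicatorItem id="84f90f69-8c5b-4533-a6e4-bf94ab1bd1b6" condition="contains" preserve-case="false" negate="false">
+<Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+<Content type="string">panhardware.com</Content>
+</IndicatorItem>
+<IndicatorItem id="7f1a5177-2f4d-4aff-a93f-d20416cebb71" condition="contains" preserve-case="false" negate="false">
+<Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+<Content type="string">databasegalore.com</Content>
+</IndicatorItem>
+</Indicator>
+</criteria>
+<parameters />
+</OpenIOC>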
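Review bot: The hostname items use `condition="contains"`, which also fires on any host name that merely embeds one of these strings inside a longer label; `ends-with`, as this commit already uses for processPath, would still cover subdomains while excluding such hits. The domain set here (freescanonline.com, thedoccloud.com, deftsecurity.com, avsvmcloud.com, databasegalore.com, panhardware.com) differs from the SUNBURST Snort rules in the same commit, which add digitalcollege.org and virtualdataserver.com but lack databasegalore.com and panhardware.com; if the split is intentional the description should say so, otherwise the two lists should be reconciled. The file indicators are MD5-only; if the event source exposes a SHA-256 field, carrying it alongside each MD5 item would make the hash matches robust to MD5's known weaknesses.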

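--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="2bac7506-80cc-4740-bbcc-2bbe1e4a43dd" last-modified="2020-12-13T19:53:27Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+<metadata>
+<short_description>SUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY)</short_description>
+<description>This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+<authored_by>FireEye</authored_by>
+<authored_date>2020-12-12T01:42:55Z</authored_date>
+<links>
+<link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+</links>
+</metadata>
+<criteria>
+<Indicator operator="OR" id="f8145695-7b14-4fc1-a77d-9d1260dd677e">
+<Indicator operator="AND" id="dc96ab8b-0d7b-45a6-9ff2-45d1db09e6f2">
+<IndicatorItem id="70e0822c-00b3-466f-9e9e-fc20f9b5afb8" condition="is" preserve-case="false" negate="false">
+<Context document="processEvent" search="processEvent/parentProcess" type="event" />
+<Content type="string">solarwinds.businesslayerhost.exe</Content>
+</IndicatorItem>
+<IndicatorItem id="31f1de7f-27f8-491a-8ab1-70f1f80f2553" condition="is" preserve-case="false" negate="false">
+<Context document="processEvent" search="processEvent/eventType" type="event" />
+<Content type="string">start</Content>
+</IndicatorItem>
+<IndicatorItem id="35c4033b-199f-4476-b2f7-b53aa391daf3" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\SolarWinds\Orion\APM\APMServiceControl.exe</Content>
+</IndicatorItem>
+<IndicatorItem id="c5571421-cbda-402f-b792-79f31dae87c8" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\SolarWinds\Orion\ExportToPDFCmd.Exe</Content>
+</IndicatorItem>
+<IndicatorItem id="030272f5-7485-4a89-bf24-3792633c342c" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe</Content>
+</IndicatorItem>
+<IndicatorItem id="588f1499-66f1-4a1e-acd3-c905a8a5f921" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe</Content>
+</IndicatorItem>
+<IndicatorItem id="260d72ac-f2d5-48d1-a75f-ef8f70a3db1c" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\SolarWinds\Orion\Database-Maint.exe</Content>
+</IndicatorItem>
+<IndicatorItem id="e0b75c50-b2f3-450e-85e3-982acef5cab0" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe</Content>
+</IndicatorItem>
+<IndicatorItem id="1bf853d6-552f-4f89-90e9-50b7ffc408c0" condition="ends-with" preserve-case="false" negate="true">
+<Context document="processEvent" search="processEvent/processPath" type="event" />
+<Content type="string">\Windows\SysWOW64\WerFault.exe</Content>
+</IndicatorItem>
+</Indicator>
+</Indicator>
+</criteria>
+<parameters />
+</OpenIOC>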
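Review bot: The allow-list is built from negated `ends-with` path suffixes, so a binary with the same file name under a same-named directory anywhere on disk is excluded as well, not only the one under the Orion install root; if the event source exposes signer or hash fields, pairing each exclusion with one would close that gap, and otherwise anchoring the suffix with the full install path would narrow it. Only `\Windows\SysWOW64\WerFault.exe` is excluded; if the host process can run as 64-bit on some deployments the System32 variant will surface as a hit, which is the kind of tuning the description already warns about but could name explicitly. The description speaks of child processes of SolarWinds.Orion.Core.BusinessLayer.dll while the item matches `parentProcess` against `solarwinds.businesslayerhost.exe`; a sentence saying the exe is the host that loads the DLL would make that mapping clear to analysts.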

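--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="c6286e1b-10bd-4046-8aff-0dbcc5b1e974" last-modified="2020-12-13T19:52:47Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+<metadata>
+<short_description>SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY)</short_description>
+<description>This rule identifies writes of specific file types associated with activity related to the SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. This rule may generate false positives depending on the configuration of SolarWinds in a given environment, and may require tuning to exclude legitimate activity. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+<authored_by>FireEye</authored_by>
+<authored_date>2020-12-12T01:51:30Z</authored_date>
+<links>
+<link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+</links>
+</metadata>
+<criteria>
+<Indicator operator="OR" id="7100a8ff-27da-46ff-b026-07c42c2fb119">
+<Indicator operator="AND" id="548b0893-3cc5-483f-b2e3-b5bd93401894">
+<IndicatorItem id="1e1c6c83-c635-4e30-9394-5a61935388c2" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/process" type="event" />
+<Content type="string">solarwinds.businesslayerhost.exe</Content>
+</IndicatorItem>
+<Indicator operator="OR" id="31fe78c9-e0d7-496a-9b65-b8264e0725ee">
+<IndicatorItem id="71c84163-abbf-4da5-99c3-79e465ae4c3a" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+<Content type="string">exe</Content>
+</IndicatorItem>
+<IndicatorItem id="36376524-c6c0-4062-ae48-340138d1984a" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+<Content type="string">dll</Content>
+</IndicatorItem>
+<IndicatorItem id="9d97da61-123d-4561-9610-b8143c7fa2b1" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+<Content type="string">ps1</Content>
+</IndicatorItem>
+<IndicatorItem id="2ad66922-a9a0-418a-a8e8-5a54b1f1dba1" condition="starts-with" preserve-case="true" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/textAtLowestOffset" type="event" />
+<Content type="string">MZ</Content>
+</IndicatorItem>
+<IndicatorItem id="def85433-ca32-464f-950c-bfabf4e523c8" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+<Content type="string">jpg</Content>
+</IndicatorItem>
+<IndicatorItem id="717188d6-0ce4-4b9b-b6a4-7163ee538690" condition="is" preserve-case="false" negate="false">
+<Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+<Content type="string">png</Content>
+</IndicatorItem>
+</Indicator>
+</Indicator>
+</Indicator>
+</criteria>
+<parameters />
+</OpenIOC>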
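Review bot: The description calls SolarWinds.Orion.Core.BusinessLayer.dll a process, but the IndicatorItem matches `fileWriteEvent/process` against `solarwinds.businesslayerhost.exe`, the host executable that loads that DLL; rewording to `... the SUNBURST backdoored version of SolarWinds.Orion.Core.BusinessLayer.dll, as loaded by solarwinds.businesslayerhost.exe` would describe what the rule actually evaluates. The extension items are case-insensitive while the `MZ` header check keeps `preserve-case="true"`, which is right for a magic-byte test and worth one sentence in the description so nobody "normalises" it. A short note on why `jpg` and `png` writes are in scope would also help tuners who see image writes from ordinary report generation by the same process.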

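--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="c90bc888-17b0-4a76-95a7-4196c38aae6c" last-modified="2020-12-13T19:23:17Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+<metadata>
+<short_description>SUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY)</short_description>
+<description>This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+<authored_by>FireEye</authored_by>
+<authored_date>2020-12-12T01:54:32Z</authored_date>
+<links>
+<link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+</links>
+</metadata>
+<criteria>
+<Indicator operator="OR" id="33565068-0b74-4690-8032-19f295dbc2a6">
+<Indicator operator="AND" id="28533f37-0b3a-42af-8e0b-c7352933e94c">
+<IndicatorItem id="946dce86-3c5a-4dab-ba0c-7eb56cc18c93" condition="ends-with" preserve-case="false" negate="true">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+<Content type="string">solarwinds.com</Content>
+</IndicatorItem>
+<Indicator operator="OR" id="509e4f60-2537-4d8b-94aa-185034bc7dd3">
+<IndicatorItem id="2b203e30-7f50-4ea4-a42f-73007a015e6a" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+<Content type="string">/swip/Events</Content>
+</IndicatorItem>
+<IndicatorItem id="9b6601ec-c451-4969-9ed2-a1197c6ebe66" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+<Content type="string">/swip/SystemDescription</Content>
+</IndicatorItem>
+<IndicatorItem id="b77d6ef9-1d61-4893-8f82-5211fb50e472" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+<Content type="string">/swip/Upload.ashx</Content>
+</IndicatorItem>
+<IndicatorItem id="b07e683e-17c8-4883-be34-639bad15938f" condition="contains" preserve-case="false" negate="false">
+<Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+<Content type="string">/swip/upd</Content>
+</IndicatorItem>
+</Indicator>
+</Indicator>
+</Indicator>
+</criteria>
+<parameters />
+</OpenIOC>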
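Review bot: The negated `ends-with` on `solarwinds.com` has no leading dot, so it also exempts any host name under a different registered domain that merely ends in those characters, while the Snort rules in this commit exclude `.solarwinds.com` with the dot; `<Content type="string">.solarwinds.com</Content>` here would match the Snort form, with a second negated `is` item for the bare apex if that host is ever contacted directly. The `/swip/upd` item is a prefix of the `/swip/upd/` URIs used in the Snort rules, so it also covers `/swip/update`-style paths; if that breadth is intentional a word in the description would prevent a later tightening. The description's note that only cleartext requests are visible to this rule is important for tuning and could be echoed in the short_description.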

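--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)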
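Review bot: The rule has no `flow:to_server,established;` and matches raw payload rather than the HTTP buffers, so it is evaluated on every outbound segment and the `offset:2; depth:3` anchor for `T ` only lands when the request line starts the segment; the same applies to sids 77600833, 77600843 and 77600844. The negated `content:!".solarwinds.com"; within:100;` exempts only Host values containing the dotted form, so a bare `solarwinds.com` Host would still alert, which may be intended but deserves a `#` line above the rule. In Snort 2 modifier form the option list could start `flow:to_server,established; content:"/swip/Events"; http_uri; content:"Host: "; http_header; content:!".solarwinds.com"; http_header; within:100;`, which drops the fragile `T ` anchor entirely.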

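--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)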
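Review bot: `content:"|16 03|"; depth:2;` pins the TLS record header to the first two payload bytes, so the rule only fires when a handshake record starts the segment being inspected, and there is no `flow:established;` to limit it to reassembled sessions; sids 77600846–77600848 and 77600850 share the same shape. `|55 04 03|` is the X.509 commonName OID, which is what makes `within:50` a sensible window for the name that follows; a `#` line above each rule such as `# 55 04 03 = id-at-commonName OID; name is matched inside the server certificate` would stop a reader from treating the bytes as an arbitrary anchor. The `<> any 443` port pin also means TLS on a non-standard port is not covered, which is fine as a default but worth stating.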

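--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)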

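--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)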
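Review bot: The rule is `any any -> any any` with no `flow` keyword, so it inspects both directions of every TCP session even though the `T ` anchor and `Host:` match only make sense in a client request; sids 77600852–77600855 and 77600842 have the same shape. `flow:to_server,established;` (and `$HOME_NET` as the source, as sid 77600832 already uses) would encode that intent and reduce evaluation cost. `content:"Host:"` is a plain substring, so any header name ending in `Host:` also satisfies it; with the domain required `within:100` that is harmless, but an `http_header` modifier on the domain content would make the match explicit.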

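--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)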

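--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)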

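--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)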

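--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)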

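--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)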

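--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)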

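--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)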

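--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)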

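--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)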
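Review bot: Unlike the other TLS rules in this commit (sids 77600846–77600850), this one has no `|55 04 03|` commonName anchor and no `within`, so `avsvmcloud.com` is matched anywhere after the record header — presumably so the ClientHello SNI, where a generated subdomain precedes the name, is caught as well as the certificate. If that is the intent, a `#` line above the rule such as `# no CN OID anchor by design: matches the name in SNI as well as in the server certificate` would stop a future revision from "fixing" it to look like its siblings. The same `depth:2` segment-start assumption and missing `flow:established;` noted for sid 77600849 apply here.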

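--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)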

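--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)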

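--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)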

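--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,21 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+rule APT_Backdoor_SUNBURST_1
+{
+meta:
+author = "FireEye"
+description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+strings:
+$cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
+$cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
+$fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
+$fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
+$fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
+$fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
+$fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
+$fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
+$fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
+condition:
+$fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
+}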
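Review bot: In the condition the last group is `($fake_orion_message_encoded and $fake_orion_message_plain)`, while every sibling group in that branch joins its encoded and plain variants with `or`; as written the second branch only fires on a sample containing both encodings of the message string, which reads like a typo rather than intent. If the sibling pattern is the intended one, change it to `($fake_orion_message_encoded or $fake_orion_message_plain)`. Parenthesising the first branch as `($fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain))` would also make the `and`-over-`or` precedence explicit, since the description presents fnv_xor as the anchor of that branch. The `_plain` hex strings are ASCII of the decoded literals; a one-line comment saying so would spare readers decoding them by hand.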

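--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,51 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+rule APT_Backdoor_SUNBURST_2
+{
+meta:
+author = "FireEye"
+description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+strings:
+$a = "0y3Kzy8BAA==" wide
+$aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
+$ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
+$ac = "C88sSs1JLS4GAA==" wide
+$ad = "C/UEAA==" wide
+$ae = "C89MSU8tKQYA" wide
+$af = "8wvwBQA=" wide
+$ag = "cyzIz8nJBwA=" wide
+$ah = "c87JL03xzc/LLMkvysxLBwA=" wide
+$ai = "88tPSS0GAA==" wide
+$aj = "C8vPKc1NLQYA" wide
+$ak = "88wrSS1KS0xOLQYA" wide
+$al = "c87PLcjPS80rKQYA" wide
+$am = "Ky7PLNAvLUjRBwA=" wide
+$an = "06vIzQEA" wide
+$b = "0y3NyyxLLSpOzIlPTgQA" wide
+$c = "001OBAA=" wide
+$d = "0y0oysxNLKqMT04EAA==" wide
+$e = "0y3JzE0tLknMLQAA" wide
+$f = "003PyU9KzAEA" wide
+$h = "0y1OTS4tSk1OBAA=" wide
+$i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
+$j = "c8rPSQEA" wide
+$k = "c8rPSfEsSczJTAYA" wide
+$l = "c60oKUp0ys9JAQA=" wide
+$m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
+$n = "8yxJzMlMBgA=" wide
+$o = "88lMzygBAA==" wide
+$p = "88lMzyjxLEnMyUwGAA==" wide
+$q = "C0pNL81JLAIA" wide
+$r = "C07NzXTKz0kBAA==" wide
+$s = "C07NzXTKz0nxLEnMyUwGAA==" wide
+$t = "yy9IzStOzCsGAA==" wide
+$u = "y8svyQcA" wide
+$v = "SytKTU3LzysBAA==" wide
+$w = "C84vLUpOdc5PSQ0oygcA" wide
+$x = "C84vLUpODU4tykwLKMoHAA==" wide
+$y = "C84vLUpO9UjMC07MKwYA" wide
+$z = "C84vLUpO9UjMC04tykwDAA==" wide
+condition:
+($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
+}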
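Review bot: The condition is a single line holding five disjuncts; splitting it one disjunct per line, each preceded by a `//` comment naming the HTTP-method branch it corresponds to, would let a reviewer check the rule against the description's "each branch of the code" claim, which is currently only stated in prose. The single-letter string identifiers skip `$g` between `$f` and `$h`, which reads like an accidental gap and is worth either filling or noting. The `wide`-only modifier is presumably deliberate because these are UTF-16 string literals in a .NET assembly; stating that in the description would discourage someone from adding `ascii` and widening the match.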

@ -0,0 +1,21 @@
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
import "pe"
rule APT_Webshell_SUPERNOVA_1
{
meta:
author = "FireEye"
description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
strings:
$compile1 = "CompileAssemblyFromSource"
$compile2 = "CreateCompiler"
$context = "ProcessRequest"
$httpmodule = "IHttpHandler" ascii
$string1 = "clazz"
$string2 = "//NetPerfMon//images//NoLogo.gif" wide
$string3 = "SolarWinds" ascii nocase wide
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile*) and all of ($string*)
}
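Review bot: The `description` line says the handler inspects form values named `codes, class, method, and args`, but the token the rule actually anchors on is `$string1 = "clazz"`, so a reader comparing meta and strings will suspect a typo in one of them. I'd reword the description to name the parameter as it appears in the binary, e.g. `form values (e.g. named codes, clazz, method, and args)`, so the meta matches the strings section. The meta block also carries only `author` and `description`; a `reference = "https://github.com/fireeye/sunburst_countermeasures"` line (the URL already cited in the header comment) would give analysts a provenance pointer once the rule is copied out of this repository, and the same applies to the three rules in the sections that follow.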

@ -0,0 +1,19 @@
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
rule APT_Webshell_SUPERNOVA_2
{
meta:
author = "FireEye"
description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
strings:
$dynamic = "DynamicRun"
$solar = "Solarwinds" nocase
$string1 = "codes"
$string2 = "clazz"
$string3 = "method"
$string4 = "args"
condition:
uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and 3 of ($string*) and $dynamic and $solar
}
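Review bot: `$solar = "Solarwinds" nocase` matches only the default ASCII encoding, while the sibling rule APT_Webshell_SUPERNOVA_1 declares the same token as `ascii nocase wide`; if the string is stored as a .NET user string (UTF-16) this rule would miss it. I'd align the modifiers: `$solar = "Solarwinds" ascii nocase wide`. The four `$string*` tokens are short generic words, so `3 of ($string*)` carries little weight on its own; it is the PE-header check, `filesize < 10KB` and `$dynamic` that keep the rule specific, which is worth stating in the description so that a tuner does not relax those gates first.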

@ -0,0 +1,18 @@
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
rule APT_Dropper_Win64_TEARDROP_1
{
meta:
author = "FireEye"
description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
strings:
$loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
$loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
$loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
$loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
$loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
condition:
(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
}
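Review bot: `$loc_4218FE24A5` is byte-for-byte the first nine bytes of `$loc_5551D725A0`, so under `any of them` the longer pattern can never fire without the shorter one already having fired and adds no detection on its own; either drop the short pattern, or rework the condition (for example `2 of them`) so the longer sequence contributes specificity. The rule name says Win64 but the condition checks only the MZ/PE magic; adding the machine-type check `uint16(uint32(0x3C) + 4) == 0x8664` would make the condition match the name and avoid 32-bit hits on the shorter sequences. The `4218FE` / `5551D7` prefixes in the string names hint at two image bases, presumably two samples, but nothing in the meta says so; a sentence in `description` stating which offsets come from which sample would help an analyst attribute a partial match.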

@ -0,0 +1,16 @@
// Copyright 2020 by FireEye, Inc.
// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
rule APT_Dropper_Raw64_TEARDROP_1
{
meta:
author = "FireEye"
description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
strings:
$sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
$sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
$sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
condition:
all of them
}
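Review bot: The rule has no MZ/PE check and no `filesize` bound, which together with the `Raw64` name suggests it is meant for carved payloads or process memory rather than files on disk, but the `description` does not say so, and an operator loading this rule next to APT_Dropper_Win64_TEARDROP_1 gets no hint about which to run where. I'd add a sentence to the description such as `Intended for raw 64-bit payloads and memory images; the PE-file variant is APT_Dropper_Win64_TEARDROP_1.` The tail of `$sb2` (`C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67`) is the same byte-write sequence as `$loc_4218FE2747` in the Win64 rule written with `[4]` instead of `?? ?? ?? ??`; using one notation in both files would make the shared anchor easier to spot when one of them needs updating.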

@ -0,0 +1,39 @@
family,name,type,SID,status,desc
SUNBURST,APT_Backdoor_SUNBURST_1,yara,N/A,production,"This rule looks for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,APT_Backdoor_SUNBURST_2,yara,N/A,production,"The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule looks for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600832,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600833,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600842,production,"This rule looks for HTTP network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600843,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600844,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600845,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600846,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600847,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600848,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600849,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600850,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600851,production,"This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600852,production,"This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600853,production,"This rule looks for HTTP network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600854,production,"This rule looks for HTTP network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,Backdoor.SUNBURST,snort/nx,77600855,production,"This rule looks for HTTP network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY),hxioc/prod,N/A,supplemental,"This rule identifies writes of specific file types associated with a SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,SUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY),hxioc/prod,N/A,supplemental,"This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,SUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY),hxioc/prod,N/A,supplemental,"This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUNBURST,SUNBURST COMPROMISE INDICATORS,hxioc/prod,N/A,production,"This rule identifies indicators which FireEye associates with the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
SUPERNOVA,APT_Webshell_SUPERNOVA_2,yara,N/A,supplemental,"This rule looks for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
SUPERNOVA,APT_Webshell_SUPERNOVA_1,yara,N/A,production,"This rule looks for specific strings and attributes related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
COSMICGALE,APT_HackTool_PS1_COSMICGALE_1,yara,N/A,production,"This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
COSMICGALE,APT_HackTool_PS1_COSMICGALE_1,clamav,N/A,production,"This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
TEARDROP,APT_Dropper_Raw64_TEARDROP_1,yara,N/A,production,"This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
TEARDROP,APT_Dropper_Win64_TEARDROP_1,yara,N/A,production,"This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
BEACON,Backdoor.BEACON,snort/nx,77600840,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600863,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600864,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600865,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600837,production,"This rule is looking for network request content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600856,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600857,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600858,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600859,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
BEACON,Backdoor.BEACON,snort/nx,77600860,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
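Review bot: The rows for SIDs 77600843 and 77600844 repeat the sentence "SUNBURST is a backdoor that has the ability to spawn and kill processes ... forensic analysis tools and services." twice in a row at the end of their descriptions; the duplicate sentence should be dropped so those rows read like the otherwise identical rows for 77600832 and 77600833. Separately, the three METHODOLOGY rows carry `type` `hxioc/prod` but `status` `supplemental`, which reads as a contradiction if `prod` in the type is meant as a release state; if it only names the directory the IOC file lives in, a line in the README saying so would prevent that confusion. Rows 77600846/77600847 and 77600851/77600852 also have byte-identical descriptions, so the manifest cannot tell the two rules apart; if they cover different directions or patterns for digitalcollege[.]org, a few words in each description saying which would make the file more useful for triage.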
1 family name type SID status desc
2 SUNBURST APT_Backdoor_SUNBURST_1 yara N/A production This rule looks for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
3 SUNBURST APT_Backdoor_SUNBURST_2 yara N/A production The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule looks for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
4 SUNBURST Backdoor.SUNBURST snort/nx 77600832 production This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
5 SUNBURST Backdoor.SUNBURST snort/nx 77600833 production This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
6 SUNBURST Backdoor.SUNBURST snort/nx 77600842 production This rule looks for HTTP network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
7 SUNBURST Backdoor.SUNBURST snort/nx 77600843 production This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
8 SUNBURST Backdoor.SUNBURST snort/nx 77600844 production This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
9 SUNBURST Backdoor.SUNBURST snort/nx 77600845 production This rule looks for SSL/TLS network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
10 SUNBURST Backdoor.SUNBURST snort/nx 77600846 production This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
11 SUNBURST Backdoor.SUNBURST snort/nx 77600847 production This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
12 SUNBURST Backdoor.SUNBURST snort/nx 77600848 production This rule looks for SSL/TLS network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
13 SUNBURST Backdoor.SUNBURST snort/nx 77600849 production This rule looks for SSL/TLS network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
14 SUNBURST Backdoor.SUNBURST snort/nx 77600850 production This rule looks for SSL/TLS network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
15 SUNBURST Backdoor.SUNBURST snort/nx 77600851 production This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
16 SUNBURST Backdoor.SUNBURST snort/nx 77600852 production This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
17 SUNBURST Backdoor.SUNBURST snort/nx 77600853 production This rule looks for HTTP network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
18 SUNBURST Backdoor.SUNBURST snort/nx 77600854 production This rule looks for HTTP network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
19 SUNBURST Backdoor.SUNBURST snort/nx 77600855 production This rule looks for HTTP network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
20 SUNBURST SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY) hxioc/prod N/A supplemental This rule identifies writes of specific file types associated with a SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
21 SUNBURST SUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY) hxioc/prod N/A supplemental This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
22 SUNBURST SUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY) hxioc/prod N/A supplemental This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
23 SUNBURST SUNBURST COMPROMISE INDICATORS hxioc/prod N/A production This rule identifies indicators which FireEye associates with the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services.
24 SUPERNOVA APT_Webshell_SUPERNOVA_2 yara N/A supplemental This rule looks for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).
25 SUPERNOVA APT_Webshell_SUPERNOVA_1 yara N/A production This rule looks for specific strings and attributes related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args).
26 COSMICGALE APT_HackTool_PS1_COSMICGALE_1 yara N/A production This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password.
27 COSMICGALE APT_HackTool_PS1_COSMICGALE_1 clamav N/A production This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password.
28 TEARDROP APT_Dropper_Raw64_TEARDROP_1 yara N/A production This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.
29 TEARDROP APT_Dropper_Win64_TEARDROP_1 yara N/A production This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory.
30 BEACON Backdoor.BEACON snort/nx 77600840 production This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
31 BEACON Backdoor.BEACON snort/nx 77600863 production This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
32 BEACON Backdoor.BEACON snort/nx 77600864 production This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
33 BEACON Backdoor.BEACON snort/nx 77600865 production This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
34 BEACON Backdoor.BEACON snort/nx 77600837 production This rule is looking for network request content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
35 BEACON Backdoor.BEACON snort/nx 77600856 production This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
36 BEACON Backdoor.BEACON snort/nx 77600857 production This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
37 BEACON Backdoor.BEACON snort/nx 77600858 production This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
38 BEACON Backdoor.BEACON snort/nx 77600859 production This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
39 BEACON Backdoor.BEACON snort/nx 77600860 production This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.