update IOCs

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/LICENSE.txt

@@ -0,0 +1,8 @@
+Copyright 2020 by FireEye, Inc.
+
+The 2-Clause BSD License
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/README.md

@@ -0,0 +1,21 @@
+# FireEye Mandiant SunBurst Countermeasures
+
+These rules are provided freely to the community without warranty.
+
+In this GitHub repository you will find rules in multiple languages:
+- Snort
+- Yara
+- IOC
+- ClamAV
+
+The rules are categorized and labeled into two release states:
+- Production: rules that are expected to perform with minimal tuning.
+- Supplemental: rules that are known to require further environment-specific tuning and tweaking to perform, and are often used for hunting workflows.
+
+Please check back to this GitHub for updates to these rules.
+
+FireEye customers can refer to the FireEye Community (community.fireeye.com) for information on how FireEye products detect these threats.
+ 
+The entire risk as to quality and performance of these rules is with the users.
+
+Please review the FireEye blog for additional details on this threat. 

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/all-clam.ldb

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+APT_HackTool_PS1_COSMICGALE_1;Engine:81-255,Target:7;0&1&2&3&4&5&6&7&8;5b746578742e656e636f64696e675d3a3a61736369692e676574627974657328226e7470617373776f7264603022293b;73797374656d5c63757272656e74636f6e74726f6c7365745c636f6e74726f6c5c6c73615c245f;5b73656375726974792e63727970746f6772617068792e6d64355d3a3a6372656174652829;5b73797374656d2e73656375726974792e7072696e636970616c2e77696e646f77736964656e746974795d3a3a67657463757272656e7428292e6e616d65;6f75742d66696c65;636f6e76657274746f2d736563757265737472696e67;0/\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/;6/\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/;7/\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/all-snort.rules

@@ -0,0 +1,29 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; sid:77600837; rev:1;)
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; sid:77600856; rev:1;)
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/all-yara.yar

@@ -0,0 +1,146 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+import "pe"
+
+rule APT_Backdoor_SUNBURST_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+    strings:
+        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
+        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
+        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
+        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
+        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
+        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
+        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
+        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
+        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
+    condition:
+        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
+}
+rule APT_Backdoor_SUNBURST_2
+{
+    meta:
+        author = "FireEye"
+        description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+    strings:
+        $a = "0y3Kzy8BAA==" wide
+        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
+        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
+        $ac = "C88sSs1JLS4GAA==" wide
+        $ad = "C/UEAA==" wide
+        $ae = "C89MSU8tKQYA" wide
+        $af = "8wvwBQA=" wide
+        $ag = "cyzIz8nJBwA=" wide
+        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
+        $ai = "88tPSS0GAA==" wide
+        $aj = "C8vPKc1NLQYA" wide
+        $ak = "88wrSS1KS0xOLQYA" wide
+        $al = "c87PLcjPS80rKQYA" wide
+        $am = "Ky7PLNAvLUjRBwA=" wide
+        $an = "06vIzQEA" wide
+        $b = "0y3NyyxLLSpOzIlPTgQA" wide
+        $c = "001OBAA=" wide
+        $d = "0y0oysxNLKqMT04EAA==" wide
+        $e = "0y3JzE0tLknMLQAA" wide
+        $f = "003PyU9KzAEA" wide
+        $h = "0y1OTS4tSk1OBAA=" wide
+        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
+        $j = "c8rPSQEA" wide
+        $k = "c8rPSfEsSczJTAYA" wide
+        $l = "c60oKUp0ys9JAQA=" wide
+        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
+        $n = "8yxJzMlMBgA=" wide
+        $o = "88lMzygBAA==" wide
+        $p = "88lMzyjxLEnMyUwGAA==" wide
+        $q = "C0pNL81JLAIA" wide
+        $r = "C07NzXTKz0kBAA==" wide
+        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
+        $t = "yy9IzStOzCsGAA==" wide
+        $u = "y8svyQcA" wide
+        $v = "SytKTU3LzysBAA==" wide
+        $w = "C84vLUpOdc5PSQ0oygcA" wide
+        $x = "C84vLUpODU4tykwLKMoHAA==" wide
+        $y = "C84vLUpO9UjMC07MKwYA" wide
+        $z = "C84vLUpO9UjMC04tykwDAA==" wide
+    condition:
+        ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
+}
+rule APT_Webshell_SUPERNOVA_1
+{
+    meta:
+        author = "FireEye"
+        description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
+    strings:
+        $compile1 = "CompileAssemblyFromSource"
+        $compile2 = "CreateCompiler"
+        $context = "ProcessRequest"
+        $httpmodule = "IHttpHandler" ascii
+        $string1 = "clazz"
+        $string2 = "//NetPerfMon//images//NoLogo.gif" wide
+        $string3 = "SolarWinds" ascii nocase wide
+    condition:
+        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile*) and all of ($string*)
+}
+rule APT_Webshell_SUPERNOVA_2
+{
+    meta:
+        author = "FireEye"
+        description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
+    strings:
+        $dynamic = "DynamicRun"
+        $solar = "Solarwinds" nocase
+        $string1 = "codes"
+        $string2 = "clazz"
+        $string3 = "method"
+        $string4 = "args"
+    condition:
+        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and 3 of ($string*) and $dynamic and $solar
+}
+rule APT_HackTool_PS1_COSMICGALE_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
+    strings:
+        $sr1 = /\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/ ascii nocase wide
+        $sr2 = /\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/ ascii nocase wide
+        $sr3 = /\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/ ascii nocase wide
+        $ss1 = "[text.encoding]::ascii.getbytes(\"ntpassword\x600\");" ascii nocase wide
+        $ss2 = "system\\currentcontrolset\\control\\lsa\\$_" ascii nocase wide
+        $ss3 = "[security.cryptography.md5]::create()" ascii nocase wide
+        $ss4 = "[system.security.principal.windowsidentity]::getcurrent().name" ascii nocase wide
+        $ss5 = "out-file" ascii nocase wide
+        $ss6 = "convertto-securestring" ascii nocase wide
+    condition:
+        all of them
+}
+rule APT_Dropper_Raw64_TEARDROP_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
+    strings:
+        $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
+        $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
+        $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
+    condition:
+        all of them
+}
+rule APT_Dropper_Win64_TEARDROP_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
+    strings:
+        $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
+        $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
+        $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
+        $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
+        $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/fnv1a_xor_hashes.txt

@@ -0,0 +1,84 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+
+The following hashes are checked against processes, services, and drivers by SUNBURST. The hash is calculated by performing a FNV-1a 64bit hash of the lowercase string then XOR by 6605813339339102567.
+-------------------------------------------
+fekern 6274014997237900919 
+sense 16335643316870329598 
+windefend 917638920165491138 
+afwserv 1368907909245890092 
+atrsdfw.sys 15194901817027173566 
+autopsy 4821863173800309721 
+accept 2734787258623754862 
+avastsvc 8146185202538899243 
+avastui 11818825521849580123 
+avgsvc 3660705254426876796 
+avgsvca 3890794756780010537 
+avgsvcx 3890769468012566366 
+avgui 12709986806548166638 
+avp 13611051401579634621 
+avpui 18147627057830191163 
+brcow_x_x_x_x.sys 12679195163651834776 
+brfilter.sys 1614465773938842903 
+cavp 17204844226884380288 
+cb 5984963105389676759 
+crexecprev.sys 18159703063075866524 
+cutter 12790084614253405985 
+cve.sys 16570804352575357627 
+cybkerneltracker.sys 17097380490166623672 
+date 16066522799090129502 
+dgdmk.sys 3626142665768487764 
+dnsd 13316211011159594063 
+dnspy 13825071784440082496 
+eamonm 15587050164583443069 
+eaw.sys 12718416789200275332 
+eelam 9559632696372799208 
+egui 607197993339007484 
+ehdrv 4931721628717906635 
+ekrn 3200333496547938354 
+epfw 17939405613729073960 
+fakenet 576626207276463000 
+feelam 15092207615430402812 
+ffdec 7412338704062093516 
+floss 18150909006539876521 
+fsaua 12445177985737237804 
+fsaus 12445232961318634374 
+fsbts 9333057603143916814 
+fsdfw 10393903804869831898 
+fses 3413052607651207697 
+fsfw 3407972863931386250 
+fsma 3421213182954201407 
+fsms 3421197789791424393 
+fsni 3413886037471417852 
+fsorsp 17978774977754553159 
+gdb 10336842116636872171 
+groundling32.sys 6943102301517884811 
+groundling64.sys 13544031715334011032 
+hexisfsmonitor.sys 397780960855462669 
+idaq 14256853800858727521 
+idr 8129411991672431889 
+ildasm 15997665423159927228 
+ilspy 10829648878147112121 
+ksde 17633734304611248415 
+ksdeui 13581776705111912829 
+libwamf.sys 17984632978012874803 
+lordpe 3656637464651387014 
+lragentmf.sys 2717025511528702475 
+peid 9531326785919727076 
+peview 2478231962306073784 
+ppee 14710585101020280896 
+psepfilter.sys 835151375515278827 
+regmon 18294908219222222902 
+rvsavd.sys 18392881921099771407 
+safe-agent.sys 11801746708619571308 
+scdbg 14868920869169964081 
+sentinelmonitor.sys 12343334044036541897 
+sysmon 14111374107076822891 
+tanium 7175363135479931834 
+windbg 3045986759481489935 
+windump 17109238199226571972 
+winhex 5945487981219695001 
+winobj 8052533790968282297 
+xagt 15695338751700748390 
+fe_avk 9384605490088500348 

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/indicator_release/Indicator_Release_Hashes.csv

@@ -0,0 +1,8 @@
+SHA256 ,SHA1 ,MD5 ,FILENAME ,MIME ,Malware Family,Role 
+d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600 ,1b476f58ca366b54f34d714ffce3fd73cc30db1a ,02af7cec58b9a5da1c542b5a32151ba1 ,CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp ,application/vnd.ms-office ,SUNBURST ,Installer 
+53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7 ,47d92d49e6f7f296260da1af355f941eb25360c4 ,08e35543d6110ed11fdf558bb093d401 ,"Solarwinds Worldwide, LLC ",application/x-x509-server-cert ,Code Signing Certificate ,Legitimate SolarWinds code-signing certificate
+019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 ,2f1a5a7411d015d01aaee4535835400191645023 ,2c4a910a1299cdae2a4e55988a2f102e ,SolarWinds.Orion.Core.BusinessLayer.dll ,application/x-dosexec ,SUNBURST ,backdoor
+ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 ,d130bd75645c2433f88ac03e73395fba172ef676 ,846e27a652a5e1bfbd0ddd38a16dc865 ,SolarWinds.Orion.Core.BusinessLayer.dll ,application/x-dosexec ,SUNBURST ,backdoor
+32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 ,76640508b1e7759e548771a5359eaed353bf1eec ,b91ce2fa41029f6955bff20079468448 ,SolarWinds.Orion.Core.BusinessLayer.dll ,application/x-dosexec ,SUNBURST ,backdoor
+292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712 ,c2c30b3a287d82f88753c85cfb11ec9eb1466bad ,4f2eb62fa529c0283b28d05ddd311fae ,OrionImprovementBusinessLayer.2.cs ,text/plain ,SUNBURST ,Decompiled and corrected source code for SUNBURST 
+c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 ,75af292f34789a1c782ea36c7127bf6106f595e8 ,56ceb6d0011d87b6e4d7023d7ef85676 ,app_web_logoimagehandler.ashx.b6031896.dll ,application/x-dosexec ,SUPERNOVA ,Webshell

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/indicator_release/Indicator_Release_NBIs.csv

@@ -0,0 +1,17 @@
+Associated Malware,DNS Record Type ,FQDN,IP,Target,First Seen,Last Seen
+SUNBURST,CNAME ,6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud[.]com ,,freescanonline[.]com ,2020-06-13 09:20:41 ,2020-06-13 09:20:41 
+SUNBURST,CNAME ,7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud[.]com ,,deftsecurity[.]com ,2020-06-11 22:37:33 ,2020-06-11 22:37:33 
+SUNBURST,CNAME ,gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud[.]com ,,freescanonline[.]com ,2020-06-13 08:48:40 ,2020-06-13 08:48:41 
+SUNBURST,CNAME ,ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud[.]com ,,thedoccloud[.]com ,2020-06-20 02:54:06 ,2020-06-20 02:54:06 
+SUNBURST,CNAME ,k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud[.]com ,,thedoccloud[.]com ,2020-07-22 17:15:57 ,2020-07-22 17:15:58 
+SUNBURST,CNAME ,mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud[.]com ,,thedoccloud[.]com ,2020-07-23 18:43:00 ,2020-07-23 18:43:00 
+SUNBURST,A ,deftsecurity[.]com ,13.59.205.66 ,,2020-02-14 03:47:49 ,2020-12-13 19:28:44 
+SUNBURST,A ,freescanonline[.]com ,54.193.127.66 ,,2020-02-11 11:00:04 ,2020-12-13 19:25:56 
+SUNBURST,A ,thedoccloud[.]com ,54.215.192.52 ,,2020-02-09 20:03:38 ,2020-12-10 03:24:23 
+SUNBURST,A ,websitetheme[.]com ,34.203.203.23 ,,2020-02-04 16:27:45 ,2020-06-25 23:58:55 
+SUNBURST,A ,highdatabase[.]com ,139.99.115.204 ,,2019-12-28 00:07:06 ,2020-12-06 03:51:20 
+BEACON,A ,incomeupdate[.]com,5.252.177.25,,10/4/19 17:57,10/1/20 18:45
+,A,databasegalore[.]com,5.252.177.21,,3/12/20 10:49,12/13/20 21:23
+,A,panhardware[.]com,204.188.205.176,,3/11/20 15:32,12/13/20 21:23
+,A,zupertech[.]com,51.89.125.18,,5/14/20 3:09,12/13/20 21:31
+,A,zupertech[.]com,167.114.213.199,,8/18/16 13:06,11/12/17 16:23

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_1.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"incomeupdate.com"; sid:77600840; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_10.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Million-Support-Years-Week-Agents</p>"; sid:77600860; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_2.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"zupertech.com"; sid:77600863; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_3.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"databasegalore.com"; sid:77600864; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_4.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any 443 (msg:"Backdoor.BEACON"; content:"|16 03 03|"; depth:3; content:"panhardware.com"; sid:77600865; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_5.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.BEACON"; content:"POST"; depth:4; content:"|0d 0a 0d 0a|name=\""; content:"\"\;filename=\""; content:"\"|0a|Content-Type:"; sid:77600837; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_6.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; content:"HTTP/1."; depth:7; content:"Server: nginx/1.14.0 (Ubuntu)"; distance:0; content:"Connection: close"; distance:0; content:"Cache-Control: max-age=300, must-revalidate"; distance:0; content:"X-Content-Type-Options: nosniff"; distance:0; content:"X-AspNetMvc-Version: 3.0"; distance:0; content:"X-AspNet-Version: 4.0.30319"; distance:0; content:"X-Powered-By: ASP.NET"; distance:0; content:"Content-Length: "; content:"|0d 0a|"; distance:6; within:4; sid:77600856; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_7.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<title>Woman-Five-How-To-Why-Your-Celebrating-Learn-Brand</title>"; sid:77600857; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_8.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<p>Companies-Best-Man-Vendors-Best</p>"; sid:77600858; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/BEACON/snort/Backdoor.BEACON_9.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> $HOME_NET any (msg:"Backdoor.BEACON"; flow:from_server; content:"<meta name=\"msvalidate.01\" content=\"ECEE9516DDABFC7CCBBF1EACC04CAC20\">"; content:"<meta name=\"google-site-verification\" content=\"CD5EF1FCB54FE29C838ABCBBE0FA57AE\">"; sid:77600859; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/COSMICGALE/clamav/APT_HackTool_PS1_COSMICGALE_1.ldb

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+APT_HackTool_PS1_COSMICGALE_1;Engine:81-255,Target:7;0&1&2&3&4&5&6&7&8;5b746578742e656e636f64696e675d3a3a61736369692e676574627974657328226e7470617373776f7264603022293b;73797374656d5c63757272656e74636f6e74726f6c7365745c636f6e74726f6c5c6c73615c245f;5b73656375726974792e63727970746f6772617068792e6d64355d3a3a6372656174652829;5b73797374656d2e73656375726974792e7072696e636970616c2e77696e646f77736964656e746974795d3a3a67657463757272656e7428292e6e616d65;6f75742d66696c65;636f6e76657274746f2d736563757265737472696e67;0/\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/;6/\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/;7/\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/COSMICGALE/yara/APT_HackTool_PS1_COSMICGALE_1.yar

@@ -0,0 +1,22 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+
+rule APT_HackTool_PS1_COSMICGALE_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
+    strings:
+        $sr1 = /\[byte\[\]\]@\([\x09\x20]{0,32}0xaa[\x09\x20]{0,32},[\x09\x20]{0,32}0xd3[\x09\x20]{0,32},[\x09\x20]{0,32}0xb4[\x09\x20]{0,32},[\x09\x20]{0,32}0x35[\x09\x20]{0,32},/ ascii nocase wide
+        $sr2 = /\[bitconverter\]::toint32\(\$\w{1,64}\[0x0c..0x0f\][\x09\x20]{0,32},[\x09\x20]{0,32}0\)[\x09\x20]{0,32}\+[\x09\x20]{0,32}0xcc\x3b/ ascii nocase wide
+        $sr3 = /\[byte\[\]\]\(\$\w{1,64}\.padright\(\d{1,2}\)\.substring\([\x09\x20]{0,32}0[\x09\x20]{0,32},[\x09\x20]{0,32}\d{1,2}\)\.tochararray\(\)\)/ ascii nocase wide
+        $ss1 = "[text.encoding]::ascii.getbytes(\"ntpassword\x600\");" ascii nocase wide
+        $ss2 = "system\\currentcontrolset\\control\\lsa\\$_" ascii nocase wide
+        $ss3 = "[security.cryptography.md5]::create()" ascii nocase wide
+        $ss4 = "[system.security.principal.windowsidentity]::getcurrent().name" ascii nocase wide
+        $ss5 = "out-file" ascii nocase wide
+        $ss6 = "convertto-securestring" ascii nocase wide
+    condition:
+        all of them
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/hxioc/SOLARWINDS COMPROMISE INDICATORS.ioc

@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+     You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+     https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="281d5077-b45a-43a8-8869-7924a3c2c1a0" last-modified="2020-12-13T21:34:13Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+  <metadata>
+    <short_description>SUNBURST COMPROMISE INDICATORS</short_description>
+    <description>This rule identifies indicators which FireEye associates with the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+    <authored_by>FireEye</authored_by>
+    <authored_date>2020-12-12T01:00:34Z</authored_date>
+    <links>
+      <link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+    </links>
+  </metadata>
+  <criteria>
+    <Indicator operator="OR" id="46bf5cf1-c9df-41cd-bd29-68936cc75421">
+      <IndicatorItem id="123f4632-ad70-4672-ab56-fdcc49c68e74" condition="is" preserve-case="false" negate="false">
+        <Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+        <Content type="md5">b91ce2fa41029f6955bff20079468448</Content>
+      </IndicatorItem>
+      <IndicatorItem id="3c6f60a1-e2ce-45ed-936a-79b09a43d25f" condition="contains" preserve-case="false" negate="false">
+        <Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+        <Content type="string">freescanonline.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="2a86b61a-1ae6-416f-b7fb-2b87c005547f" condition="contains" preserve-case="false" negate="false">
+        <Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+        <Content type="string">thedoccloud.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="29845534-0a9c-4917-8459-ca7578385823" condition="contains" preserve-case="false" negate="false">
+        <Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+        <Content type="string">deftsecurity.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="b72939a1-7f99-45bf-85c4-cba0725b9020" condition="contains" preserve-case="false" negate="false">
+        <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+        <Content type="string">deftsecurity.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="69eb9481-85ee-4bf2-96d6-394fe1a364cf" condition="contains" preserve-case="false" negate="false">
+        <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+        <Content type="string">thedoccloud.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="3360b703-e021-4172-a238-184565df29b9" condition="contains" preserve-case="false" negate="false">
+        <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+        <Content type="string">freescanonline.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="6001b4b6-7efc-4db5-a386-0fbd8602ad14" condition="contains" preserve-case="false" negate="false">
+        <Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+        <Content type="string">avsvmcloud.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="9660adca-f41c-440f-bd3e-72750f9d8e30" condition="contains" preserve-case="false" negate="false">
+        <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+        <Content type="string">avsvmcloud.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="7416cdc1-641b-41e5-aa1c-4661a09a98c6" condition="is" preserve-case="false" negate="false">
+        <Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+        <Content type="md5">02af7cec58b9a5da1c542b5a32151ba1</Content>
+      </IndicatorItem>
+      <IndicatorItem id="b9a81581-94ae-427f-a350-b41b971207cf" condition="is" preserve-case="false" negate="false">
+        <Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+        <Content type="md5">2c4a910a1299cdae2a4e55988a2f102e</Content>
+      </IndicatorItem>
+      <IndicatorItem id="79f5957b-2abf-4bab-a778-1bfba7de214d" condition="is" preserve-case="false" negate="false">
+        <Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+        <Content type="md5">846e27a652a5e1bfbd0ddd38a16dc865</Content>
+      </IndicatorItem>
+      <IndicatorItem id="5010ef2c-3d91-477a-94b3-513be90c0cf2" condition="is" preserve-case="false" negate="false">
+        <Context document="fileWriteEvent" search="fileWriteEvent/md5" type="event" />
+        <Content type="md5">4f2eb62fa529c0283b28d05ddd311fae</Content>
+      </IndicatorItem>
+      <IndicatorItem id="d1357eea-3de2-4481-b962-640a187e2521" condition="contains" preserve-case="false" negate="false">
+        <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+        <Content type="string">databasegalore.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="45c00aa0-c79b-41ac-a899-aec584b62b0a" condition="contains" preserve-case="false" negate="false">
+        <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+        <Content type="string">panhardware.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="84f90f69-8c5b-4533-a6e4-bf94ab1bd1b6" condition="contains" preserve-case="false" negate="false">
+        <Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+        <Content type="string">panhardware.com</Content>
+      </IndicatorItem>
+      <IndicatorItem id="7f1a5177-2f4d-4aff-a93f-d20416cebb71" condition="contains" preserve-case="false" negate="false">
+        <Context document="dnsLookupEvent" search="dnsLookupEvent/hostname" type="event" />
+        <Content type="string">databasegalore.com</Content>
+      </IndicatorItem>
+    </Indicator>
+  </criteria>
+  <parameters />
+</OpenIOC>

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/hxioc/SOLARWINDS SUSPICIOUS CHILD PROCESSES (METHODOLOGY).ioc

@@ -0,0 +1,59 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+     You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+     https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="2bac7506-80cc-4740-bbcc-2bbe1e4a43dd" last-modified="2020-12-13T19:53:27Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+  <metadata>
+    <short_description>SUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY)</short_description>
+    <description>This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+    <authored_by>FireEye</authored_by>
+    <authored_date>2020-12-12T01:42:55Z</authored_date>
+    <links>
+      <link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+    </links>
+  </metadata>
+  <criteria>
+    <Indicator operator="OR" id="f8145695-7b14-4fc1-a77d-9d1260dd677e">
+      <Indicator operator="AND" id="dc96ab8b-0d7b-45a6-9ff2-45d1db09e6f2">
+        <IndicatorItem id="70e0822c-00b3-466f-9e9e-fc20f9b5afb8" condition="is" preserve-case="false" negate="false">
+          <Context document="processEvent" search="processEvent/parentProcess" type="event" />
+          <Content type="string">solarwinds.businesslayerhost.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="31f1de7f-27f8-491a-8ab1-70f1f80f2553" condition="is" preserve-case="false" negate="false">
+          <Context document="processEvent" search="processEvent/eventType" type="event" />
+          <Content type="string">start</Content>
+        </IndicatorItem>
+        <IndicatorItem id="35c4033b-199f-4476-b2f7-b53aa391daf3" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\SolarWinds\Orion\APM\APMServiceControl.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="c5571421-cbda-402f-b792-79f31dae87c8" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\SolarWinds\Orion\ExportToPDFCmd.Exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="030272f5-7485-4a89-bf24-3792633c342c" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\SolarWinds.Credentials\SolarWinds.Credentials.Orion.WebApi.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="588f1499-66f1-4a1e-acd3-c905a8a5f921" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\SolarWinds\Orion\Topology\SolarWinds.Orion.Topology.Calculator.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="260d72ac-f2d5-48d1-a75f-ef8f70a3db1c" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\SolarWinds\Orion\Database-Maint.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="e0b75c50-b2f3-450e-85e3-982acef5cab0" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\SolarWinds.Orion.ApiPoller.Service\SolarWinds.Orion.ApiPoller.Service.exe</Content>
+        </IndicatorItem>
+        <IndicatorItem id="1bf853d6-552f-4f89-90e9-50b7ffc408c0" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="processEvent" search="processEvent/processPath" type="event" />
+          <Content type="string">\Windows\SysWOW64\WerFault.exe</Content>
+        </IndicatorItem>
+      </Indicator>
+    </Indicator>
+  </criteria>
+  <parameters />
+</OpenIOC>

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/hxioc/SOLARWINDS SUSPICIOUS FILEWRITES (METHODOLOGY).ioc

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+     You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+     https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="c6286e1b-10bd-4046-8aff-0dbcc5b1e974" last-modified="2020-12-13T19:52:47Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+  <metadata>
+    <short_description>SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY)</short_description>
+    <description>This rule identifies writes of specific file types associated with activity related to the SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. This rule may generate false positives depending on the configuration of SolarWinds in a given environment, and may require tuning to exclude legitimate activity. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+    <authored_by>FireEye</authored_by>
+    <authored_date>2020-12-12T01:51:30Z</authored_date>
+    <links>
+      <link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+    </links>
+  </metadata>
+  <criteria>
+    <Indicator operator="OR" id="7100a8ff-27da-46ff-b026-07c42c2fb119">
+      <Indicator operator="AND" id="548b0893-3cc5-483f-b2e3-b5bd93401894">
+        <IndicatorItem id="1e1c6c83-c635-4e30-9394-5a61935388c2" condition="is" preserve-case="false" negate="false">
+          <Context document="fileWriteEvent" search="fileWriteEvent/process" type="event" />
+          <Content type="string">solarwinds.businesslayerhost.exe</Content>
+        </IndicatorItem>
+        <Indicator operator="OR" id="31fe78c9-e0d7-496a-9b65-b8264e0725ee">
+          <IndicatorItem id="71c84163-abbf-4da5-99c3-79e465ae4c3a" condition="is" preserve-case="false" negate="false">
+            <Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+            <Content type="string">exe</Content>
+          </IndicatorItem>
+          <IndicatorItem id="36376524-c6c0-4062-ae48-340138d1984a" condition="is" preserve-case="false" negate="false">
+            <Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+            <Content type="string">dll</Content>
+          </IndicatorItem>
+          <IndicatorItem id="9d97da61-123d-4561-9610-b8143c7fa2b1" condition="is" preserve-case="false" negate="false">
+            <Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+            <Content type="string">ps1</Content>
+          </IndicatorItem>
+          <IndicatorItem id="2ad66922-a9a0-418a-a8e8-5a54b1f1dba1" condition="starts-with" preserve-case="true" negate="false">
+            <Context document="fileWriteEvent" search="fileWriteEvent/textAtLowestOffset" type="event" />
+            <Content type="string">MZ</Content>
+          </IndicatorItem>
+          <IndicatorItem id="def85433-ca32-464f-950c-bfabf4e523c8" condition="is" preserve-case="false" negate="false">
+            <Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+            <Content type="string">jpg</Content>
+          </IndicatorItem>
+          <IndicatorItem id="717188d6-0ce4-4b9b-b6a4-7163ee538690" condition="is" preserve-case="false" negate="false">
+            <Context document="fileWriteEvent" search="fileWriteEvent/fileExtension" type="event" />
+            <Content type="string">png</Content>
+          </IndicatorItem>
+        </Indicator>
+      </Indicator>
+    </Indicator>
+  </criteria>
+  <parameters />
+</OpenIOC>

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/hxioc/SOLARWINDS SUSPICIOUS URL HOSTNAME (METHODOLOGY).ioc

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Copyright 2020 by FireEye, Inc.
+     You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+     https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+-->
+<OpenIOC xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="c90bc888-17b0-4a76-95a7-4196c38aae6c" last-modified="2020-12-13T19:23:17Z" published-date="0001-01-01T00:00:00" xmlns="http://openioc.org/schemas/OpenIOC_1.1">
+  <metadata>
+    <short_description>SUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY)</short_description>
+    <description>This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. This is associated to MITRE ATT&amp;CK (r) Tactic: Initial Access and Technique: T1195.002</description>
+    <authored_by>FireEye</authored_by>
+    <authored_date>2020-12-12T01:54:32Z</authored_date>
+    <links>
+      <link href="https://attack.mitre.org/techniques/T1195/002/" rel="link">MITRE</link>
+    </links>
+  </metadata>
+  <criteria>
+    <Indicator operator="OR" id="33565068-0b74-4690-8032-19f295dbc2a6">
+      <Indicator operator="AND" id="28533f37-0b3a-42af-8e0b-c7352933e94c">
+        <IndicatorItem id="946dce86-3c5a-4dab-ba0c-7eb56cc18c93" condition="ends-with" preserve-case="false" negate="true">
+          <Context document="urlMonitorEvent" search="urlMonitorEvent/hostname" type="event" />
+          <Content type="string">solarwinds.com</Content>
+        </IndicatorItem>
+        <Indicator operator="OR" id="509e4f60-2537-4d8b-94aa-185034bc7dd3">
+          <IndicatorItem id="2b203e30-7f50-4ea4-a42f-73007a015e6a" condition="contains" preserve-case="false" negate="false">
+            <Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+            <Content type="string">/swip/Events</Content>
+          </IndicatorItem>
+          <IndicatorItem id="9b6601ec-c451-4969-9ed2-a1197c6ebe66" condition="contains" preserve-case="false" negate="false">
+            <Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+            <Content type="string">/swip/SystemDescription</Content>
+          </IndicatorItem>
+          <IndicatorItem id="b77d6ef9-1d61-4893-8f82-5211fb50e472" condition="contains" preserve-case="false" negate="false">
+            <Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+            <Content type="string">/swip/Upload.ashx</Content>
+          </IndicatorItem>
+          <IndicatorItem id="b07e683e-17c8-4883-be34-639bad15938f" condition="contains" preserve-case="false" negate="false">
+            <Context document="urlMonitorEvent" search="urlMonitorEvent/httpHeader" type="event" />
+            <Content type="string">/swip/upd</Content>
+          </IndicatorItem>
+        </Indicator>
+      </Indicator>
+    </Indicator>
+  </criteria>
+  <parameters />
+</OpenIOC>

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_1.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/Events HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600832; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_10.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"thedoccloud.com"; within:50; sid:77600849; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_11.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"virtualdataserver.com"; within:50; sid:77600850; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_12.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"digitalcollege.org"; within:100; sid:77600851; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_13.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_14.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_15.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_16.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_2.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/SolarWinds.CortexPlugin.Components.xml"; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600833; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_3.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:".avsvmcloud.com"; distance:0; sid:77600842; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_4.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"swip/Upload.ashx HTTP/1"; within:100; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600843; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_5.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp $HOME_NET any -> any any (msg:"Backdoor.SUNBURST"; content:"T "; offset:2; depth:3; content:"/swip/upd/"; within:75; content:" HTTP/1."; distance:0; content:"Host: "; content:!".solarwinds.com"; within:100; sid:77600844; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_6.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_7.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_8.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/snort/Backdoor.SUNBURST_9.rules

@@ -0,0 +1,4 @@
+# Copyright 2020 by FireEye, Inc.
+# You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+# https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+alert tcp any any <> any 443 (msg:"Backdoor.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"deftsecurity.com"; within:50; sid:77600848; rev:1;)

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/yara/APT_Backdoor_SUNBURST_1.yar

@@ -0,0 +1,21 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+rule APT_Backdoor_SUNBURST_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule is looking for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+    strings:
+        $cmd_regex_encoded = "U4qpjjbQtUzUTdONrTY2q42pVapRgooABYxQuIZmtUoA" wide
+        $cmd_regex_plain = { 5C 7B 5B 30 2D 39 61 2D 66 2D 5D 7B 33 36 7D 5C 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 33 32 7D 22 7C 22 5B 30 2D 39 61 2D 66 5D 7B 31 36 7D }
+        $fake_orion_event_encoded = "U3ItS80rCaksSFWyUvIvyszPU9IBAA==" wide
+        $fake_orion_event_plain = { 22 45 76 65 6E 74 54 79 70 65 22 3A 22 4F 72 69 6F 6E 22 2C }
+        $fake_orion_eventmanager_encoded = "U3ItS80r8UvMTVWyUgKzfRPzEtNTi5R0AA==" wide
+        $fake_orion_eventmanager_plain = { 22 45 76 65 6E 74 4E 61 6D 65 22 3A 22 45 76 65 6E 74 4D 61 6E 61 67 65 72 22 2C }
+        $fake_orion_message_encoded = "U/JNLS5OTE9VslKqNqhVAgA=" wide
+        $fake_orion_message_plain = { 22 4D 65 73 73 61 67 65 22 3A 22 7B 30 7D 22 }
+        $fnv_xor = { 67 19 D8 A7 3B 90 AC 5B }
+    condition:
+        $fnv_xor and ($cmd_regex_encoded or $cmd_regex_plain) or ( ($fake_orion_event_encoded or $fake_orion_event_plain) and ($fake_orion_eventmanager_encoded or $fake_orion_eventmanager_plain) and ($fake_orion_message_encoded and $fake_orion_message_plain) )
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUNBURST/yara/APT_Backdoor_SUNBURST_2.yar

@@ -0,0 +1,51 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+rule APT_Backdoor_SUNBURST_2
+{
+    meta:
+        author = "FireEye"
+        description = "The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule is looking for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+    strings:
+        $a = "0y3Kzy8BAA==" wide
+        $aa = "S8vPKynWL89PS9OvNqjVrTYEYqNa3fLUpDSgTLVxrR5IzggA" wide
+        $ab = "S8vPKynWL89PS9OvNqjVrTYEYqPaauNaPZCYEQA=" wide
+        $ac = "C88sSs1JLS4GAA==" wide
+        $ad = "C/UEAA==" wide
+        $ae = "C89MSU8tKQYA" wide
+        $af = "8wvwBQA=" wide
+        $ag = "cyzIz8nJBwA=" wide
+        $ah = "c87JL03xzc/LLMkvysxLBwA=" wide
+        $ai = "88tPSS0GAA==" wide
+        $aj = "C8vPKc1NLQYA" wide
+        $ak = "88wrSS1KS0xOLQYA" wide
+        $al = "c87PLcjPS80rKQYA" wide
+        $am = "Ky7PLNAvLUjRBwA=" wide
+        $an = "06vIzQEA" wide
+        $b = "0y3NyyxLLSpOzIlPTgQA" wide
+        $c = "001OBAA=" wide
+        $d = "0y0oysxNLKqMT04EAA==" wide
+        $e = "0y3JzE0tLknMLQAA" wide
+        $f = "003PyU9KzAEA" wide
+        $h = "0y1OTS4tSk1OBAA=" wide
+        $i = "K8jO1E8uytGvNqitNqytNqrVA/IA" wide
+        $j = "c8rPSQEA" wide
+        $k = "c8rPSfEsSczJTAYA" wide
+        $l = "c60oKUp0ys9JAQA=" wide
+        $m = "c60oKUp0ys9J8SxJzMlMBgA=" wide
+        $n = "8yxJzMlMBgA=" wide
+        $o = "88lMzygBAA==" wide
+        $p = "88lMzyjxLEnMyUwGAA==" wide
+        $q = "C0pNL81JLAIA" wide
+        $r = "C07NzXTKz0kBAA==" wide
+        $s = "C07NzXTKz0nxLEnMyUwGAA==" wide
+        $t = "yy9IzStOzCsGAA==" wide
+        $u = "y8svyQcA" wide
+        $v = "SytKTU3LzysBAA==" wide
+        $w = "C84vLUpOdc5PSQ0oygcA" wide
+        $x = "C84vLUpODU4tykwLKMoHAA==" wide
+        $y = "C84vLUpO9UjMC07MKwYA" wide
+        $z = "C84vLUpO9UjMC04tykwDAA==" wide
+    condition:
+        ($a and $b and $c and $d and $e and $f and $h and $i) or ($j and $k and $l and $m and $n and $o and $p and $q and $r and $s and ($aa or $ab)) or ($t and $u and $v and $w and $x and $y and $z and ($aa or $ab)) or ($ac and $ad and $ae and $af and $ag and $ah and ($am or $an)) or ($ai and $aj and $ak and $al and ($am or $an))
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUPERNOVA/APT_Webshell_SUPERNOVA_1.yar

@@ -0,0 +1,21 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+import "pe"
+
+rule APT_Webshell_SUPERNOVA_1
+{
+    meta:
+        author = "FireEye"
+        description = "SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args). This rule is looking for specific strings and attributes related to SUPERNOVA."
+    strings:
+        $compile1 = "CompileAssemblyFromSource"
+        $compile2 = "CreateCompiler"
+        $context = "ProcessRequest"
+        $httpmodule = "IHttpHandler" ascii
+        $string1 = "clazz"
+        $string2 = "//NetPerfMon//images//NoLogo.gif" wide
+        $string3 = "SolarWinds" ascii nocase wide
+    condition:
+        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and pe.imports("mscoree.dll","_CorDllMain") and $httpmodule and $context and all of ($compile*) and all of ($string*)
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/SUPERNOVA/APT_Webshell_SUPERNOVA_2.yar

@@ -0,0 +1,19 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+
+rule APT_Webshell_SUPERNOVA_2
+{
+    meta:
+        author = "FireEye"
+        description = "This rule is looking for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
+    strings:
+        $dynamic = "DynamicRun"
+        $solar = "Solarwinds" nocase
+        $string1 = "codes"
+        $string2 = "clazz"
+        $string3 = "method"
+        $string4 = "args"
+    condition:
+        uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize < 10KB and 3 of ($string*) and $dynamic and $solar
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/TEARDROP/yara/APT_Dropper_Win64_TEARDROP_1.yar

@@ -0,0 +1,18 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+
+rule APT_Dropper_Win64_TEARDROP_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
+    strings:
+        $loc_4218FE24A5 = { 48 89 C8 45 0F B6 4C 0A 30 }
+        $loc_4218FE36CA = { 48 C1 E0 04 83 C3 01 48 01 E8 8B 48 28 8B 50 30 44 8B 40 2C 48 01 F1 4C 01 FA }
+        $loc_4218FE2747 = { C6 05 ?? ?? ?? ?? 6A C6 05 ?? ?? ?? ?? 70 C6 05 ?? ?? ?? ?? 65 C6 05 ?? ?? ?? ?? 67 }
+        $loc_5551D725A0 = { 48 89 C8 45 0F B6 4C 0A 30 48 89 CE 44 89 CF 48 F7 E3 48 C1 EA 05 48 8D 04 92 48 8D 04 42 48 C1 E0 04 48 29 C6 }
+        $loc_5551D726F6 = { 53 4F 46 54 57 41 52 45 ?? ?? ?? ?? 66 74 5C 43 ?? ?? ?? ?? 00 }
+    condition:
+        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and any of them
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/rules/TEARDROP/yara/APT_Loader_Raw64_TEARDROP_1.yar

@@ -0,0 +1,16 @@
+// Copyright 2020 by FireEye, Inc.
+// You may not use this file except in compliance with the license. The license should have been received with this file. You may obtain a copy of the license at:
+// https://github.com/fireeye/sunburst_countermeasures/blob/main/LICENSE.txt
+
+rule APT_Dropper_Raw64_TEARDROP_1
+{
+    meta:
+        author = "FireEye"
+        description = "This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
+    strings:
+        $sb1 = { C7 44 24 ?? 80 00 00 00 [0-64] BA 00 00 00 80 [0-32] 48 8D 0D [4-32] FF 15 [4] 48 83 F8 FF [2-64] 41 B8 40 00 00 00 [0-64] FF 15 [4-5] 85 C0 7? ?? 80 3D [4] FF }
+        $sb2 = { 80 3D [4] D8 [2-32] 41 B8 04 00 00 00 [0-32] C7 44 24 ?? 4A 46 49 46 [0-32] E8 [4-5] 85 C0 [2-32] C6 05 [4] 6A C6 05 [4] 70 C6 05 [4] 65 C6 05 [4] 67 }
+        $sb3 = { BA [4] 48 89 ?? E8 [4] 41 B8 [4] 48 89 ?? 48 89 ?? E8 [4] 85 C0 7? [1-32] 8B 44 24 ?? 48 8B ?? 24 [1-16] 48 01 C8 [0-32] FF D0 }
+    condition:
+        all of them
+}

2020/2020.12.13.SolarWinds_Supply_Chain_SUNBURST_Backdoor/IOCs/sunburst_countermeasures/signature_table_of_contents.csv

@@ -0,0 +1,39 @@
+family,name,type,SID,status,desc
+SUNBURST,APT_Backdoor_SUNBURST_1,yara,N/A,production,"This rule looks for portions of the SUNBURST backdoor that are vital to how it functions. The first signature fnv_xor matches a magic byte xor that the sample performs on process, service, and driver names/paths. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,APT_Backdoor_SUNBURST_2,yara,N/A,production,"The SUNBURST backdoor uses a domain generation algorithm (DGA) as part of C2 communications. This rule looks for each branch of the code that checks for which HTTP method is being used. This is in one large conjunction, and all branches are then tied together via disjunction. The grouping is intentionally designed so that if any part of the DGA is re-used in another sample, this signature should match that re-used portion. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600832,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600833,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600842,production,"This rule looks for HTTP network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600843,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600844,production,"This rule looks for network requests that are masquerading as the Solar Winds Improvement Program (SWIP) network protocol to non-SolarWinds domains. These network requests are used by the SUNBURST backdoor to provide a sense of legitimacy to the backdoored DLL. This communication should occur over SSL/TLS however these rules will apply in environments with SSL/TLS Inspection. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600845,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related avsvmcloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600846,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600847,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600848,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600849,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600850,production,"This rule looks for SSL/TLS network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600851,production,"This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600852,production,"This rule looks for HTTP network connections associated with the SUNBURST related digitalcollege[.]org domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600853,production,"This rule looks for HTTP network connections associated with the SUNBURST related deftsecurity[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600854,production,"This rule looks for HTTP network connections associated with the SUNBURST related thedoccloud[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,Backdoor.SUNBURST,snort/nx,77600855,production,"This rule looks for HTTP network connections associated with the SUNBURST related virtualdataserver[.]com domain. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,SUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY),hxioc/prod,N/A,supplemental,"This rule identifies writes of specific file types associated with a SUNBURST backdoored version of the SolarWinds.Orion.Core.BusinessLayer.dll process. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,SUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY),hxioc/prod,N/A,supplemental,"This rule identifies URL requests mimicking SolarWinds network traffic, to non-SolarWinds domains. This rule will only match on instances where communication does not occur over SSL/TLS. These requests may be evidence of the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,SUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY),hxioc/prod,N/A,supplemental,"This rule identifies suspicious child processes of SolarWinds.Orion.Core.BusinessLayer.dll that may be evidence of the SUNBURST backdoor. The behavior of SolarWinds.Orion.Core.BusinessLayer.dll is dependent on per-enterprise configuration, so additional tuning may be required to exclude legitimate activity in a given environment. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUNBURST,SUNBURST COMPROMISE INDICATORS,hxioc/prod,N/A,production,"This rule identifies indicators which FireEye associates with the SUNBURST backdoor. SUNBURST is a backdoor that has the ability to spawn and kill processes, write and delete files, set and create registry keys, gather system information, and disable a set of forensic analysis tools and services."
+SUPERNOVA,APT_Webshell_SUPERNOVA_2,yara,N/A,supplemental,"This rule looks for specific strings related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
+SUPERNOVA,APT_Webshell_SUPERNOVA_1,yara,N/A,production,"This rule looks for specific strings and attributes related to SUPERNOVA. SUPERNOVA is a .NET web shell backdoor masquerading as a legitimate SolarWinds web service handler. SUPERNOVA inspects and responds to HTTP requests with the appropriate HTTP query strings, Cookies, and/or HTML form values (e.g. named codes, class, method, and args)."
+COSMICGALE,APT_HackTool_PS1_COSMICGALE_1,yara,N/A,production,"This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
+COSMICGALE,APT_HackTool_PS1_COSMICGALE_1,clamav,N/A,production,"This rule detects various unique strings related to COSMICGALE. COSMICGALE is a credential theft and reconnaissance PowerShell script that collects credentials using the publicly available Get-PassHashes routine. COSMICGALE clears log files, writes acquired data to a hard coded path, and encrypts the file with a password."
+TEARDROP,APT_Dropper_Raw64_TEARDROP_1,yara,N/A,production,"This rule looks for portions of the TEARDROP backdoor that are vital to how it functions. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
+TEARDROP,APT_Dropper_Win64_TEARDROP_1,yara,N/A,production,"This rule is intended match specific sequences of opcode found within TEARDROP, including those that decode the embedded payload. TEARDROP is a memory only dropper that can read files and registry keys, XOR decode an embedded payload, and load the payload into memory. TEARDROP persists as a Windows service and has been observed dropping Cobalt Strike BEACON into memory."
+BEACON,Backdoor.BEACON,snort/nx,77600840,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600863,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600864,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600865,production,"This rule is looking for SSL/TLS network requests associated with known bad BEACON domains during the SSL/TLS handshake. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600837,production,"This rule is looking for network request content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600856,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600857,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600858,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600859,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."
+BEACON,Backdoor.BEACON,snort/nx,77600860,production,"This rule is looking for network response content related to a specific Cobalt Strike BEACON malleable C2 profile. This network should occur over SSL/TLS, however these rules will apply in environments with SSL/TLS Inspection. BEACON is a backdoor that is commercially available as part of the Cobalt Strike software platform. BEACON supports several capabilities, such as injecting and executing arbitrary code, uploading and downloading files, and executing shell commands."