News

Elastic Security provides free and open protections for SUNBURST

Note: We have now updated our DGA model for better SUNBURST domain detection. Our model was able to detect all of the SUNBURST domains in this dataset.

Executive summary

  • Elastic Security’s malware prevention technology, used by both Elastic Endgame and the endpoint security capabilities within Elastic Security, has been updated and is not affected by attacks described in this disclosure
  • Existing Elastic Security rules (listed below) can help identify potential attacks
  • New Elastic Security rules (listed below) can help detect new threats
  • Recommended searches/threat hunts are listed below for Elastic Security (Elastic Endgame recommendations can be found on our support portal)
  • Users can leverage Elastic ML models to detect potential C2 from the SUNBURST attack
  • Users are invited to work directly with our protection engineers in our public rules repo

Background

On December 13, SolarWinds released a security advisory regarding a successful supply-chain attack on the Orion management platform. The attack affects Orion versions 2019.4 HF 5 through 2020.2.1, software products released between March and June of 2020. Likewise, on December 13, FireEye released information about a global campaign involving SolarWinds supply-chain compromise that affected some versions of Orion software.

Many details of the intrusion have not been made public, and this content may be later updated as additional information becomes known. Elastic provides this information for users in the free tier, and recommends subscription customers refer to the support portal for additional information about licensed features.

Malware protection

We have updated our MalwareScore protection, used by both Elastic Endgame and Elastic Security. This update includes blocklist entries for known bad file hashes, providing essential prevention capability to mitigate deployed SolarWinds client software containing malicious code. Users should receive this update automatically.

Free and open behavioral detections

We have reviewed public materials disclosed by SolarWinds and FireEye to ensure we have as up-to-date an understanding of tactics, techniques, and procedures (TTPs) as possible. Additionally, Elastic reviewed content published by Volexity describing post-exploitation activities observed during professional services engagements. While information about how the adversary responsible has leveraged this supply-chain compromise is limited, materials published by FireEye and Volexity indicate attempts to obtain lasting operational control by targeting directory services and other forms of authentication with a particular emphasis on information access.

The following existing behavioral detections for the Elastic Security solution may identify evidence of successful post-exploitation:

Additionally, new behavioral rules are being released for the following activities:

Elastic Security users may find value in enabling additional detection-rules in all categories, prioritizing triage and analysis of results related to SolarWinds client software.

Users should note that the detection-rules command-line interface (CLI) is required to import rules, and the import-rules function can import rules in several formats either individually or from a directory.

Threat hunting using Elastic

Users who have deployed the Elastic endpoint may find that hunts focused on the following are important leads to prioritize based on public reporting:

Disabling services via the Windows registry

EQL

registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and registry.data.strings == "4" and not (process.name : "services.exe" and user.domain: "NT AUTHORITY")

KQL

registry.path:HKLM\\System\\*ControlSet*\\Services\\*\\Start and registry.data.strings:"4" and not (process.name:"services.exe" and user.domain:"NT AUTHORITY")

Unusual descendants of the SolarWinds client

EQL

process where event.type in ("start","process_started") and process.parent.name:("SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe")

KQL

event.category:process and event.type:start and process.parent.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")

Creation of executable files by the SolarWinds client

EQL

file where process.name in ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and file.name : ("*.dll*", "*.exe*", "*.ps1*", "*.jpg*", "*.png*")

KQL

event.category:file and event.type:creation and file.extension:(dll or DLL or exe or EXE or ps1 or PS1 or jpg or JPG or png or PNG) and process.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")

Unexpected network communications by the SolarWinds client

EQL

network where network.protocol == "http" and process.name: ("SolarWinds.BusinessLayerHostx64.exe", "ConfigurationWizard.exe", "NetflowDatabaseMaintenance.exe", "NetFlowService.exe", "SolarWinds.Administration.exe", "SolarWinds.BusinessLayerHost.exe", "SolarWinds.Collector.Service.exe" , "SolarwindsDiagnostics.exe") and wildcard(http.request.body.content, "POST*/swip/Upload.ashx*", "PUT*/swip/Upload.ashx*", "GET*/swip/SystemDescription*", "HEAD*/swip/SystemDescription*", "GET*/swip/Events*", "HEAD*/swip/Events*") and not wildcard(http.request.body.content, "POST*solarwinds.com*", "PUT*solarwinds.com*", "GET*solarwinds.com*", "HEAD*solarwinds.com*")

KQL

event.category:network and event.type:protocol and network.protocol:http and process.name:(ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(((*/swip/Upload.ashx* and (POST* or PUT*)) or (*/swip/SystemDescription* and (GET* or HEAD*)) or (*/swip/Events* and (GET* or HEAD*))) and not *solarwinds.com*)

For our users leveraging machine learning

Machine learning is a critical capability when tracking down and detecting unknown threats. Elastic Security ships prebuilt jobs and rules that can jumpstart security teams across any organization. In this case, SUNBURST detection was not the exception. In this blog, Elastic users can find step-by-step instructions to leverage one of the latest additions to our fleet: a model that combines supervised and unsupervised learning for effectively detect Domain Generation Algorithm (DGA) activity in organizations.

Next steps

Elastic will update our malware protection signer allowlist to remove an allowlist entry for SolarWinds Worldwide, LLC. As a result, SolarWinds users may see malware alerts for software signed by SolarWinds. These may be false positives.

Elastic Security's researchers are monitoring this situation for any updates. As new information emerges, we will evaluate and create additional protections as needed.

Elastic recommends users follow all applicable guidance from SolarWinds in addition to the guidance provided in this document. Users of SolarWinds products should also review reference materials for associated network-based indicators and conduct searches to identify potential evidence of prior or ongoing compromise. Elastic users can easily search for atomic indicators without learning a new query language.