Gateway products block all known network indicators of compromise (IOCs).
All known binaries used in this attack are covered in the 4287 V3 DATs (ENS) and 9835 V2 DATs (SWG and VSE). These DATs were released on December 14, 2020, for cloud-connected systems, and in Global Threat Intelligence (GTI).
Generic detection capabilities, previously provided by Extra.DAT, are included in the 4288 V3 DATs (ENS) and 9836 V2 DATs (SWG and VSE), released on December 15, 2020.
The detection name for threats in this attack is HackTool-Leak.c before the 4288 V3 DATs (ENS) and 9836 V2 DATs (SWG and VSE). After these DATs, the detection name for threats in this attack is Trojan-Sunburst.
At the time of publication, customers using Endpoint Protection Platform will see a Windows Defender detection for Trojan:MSIL/Solorigate.B!dha.
For enhanced detection coverage, Endpoint Protection Platform customers can update to the Endpoint Protection Platform 2011 Hotfix release, made available on December 16, 2020.
- Customers with ePolicy Orchestrator - SaaS: Confirm that Auto-Update is enabled and configured for immediate deployment.
- Customers with on-premises ePO: Check in the Endpoint Protection Platform 2011 Hotfix after downloading it from the Software Center or Product Downloads site, then deploy it to the environment.
For additional information about this release and other Endpoint Protection Platform releases, see KB90744 - Supported platforms for Trellix Endpoint.
For customers who can't update DATs, or who don't use on-access scanning or on-demand scanning, Exploit Prevention coverage can be configured using the following Expert Rules. The rule content is also available in Sunburst_Expert_Rules.zip in the "Attachment" section of this article.
ENS Expert Rules
Rule name | Sunburst: Block creation of named pipe
Severity | High
Action | Block, Report
Rule type | Files
Rule content |
    Rule {
        Process {
            Include OBJECT_NAME {
                -v "SolarWinds.BusinessLayerHost.exe"
                -v "SolarWinds.BusinessLayerHostx64.exe"
            }
        }
        Target {
            Match FILE {
                Include OBJECT_NAME { -v "**583da945-62af-10e8-4902-a8f205c72b2e" }
                Include -access "CONNECT_NAMED_PIPE" ; # Prevents pipe connection
            }
        }
    }
Notes (optional) | This rule trigger indicates that the SolarWinds application tries to create a known malicious named pipe.
Rule name | Sunburst: Detect 7zip anomalous use
Severity | High
Action | Block, Report
Rule type | Processes
Rule content |
    Rule {
        Process {
            Include OBJECT_NAME { -v "rundll32.exe" }
            Include OBJECT_NAME { -v "dllhost.exe" }
            Include GROUP_SID { -v "S-1-16-12288" }
            Include GROUP_SID { -v "S-1-16-16384" }
        }
        Target {
            Match PROCESS {
                Include OBJECT_NAME { -v "7z*" }
                Include PROCESS_CMD_LINE { -v "*-mx9*" }
                Include -access "CREATE"
            }
        }
    }
Notes (optional) | This rule trigger indicates that the SolarWinds application tries to abuse the 7-Zip application.
Rule name | Sunburst: Detect Registering dllhost.exe as a temp service
Severity | High
Action | Block, Report
Rule type | Registry
Rule content |
    Rule {
        Process {
            Include OBJECT_NAME { -v "**" }
        }
        Target {
            Match VALUE {
                Include OBJECT_NAME { -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
                Include OBJECT_NAME { -v "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
                Include -access "CREATE RENAME REPLACE_KEY RESTORE_KEY"
            }
            Match VALUE {
                Include TARGET_OBJECT_NAME { -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
                Include TARGET_OBJECT_NAME { -v "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
                Include -access "RENAME"
            }
        }
    }
Notes (optional) | This rule trigger indicates that an application tries to temporarily register dllhost.exe as a service in the Image File Execution Options registry hive.
Rule name | Sunburst: Prevent loading of unsigned NetSetupSvc.dll
Severity | High
Action | Block, Report
Rule type | Files
Rule content |
    Rule {
        Process {
            Include OBJECT_NAME { -v "**\\svchost.exe" }
        }
        Target {
            Match FILE {
                Include OBJECT_NAME { -v "**\\windows\\syswow64\\netsetupsvc.dll" }
                Exclude CERT_NAME { -v "*Microsoft Corporation*" }
            }
        }
    }
Notes (optional) | NetSetupSVC.dll is a shared DLL that Microsoft uses for several applications such as Microsoft Access and Office. This rule trigger indicates that SVCHost.exe tries to load an unsigned NetSetupSVC.dll, which can indicate a breach.
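To show how the Process/Target Include and Exclude clauses of the rules above combine into a match decision, here is an added Python model (not code from the article or from the Trellix product). It assumes that "**" matches across backslashes while "*" stops at one, that a rule with no -access clause matches any access, and that the matching is case-insensitive; the event records are constructed.

```python
import re
from dataclasses import dataclass, field

def wildcard(pattern: str) -> re.Pattern:
    """Compile an Expert Rule wildcard. Assumed semantics: '**' spans path
    separators, '*' stops at a backslash, matching is case-insensitive."""
    parts = [".*" if tok == "**" else r"[^\\]*" if tok == "*" else re.escape(tok)
             for tok in re.split(r"(\*\*|\*)", pattern)]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

@dataclass
class Rule:
    name: str
    process: list                                     # Process { Include OBJECT_NAME }
    target: list                                      # Target Match { Include OBJECT_NAME }
    access: set = field(default_factory=set)          # Include -access values; empty = any
    exclude_cert: list = field(default_factory=list)  # Exclude CERT_NAME patterns

def rule_matches(rule: Rule, event: dict) -> bool:
    """event keys: process, object, access, cert (None when the file is unsigned)."""
    if not any(wildcard(p).match(event["process"]) for p in rule.process):
        return False
    if not any(wildcard(p).match(event["object"]) for p in rule.target):
        return False
    if rule.access and event["access"] not in rule.access:
        return False
    # Exclude CERT_NAME: a signer matching any exclusion suppresses the rule
    return not any(wildcard(p).match(event.get("cert") or "") for p in rule.exclude_cert)

NETSETUP = Rule("Sunburst: Prevent loading of unsigned NetSetupSvc.dll",
                [r"**\svchost.exe"], [r"**\windows\syswow64\netsetupsvc.dll"],
                exclude_cert=["*Microsoft Corporation*"])
IFEO_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe"
DLLHOST_IFEO = Rule("Sunburst: Detect Registering dllhost.exe as a temp service", ["**"],
                    [IFEO_KEY, IFEO_KEY.replace(r"\Microsoft", r"\Wow6432Node\Microsoft")],
                    access={"CREATE", "RENAME", "REPLACE_KEY", "RESTORE_KEY"})

# Constructed sample events, not real telemetry
EVENTS = [
    dict(process=r"C:\Windows\System32\svchost.exe", object=r"C:\Windows\SysWOW64\NetSetupSvc.dll",
         access="EXECUTE", cert=None),                     # unsigned copy: should fire
    dict(process=r"C:\Windows\System32\svchost.exe", object=r"C:\Windows\SysWOW64\NetSetupSvc.dll",
         access="EXECUTE", cert="Microsoft Corporation"),  # genuine signer: excluded
    dict(process=r"C:\Temp\installer.exe", object=IFEO_KEY, access="CREATE", cert=None),  # key created
    dict(process=r"C:\Temp\installer.exe", object=IFEO_KEY, access="READ", cert=None),    # read only
]

def evaluate(events=EVENTS):
    """Return, per event, the names of the rules it triggers."""
    return [[r.name for r in (NETSETUP, DLLHOST_IFEO) if rule_matches(r, e)] for e in events]
```

The second Match VALUE block of the dllhost.exe rule (TARGET_OBJECT_NAME on RENAME) is not modelled; it covers the rename destination rather than the key being acted on.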
Host IPS Custom Signature:
For Host IPS 8.0, full coverage isn't possible because the product does not support blocking named pipe creation. However, you can use a custom signature for partial coverage. False positive detections might occur, so it's recommended to regularly review any signature events. As with the ENS Expert Rule above, monitor for any loading of NetSetupSvc.dll that is unsigned or not signed by Microsoft.
Signature name | Sunburst: Monitoring of NetSetupSvc.dll through svchost.exe
Severity | High
Platform | Windows
Signature type | Host IPS
Severity level | <Configure to match the LOG or PREVENT threshold of your choice according to your IPS Protection policy>
Client rules | <Enable if you want IPS Adaptive mode to auto-learn an exception when Adaptive mode is enabled>
Log status | <Enable if you want to generate ePO events for signature violations>
Description | NetSetupSVC.dll is a shared DLL that Microsoft uses for several applications such as Microsoft Access and Office. This rule trigger indicates that SVCHost.exe tries to load an unsigned NetSetupSVC.dll, which can indicate a breach.
Subrules | <Click New Expert Subrule>
Subrule syntax |
    Rule {
        Class "Files"
        Id 7000
        level 4
        files { Include "*\\windows\\syswow64\\netsetupsvc.dll" }
        application { Include "*\\svchost.exe" }
        time { Include "*" }
        user_name { Include "*" }
        attributes "-v"
        directives "-d" "-c" "files:execute"
    }
NOTE: The ID value defined above will change (after saving the policy change) to the next available Signature ID in your ePO server database, between ID 4001 and 5999.
Customers using Application and Change Control are advised to unsolidify SolarWinds Orion Platform software if running an affected build. If rules were created to add SolarWinds as an updater, we recommend deleting them.
IPS Signature Set 10.8.16.6, released on December 15, 2020, includes coverage to detect and block the Sunburst Backdoor traffic.
Attack Signature | Attack ID
MEDIUM - BACKDOOR: SUNBURST Activity Detected | 0x40e10a00
NOTE: The referenced content is available only to logged in ServicePortal users. To view the content, click the link and log in when prompted.