Adversaries are using non-browser-based C2 communication to establish persistent command and control channels, indicative of the Nobelium campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threats that evade traditional network detection methods.
KQL Query

```kusto
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
and AdditionalFields has ".avsvmcloud"
```
```yaml
id: f7dd2c5f-7bb3-4a0a-80a1-45c4d79e4c03
name: c2-lookup-from-nonbrowser[Nobelium]
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.
  More Nobelium-related queries can be found listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceEvents
tactics:
  - Command and control
tags:
  - Nobelium
query: |
  DeviceEvents
  | where ActionType == "DnsQueryResponse" //DNS Query Response
  and AdditionalFields has ".avsvmcloud"
```
| Sentinel Table | Notes |
|---|---|
| DeviceEvents | Ensure this data connector is enabled |
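The following is an added example, not part of the original query page or Microsoft's detection content: it reproduces the query's filter offline over a handful of constructed DeviceEvents rows so an analyst can check the matching behaviour before deploying, in particular that KQL `has` is a whole-term, case-insensitive match (so the leading `.` in `".avsvmcloud"` is a separator, not part of the term, and a substring such as `notavsvmcloud` does not match). The browser list and the `NonBrowser` annotation are assumptions added here to reflect the "from nonbrowser" part of the query name, which the query itself does not filter on.

```python
import json
import re

# Constructed sample DeviceEvents rows (not real telemetry). AdditionalFields is a JSON
# string in Defender telemetry; only the fields this example needs are included.
SAMPLE_EVENTS = [
    {"DeviceName": "ws-01", "ActionType": "DnsQueryResponse",
     "InitiatingProcessFileName": "SolarWinds.BusinessLayerHost.exe",
     "AdditionalFields": json.dumps({"DnsQueryString": "example-host.avsvmcloud.com",
                                     "DnsQueryResult": "192.0.2.10"})},
    {"DeviceName": "ws-02", "ActionType": "DnsQueryResponse",   # unrelated domain: no match
     "InitiatingProcessFileName": "chrome.exe",
     "AdditionalFields": json.dumps({"DnsQueryString": "www.example.com"})},
    {"DeviceName": "ws-03", "ActionType": "DnsQueryRequest",    # wrong ActionType: no match
     "InitiatingProcessFileName": "svchost.exe",
     "AdditionalFields": json.dumps({"DnsQueryString": "x.avsvmcloud.com"})},
    {"DeviceName": "ws-04", "ActionType": "DnsQueryResponse",   # browser-initiated, mixed case
     "InitiatingProcessFileName": "msedge.exe",
     "AdditionalFields": json.dumps({"DnsQueryString": "y.AVSVMCLOUD.com"})},
    {"DeviceName": "ws-05", "ActionType": "DnsQueryResponse",   # substring only: `has` must not match
     "InitiatingProcessFileName": "updater.exe",
     "AdditionalFields": json.dumps({"DnsQueryString": "cdn.notavsvmcloud.net"})},
]

# Assumed list of browser image names used only for the NonBrowser annotation.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}


def kql_has(text, term):
    """Approximation of KQL `has`: every alphanumeric term on the right-hand side must
    appear as a whole term in the left-hand side, case-insensitively. Punctuation such
    as '.' separates terms, so ".avsvmcloud" reduces to the single term "avsvmcloud"."""
    tokens = set(re.findall(r"[a-z0-9]+", text.lower()))
    wanted = re.findall(r"[a-z0-9]+", term.lower())
    return bool(wanted) and all(w in tokens for w in wanted)


def detect_c2_lookups(events, browsers=BROWSERS):
    """Apply the page's filter (ActionType == DnsQueryResponse and AdditionalFields has
    ".avsvmcloud") and annotate each hit with whether the initiating process is a browser."""
    hits = []
    for ev in events:
        if ev.get("ActionType") != "DnsQueryResponse":
            continue
        if not kql_has(ev.get("AdditionalFields", ""), ".avsvmcloud"):
            continue
        proc = ev.get("InitiatingProcessFileName", "")
        hits.append({"DeviceName": ev["DeviceName"], "Process": proc,
                     "NonBrowser": proc.lower() not in browsers,
                     "Query": json.loads(ev["AdditionalFields"]).get("DnsQueryString")})
    return hits
```

Running `detect_c2_lookups(SAMPLE_EVENTS)` returns two hits (ws-01 and ws-04); ws-05 is correctly excluded because `notavsvmcloud` is a different term, and ws-03 because only responses, not requests, are in scope.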
**Scenario:** Legitimate scheduled job using PowerShell for system maintenance
**Description:** A scheduled task runs a PowerShell script that performs system updates or configuration changes, which may include network-related commands that resemble C2 activity.
**Filter/Exclusion:** Exclude processes initiated by schtasks.exe or scripts located in the C:\Windows\System32\ directory with a .ps1 extension.

**Scenario:** Admin using Cobalt Strike for red team exercises
**Description:** Security teams use Cobalt Strike for penetration testing and may execute commands that mimic C2 traffic, such as beaconing or command execution.
**Filter/Exclusion:** Exclude processes with the parent process cobaltstrike.exe or those running from a known red team tooling directory (e.g., C:\RedTeam\).

**Scenario:** Network discovery via PowerShell in a multi-site enterprise
**Description:** System administrators use PowerShell to gather network information across multiple sites, which may include DNS lookups or IP scanning that resemble C2 activity.
**Filter/Exclusion:** Exclude processes initiated by PowerShell.exe with a command line containing Test-NetConnection, Resolve-DnsName, or Get-NetIPAddress.

**Scenario:** Legitimate software update via Microsoft Intune or SCCM
**Description:** Software updates pushed via Microsoft Intune or System Center Configuration Manager (SCCM) may include network communication that appears as C2 traffic.
**Filter/Exclusion:** Exclude processes with the parent process msiexec.exe or those running from the C:\Windows\Temp\ directory during scheduled update windows.

**Scenario:** Database backup using SQL Server Agent job
**Description:** A SQL Server Agent job performs a database backup that includes network communication to a remote backup server, which may be flagged as C2 activity.
**Filter/