Adversaries are using non-browser-based C2 communication to establish persistent command and control channels, indicative of the Nobelium campaign. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate early-stage compromises associated with advanced persistent threats.
KQL Query
IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName ,IPAddress,ReportId
id: 58899f81-6ad4-4f42-9003-5e315c43585e
name: c2-lookup-from-nonbrowser[Nobelium] (1)
description: |
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.
More Nobelium-related queries can be found listed under the See also section of this document.
References:
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- IdentityQueryEvents
tactics:
- Command and control
tags:
- Nobelium
query: |
IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName ,IPAddress,ReportId
| Sentinel Table | Notes |
|---|---|
IdentityQueryEvents | Ensure this data connector is enabled |
Scenario: Legitimate Scheduled Job Using PowerShell for System Maintenance
Description: A scheduled task runs a PowerShell script that performs system updates or configuration changes, which may include network-related commands that resemble C2 activity.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "schtasks.exe"
Scenario: Admin Task Using Windows Management Instrumentation (WMI) for Remote Management
Description: An administrator uses WMI to remotely manage servers, which can result in network connections that may be flagged as C2 activity.
Filter/Exclusion: process.name != "wmic.exe" OR process.parent.name != "services.exe"
Scenario: Legitimate Use of Microsoft Defender ATP for Threat Hunting
Description: Security analysts use Microsoft Defender ATP to perform threat hunting, which may involve querying network connections or processes that resemble C2 behavior.
Filter/Exclusion: process.name != "msdefender.exe" OR process.parent.name != "taskeng.exe"
Scenario: Internal Network Discovery via PowerShell for Network Inventory
Description: A script runs PowerShell to discover internal network devices for inventory purposes, which may trigger the rule due to network connection patterns.
Filter/Exclusion: process.name != "powershell.exe" OR process.parent.name != "explorer.exe" AND process.parent.name != "taskmgr.exe"
Scenario: Legitimate Use of Azure DevOps Pipeline for CI/CD Deployment
Description: A CI/CD pipeline uses Azure DevOps to deploy code, which may involve network calls that resemble C2 activity during artifact retrieval.
Filter/Exclusion: process.name != "azure-pipelines.exe" OR process.parent.name != "cmd.exe" AND process.parent.name != "powershell.exe"