Nobelium uses its command-and-control (C2) infrastructure to establish control over compromised systems. SOC teams should proactively hunt for DNS lookups to that infrastructure in Azure Sentinel to detect and mitigate Nobelium campaign activity early.
KQL Query

```kusto
IdentityQueryEvents
| where ActionType == "DNS query"
| where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
| project Timestamp, QueryTarget, DeviceName, IPAddress, ReportId
```
```yaml
id: 10a55c6e-8cce-4c6a-891c-99ead1771446
name: c2-lookup-response[Nobelium] (1)
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.
  More Nobelium-related queries are listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - IdentityQueryEvents
tactics:
  - Command and control
tags:
  - Nobelium
query: |
  IdentityQueryEvents
  | where ActionType == "DNS query"
  | where QueryTarget has "appsync-api" or QueryTarget has "avsvmcloud.com"
  | project Timestamp, QueryTarget, DeviceName, IPAddress, ReportId
```
| Sentinel Table | Notes |
|---|---|
| IdentityQueryEvents | Ensure this data connector is enabled |
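The following Python is an added example, not part of the original hunting query and not Microsoft's code. It replays the query's logic offline over constructed IdentityQueryEvents-shaped records (hostnames, device names, IP addresses and ReportIds are made up), approximates the term-boundary semantics of KQL's `has` so a reader can see why `myappsync-api.example.net` would not match, and applies the kind of hostname allowlist the false-positive scenarios below describe. The `kql_has` helper is an approximation of Kusto's term matching, not its indexer; `UPDATE_ALLOWLIST` takes its two hostnames from the Windows Update scenario on this page.

```python
"""Offline replica of the Sentinel hunt for Nobelium C2 DNS lookups.

Added example (not from the original page). Mirrors the KQL query:
ActionType == "DNS query", QueryTarget has "appsync-api" or "avsvmcloud.com",
then projects the same columns and applies an optional hostname allowlist.
"""
import re
from typing import Iterable, List

# Indicators taken from the page's KQL query.
INDICATORS = ("appsync-api", "avsvmcloud.com")

# Columns the page's query projects.
PROJECTED = ("Timestamp", "QueryTarget", "DeviceName", "IPAddress", "ReportId")

# Constructed sample events shaped like IdentityQueryEvents rows. Every value
# here is made up for this example; only the two indicator strings are real.
SAMPLE_EVENTS = [
    {"Timestamp": "2020-12-14T03:12:09Z", "ActionType": "DNS query",
     "QueryTarget": "example-label.appsync-api.example-region.avsvmcloud.com",
     "DeviceName": "ws-001.corp.example", "IPAddress": "10.0.0.21", "ReportId": 1001},
    {"Timestamp": "2020-12-14T03:12:10Z", "ActionType": "DNS query",
     "QueryTarget": "update.microsoft.com",
     "DeviceName": "ws-001.corp.example", "IPAddress": "10.0.0.21", "ReportId": 1002},
    # Not a DNS query: the first where-clause must drop it even though it matches.
    {"Timestamp": "2020-12-14T03:15:44Z", "ActionType": "LDAP query",
     "QueryTarget": "avsvmcloud.com",
     "DeviceName": "dc-01.corp.example", "IPAddress": "10.0.0.5", "ReportId": 1003},
    # Substring but not a whole term: KQL `has` does not match this.
    {"Timestamp": "2020-12-14T04:01:02Z", "ActionType": "DNS query",
     "QueryTarget": "myappsync-api.example.net",
     "DeviceName": "ws-002.corp.example", "IPAddress": "10.0.0.22", "ReportId": 1004},
    # Upper-case name: `has` is case-insensitive, so this is still a hit.
    {"Timestamp": "2020-12-14T04:07:30Z", "ActionType": "DNS query",
     "QueryTarget": "AVSVMCLOUD.COM",
     "DeviceName": "srv-03.corp.example", "IPAddress": "10.0.1.8", "ReportId": 1005},
]


def kql_has(text: str, term: str) -> bool:
    """Approximate KQL `has`: case-insensitive, and `term` must start and end on
    a term boundary (Kusto treats runs of alphanumerics as terms). This is an
    approximation written for this example, not Kusto's own term index."""
    pattern = r"(?<![0-9A-Za-z])" + re.escape(term) + r"(?![0-9A-Za-z])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def matches_query(event: dict) -> bool:
    """Mirror the two `where` clauses of the page's KQL query."""
    if event.get("ActionType") != "DNS query":
        return False
    target = event.get("QueryTarget", "")
    return any(kql_has(target, indicator) for indicator in INDICATORS)


def is_allowlisted(target: str, allowlist: Iterable[str]) -> bool:
    """True when the queried name is an allowlisted hostname or a subdomain of
    one (suffix match on a label boundary, so 'microsoft.com' is not excused
    by 'update.microsoft.com')."""
    name = target.lower().rstrip(".")
    for entry in allowlist:
        allowed = entry.lower().rstrip(".")
        if name == allowed or name.endswith("." + allowed):
            return True
    return False


def hunt(events: Iterable[dict], allowlist: Iterable[str] = ()) -> List[dict]:
    """Return the projected columns for every event the query would surface,
    minus allowlisted targets. Mirrors `| project ...` in the page's query."""
    hits = []
    for event in events:
        if matches_query(event) and not is_allowlisted(event["QueryTarget"], allowlist):
            hits.append({column: event.get(column) for column in PROJECTED})
    return hits


# Tuning from the page's "Legitimate Windows Update Check" scenario.
UPDATE_ALLOWLIST = ("update.microsoft.com", "windowsupdate.microsoft.com")


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS, UPDATE_ALLOWLIST):
        print(hit)
```

Running it surfaces ReportIds 1001 and 1005 and nothing else; applying the Windows Update allowlist leaves those two untouched, which is the check worth keeping whenever a tuning filter is added: an exclusion must remove only the benign rows it was written for, never a true positive.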
Scenario: Legitimate Windows Update Check
Description: A system is performing a routine Windows update check, which may involve querying a domain that is also used by the Nobelium C2 infrastructure.
Filter/Exclusion: Exclude the hostnames of Microsoft update servers (e.g., update.microsoft.com, windowsupdate.microsoft.com). In the query above the queried name is the QueryTarget column, so the exclusion is:
| where not(QueryTarget in~ ("update.microsoft.com", "windowsupdate.microsoft.com"))
Scenario: Scheduled System Maintenance Task
Description: A scheduled task is running a system maintenance script that connects to a domain used by the Nobelium C2. This could be a false positive if the domain is used for legitimate system health checks.
Filter/Exclusion: Exclude lookups made by known system maintenance processes. Use a filter like:
(process_name == "schtasks.exe" || process_name == "taskhost.exe") && (domain == "internal.system.maintenance.domain")
IdentityQueryEvents carries no initiating-process column, so a process-based exclusion has to come from a table that records one (for example DeviceNetworkEvents and its InitiatingProcessFileName) joined to the DNS events on DeviceName and time.
Scenario: Admin Access via Remote Desktop (RDP)
Description: An administrator is accessing a server remotely using RDP, and the connection is being flagged due to the use of a domain that overlaps with Nobelium C2 domains.
Filter/Exclusion: Exclude RDP connections to internal servers. Use a filter like:
(process_name == "mstsc.exe" || process_name == "rdpclip.exe") && (domain == "internal.corp.domain")
As with the maintenance-task scenario, the process name is not available in IdentityQueryEvents and must be joined in from a table that records it.
Scenario: Legitimate Cloud Provider API Calls
Description: A cloud service (e.g., AWS, Azure) is making API calls to a domain that is also used by Nobelium. This could be a false positive if the domain is used for legitimate cloud operations.
Filter/Exclusion: