The hypothesis is that the observed command-line execution via echo may indicate the deployment of Nobelium malware through a supply chain compromise. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversary activity and prevent further lateral movement and data exfiltration.
KQL Query

```kusto
DeviceProcessEvents
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
| where FileName == "cmd.exe" and ProcessCommandLine has "echo"
```
```yaml
id: c250fb07-a349-4c2c-a38c-2321e32235ca
name: launching-cmd-echo[Nobelium]
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query detects events when SolarWinds processes attempted to launch the cmd.exe command prompt using the 'echo' command. Using 'echo' in this way is suspicious, as it is an indirect way of issuing commands, and may not be readily detected by certain kinds of security solutions.
  More Nobelium-related queries can be found listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
  https://docs.microsoft.com/windows-server/administration/windows-commands/cmd
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Defense evasion
tags:
  - Nobelium
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
  | where FileName == "cmd.exe" and ProcessCommandLine has "echo"
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Task
Description: A legitimate scheduled task runs cmd.exe with echo to output log messages or verify script execution.
Filter/Exclusion: Exclude processes associated with schtasks.exe or tasks with known names like SystemMaintenance or DiskCleanup.
Scenario: Admin Debugging or Script Testing
Description: A system administrator uses cmd.exe with echo to test a script or debug a command-line tool like PowerShell.exe or certutil.exe.
Filter/Exclusion: Exclude processes initiated by users with administrative privileges or those running from known admin tools like PowerShell.exe or certutil.exe.
Scenario: Log File Generation via Command Prompt
Description: A script or tool like logparser.exe or eventvwr.exe uses cmd.exe with echo to generate or append logs.
Filter/Exclusion: Exclude processes where the parent process is logparser.exe, eventvwr.exe, or taskhost.exe.
Scenario: Software Installation or Patching
Description: A legitimate software update or patching tool (e.g., msiexec.exe, setup.exe) uses cmd.exe with echo during installation.
Filter/Exclusion: Exclude processes where the parent process is msiexec.exe, setup.exe, or wusa.exe.
Scenario: User-Initiated Command Prompt Session
Description: A user manually opens cmd.exe and runs echo to test or troubleshoot a command, such as verifying a path or checking environment variables.
Filter/Exclusion: Exclude processes where the user is a known admin or where the command is part of a documented troubleshooting procedure.
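Pulling the hunting query and the false-positive notes above together, here is an added triage version of the query (not the page's own query and not Microsoft's). It assumes a 30-day lookback, treats the task names SystemMaintenance and DiskCleanup from the scenarios above as command-line terms to suppress, and uses only columns that exist in the DeviceProcessEvents schema (Timestamp, DeviceName, AccountName, ProcessCommandLine, FileName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256).

```kusto
// Added example, not the original hunting query. Assumptions: the 30d window,
// the knownTasks allowlist, and the summarize layout are chosen here.
let lookback = 30d;
// Documented benign task names taken from the false-positive scenarios above.
// Assumption: the task name appears in the cmd.exe command line; tune per estate.
let knownTasks = dynamic(["SystemMaintenance", "DiskCleanup"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
// The parent constraint is what makes this query high-signal: SolarWinds
// BusinessLayerHost has no routine reason to spawn cmd.exe with echo.
| where InitiatingProcessFileName =~ "SolarWinds.BusinessLayerHost.exe"
// =~ is case-insensitive; the original == on FileName would miss "CMD.EXE".
// has matches "echo" as a whole term, so "echoing" or "fooecho" do not match.
| where FileName =~ "cmd.exe" and ProcessCommandLine has "echo"
// Suppress command lines that name a documented maintenance task.
| where not(ProcessCommandLine has_any (knownTasks))
// Collapse to one row per host and parent binary so an analyst can see
// volume, time span, the exact command lines, and which accounts ran them.
| summarize
    Hits = count(),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    CommandLines = make_set(ProcessCommandLine, 20),
    Accounts = make_set(AccountName, 10)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessSHA256
| order by Hits desc
```

Keeping InitiatingProcessSHA256 in the output lets the analyst compare the parent binary's hash against a known-good SolarWinds build before deciding whether a hit is a tuning candidate or an incident.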