← Back to SOC feed Coverage →

locate-dll-created-locally[Nobelium]

kql MEDIUM Azure-Sentinel
DeviceFileEvents
aptbackdoorhuntingmicrosoftofficial
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at Azure-Sentinel →
Retrieved: 2026-05-06T23:00:00Z · Confidence: medium

Hunt Hypothesis

The hypothesis is that the detection identifies the creation of a locally hosted DLL file, which may indicate the presence of the Nobelium adversary leveraging a supply chain attack vector. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of internal systems and mitigate lateral movement risks.

KQL Query

DeviceFileEvents 
| where SHA1 in ("76640508b1e7759e548771a5359eaed353bf1eec","d130bd75645c2433f88ac03e73395fba172ef676","1acf3108bf1e376c8848fbb25dc87424f2c2a39c","e257236206e99f5a5c62035c9c59c57206728b28","6fdd82b7ca1c1f0ec67c05b36d14c9517065353b","2f1a5a7411d015d01aaee4535835400191645023","bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387","16505d0b929d80ad1680f993c02954cfd3772207","d8938528d68aabe1e31df485eb3f75c8a925b5d9","395da6d4f3c890295f7584132ea73d759bd9d094","c8b7f28230ea8fbf441c64fdd3feeba88607069e","2841391dfbffa02341333dd34f5298071730366a","2546b0e82aecfe987c318c7ad1d00f9fa11cd305","2dafddbfb0981c5aa31f27a298b9c804e553c7bc","e2152737bed988c0939c900037890d1244d9a30e","fd15760abfc0b2537b89adc65b1ff3f072e7e31c") or SHA256 in ("32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6","dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b","eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed","ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77","0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589","e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d","20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9","2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d","a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d","92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690","a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2","b8a05cc492f70ffa4adcd446b693d5aa2b71dc4fa2bf5022bf60d7b13884f666","cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6","ffdbdd460420972fd2926a7f460c198523480bc6279dd6cca177230db18748e8")

Analytic Rule Definition

id: 644a6cea-7662-45db-89d0-a9136a9a5da6
name: locate-dll-created-locally[Nobelium]
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query locates malicious Nobelium-associated DLLs that have been created in the system or locally.
  More Nobelium-related queries can be found listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceFileEvents
tactics:
- Persistence
- Impact
- Malware, component
tags:
- Nobelium
query: |
  DeviceFileEvents 
  | where SHA1 in ("76640508b1e7759e548771a5359eaed353bf1eec","d130bd75645c2433f88ac03e73395fba172ef676","1acf3108bf1e376c8848fbb25dc87424f2c2a39c","e257236206e99f5a5c62035c9c59c57206728b28","6fdd82b7ca1c1f0ec67c05b36d14c9517065353b","2f1a5a7411d015d01aaee4535835400191645023","bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387","16505d0b929d80ad1680f993c02954cfd3772207","d8938528d68aabe1e31df485eb3f75c8a925b5d9","395da6d4f3c890295f7584132ea73d759bd9d094","c8b7f28230ea8fbf441c64fdd3feeba88607069e","2841391dfbffa02341333dd34f5298071730366a","2546b0e82aecfe987c318c7ad1d00f9fa11cd305","2dafddbfb0981c5aa31f27a298b9c804e553c7bc","e2152737bed988c0939c900037890d1244d9a30e","fd15760abfc0b2537b89adc65b1ff3f072e7e31c") or SHA256 in ("32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6","dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b","eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed","ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77","0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589","e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d","20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9","2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d","a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba48514366

Required Data Sources

Sentinel TableNotes
DeviceFileEventsEnsure this data connector is enabled

MITRE ATT&CK Context

References

False Positive Guidance

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Hunting Queries/Microsoft 365 Defender/Campaigns/locate-dll-created-locally[Nobelium].yaml