Adversaries may establish unauthorized network connections to SolarWinds IP addresses to exfiltrate data or move laterally within the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise from supply chain attacks leveraging CVE-2021-35211.
KQL Query

```kql
let IPs = pack_array("98.176.196.89", "68.235.178.32",
    "208.113.35.58", "144.34.179.162", "97.77.97.58");
DeviceNetworkEvents
| where RemotePort == 443
| where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
| where Timestamp > ago(7d)
| where RemoteIP in (IPs)
```
```yaml
id: ff01fb94-9b27-48b9-a304-2e86108b5ca4
name: SolarWinds - CVE-2021-35211
description: |
  Check for network connections to SolarWinds-related IOC IPs based on DeviceNetworkEvents
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceNetworkEvents
tactics:
  - CommandAndControl
query: |
  let IPs = pack_array("98.176.196.89", "68.235.178.32",
      "208.113.35.58", "144.34.179.162", "97.77.97.58");
  DeviceNetworkEvents
  | where RemotePort == 443
  | where Protocol == "Tcp" and ActionType == "ConnectionSuccess"
  | where Timestamp > ago(7d)
  | where RemoteIP in (IPs)
```
| Sentinel Table | Notes |
|---|---|
| DeviceNetworkEvents | Ensure this data connector is enabled |
- Scenario: A system administrator is using SolarWinds Network Performance Monitor (NPM) to perform routine health checks on the network.
  Filter/Exclusion: Add a filter for process.name containing “SolarWindsNPM” or “SolarWinds” to exclude legitimate monitoring activities.
- Scenario: A scheduled job runs SolarWinds Log Viewer to process and archive log files as part of a daily maintenance task.
  Filter/Exclusion: Include a condition for process.name matching “LogViewer” or “SolarWindsLogViewer” to exclude scheduled log processing.
- Scenario: An IT technician is using SolarWinds Server & Application Monitor (SAM) to troubleshoot a service issue on a remote server.
  Filter/Exclusion: Filter by process.name containing “SolarWindsSAM” or “SAM” to exclude legitimate troubleshooting activities.
- Scenario: A backup job is configured to transfer SolarWinds configuration files between servers using a script or scheduled task.
  Filter/Exclusion: Add a filter for process.name containing “backup” or “SolarWindsConfig” to exclude legitimate file transfers.
- Scenario: A developer is using SolarWinds IP Intelligence to analyze network traffic for security research purposes.
  Filter/Exclusion: Include a condition for process.name containing “IPIntelligence” or “SolarWindsIP” to exclude legitimate security analysis activities.
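The following added example (not part of the original page or of any Sentinel content) replays the KQL filters above over constructed DeviceNetworkEvents rows and applies the process-name exclusions from the scenarios as a second stage, so that tuned-out rows stay visible for review. It assumes the process name lives in `InitiatingProcessFileName` (the DeviceNetworkEvents column; `process.name` as written is not a column of that table) and that the sample rows are constructed, not real telemetry.

```python
from datetime import datetime, timedelta, timezone

# IOC list copied from the page's KQL query.
IOC_IPS = {"98.176.196.89", "68.235.178.32", "208.113.35.58",
           "144.34.179.162", "97.77.97.58"}

# Markers from the page's false-positive scenarios; assumed to be matched against
# DeviceNetworkEvents.InitiatingProcessFileName rather than "process.name".
BENIGN_PROCESS_MARKERS = ("SolarWindsNPM", "SolarWindsLogViewer", "SolarWindsSAM")

def hunt(events, now, lookback_days=7, exclusions=()):
    """Mirror the KQL: successful TCP/443 connections inside the lookback window
    whose RemoteIP is on the IOC list. Returns (matches, suppressed) so rows
    removed by a process-name exclusion remain reviewable instead of vanishing."""
    cutoff = now - timedelta(days=lookback_days)
    matches, suppressed = [], []
    for e in events:
        if e["RemotePort"] != 443 or e["Protocol"] != "Tcp":
            continue                     # | where RemotePort == 443 and Protocol == "Tcp"
        if e["ActionType"] != "ConnectionSuccess" or e["Timestamp"] <= cutoff:
            continue                     # ActionType filter and Timestamp > ago(7d)
        if e["RemoteIP"] not in IOC_IPS:
            continue                     # | where RemoteIP in (IPs)
        proc = e.get("InitiatingProcessFileName", "").lower()
        if any(m.lower() in proc for m in exclusions):
            suppressed.append(e)         # tuned out by the scenario exclusions
        else:
            matches.append(e)
    return matches, suppressed

# Constructed sample telemetry (not real data); NOW anchors the 7-day window.
NOW = datetime(2021, 7, 20, 12, 0, tzinfo=timezone.utc)

def ev(hours_ago, device, ip, proc, port=443, action="ConnectionSuccess"):
    return {"Timestamp": NOW - timedelta(hours=hours_ago), "DeviceName": device,
            "RemoteIP": ip, "RemotePort": port, "Protocol": "Tcp",
            "ActionType": action, "InitiatingProcessFileName": proc}

SAMPLE_EVENTS = [
    ev(2, "srv-u01", "98.176.196.89", "Serv-U.exe"),                          # hit
    ev(5, "ws-17", "68.235.178.32", "chrome.exe", action="ConnectionFailed"),  # not a success
    ev(24, "npm01", "208.113.35.58", "SolarWindsNPM.exe"),                    # hit, tunable
    ev(3, "srv-u02", "144.34.179.162", "Serv-U.exe", port=8080),              # wrong port
    ev(240, "fs01", "97.77.97.58", "svchost.exe"),                            # outside 7d
    ev(1, "ws-03", "10.0.0.5", "outlook.exe"),                                # not an IOC
]

if __name__ == "__main__":
    hits, tuned = hunt(SAMPLE_EVENTS, NOW, exclusions=BENIGN_PROCESS_MARKERS)
    print([h["DeviceName"] for h in hits], [t["DeviceName"] for t in tuned])
```

Running it without exclusions yields two hits; with the scenario exclusions the npm01 row moves to the suppressed list, which is the set an analyst should spot-check before trusting the tuning.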