SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)

Hunt Hypothesis

Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEven

KQL Query

let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
imFileEvent
| where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
| extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
| extend AlgorithmType = "MD5"

Analytic Rule Definition

id: bc5ffe2a-84d6-48fe-bc7b-1055100469bc
name: SUNBURST and SUPERNOVA backdoor hashes (Normalized File Events)
description: |
  Identifies SolarWinds SUNBURST and SUPERNOVA backdoor file hash IOCs in File Events
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimFileEvent)
  References:
  - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  - https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
severity: High
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Execution
  - Persistence
  - InitialAccess
relevantTechniques:
  - T1195
  - T1059
  - T1546
tags:
  - Id: a3c144f9-8051-47d4-ac29-ffb0c312c910
    version: 1.0.0
query:  |
  let SunburstMD5=dynamic(["b91ce2fa41029f6955bff20079468448","02af7cec58b9a5da1c542b5a32151ba1","2c4a910a1299cdae2a4e55988a2f102e","846e27a652a5e1bfbd0ddd38a16dc865","4f2eb62fa529c0283b28d05ddd311fae"]);
  let SupernovaMD5="56ceb6d0011d87b6e4d7023d7ef85676";
  imFileEvent
  | where TargetFileMD5 in (SunburstMD5) or TargetFileMD5 in (SupernovaMD5)
  | extend AccountName = tostring(split(User, @'\')[1]), AccountNTDomain = tostring(split(User, @'\')[0])
  | extend AlgorithmType = "MD5"
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: User
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountNTDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Dvc
      - identifier: HostName
        columnName: DvcHostname
      - identifier: DnsDomain
        columnName: DvcDomain
  - entityType: FileHash
    fieldMappings:
      - identifier: Algorithm
        columnName: AlgorithmType
      - identifier: Value
        columnName: TargetFileMD5
version: 1.0.7
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Yaron
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Intelligence" ]

Required Data Sources

Sentinel Table	Notes
`imFileEvent`	Ensure this data connector is enabled

MITRE ATT&CK Context

Tactic: Execution
Tactic: Persistence
Tactic: InitialAccess
Tactic: Initial Access
Tactic: Privilege Escalation
Technique: T1195 — Supply Chain Compromise

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any sta

Technique: T1059 — Command and Scripting Interpreter

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common featu
Technique: T1546 — Event Triggered Execution

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe t

Validation (Atomic Red Team)

References

Source Query