Sunburst Correlation DLL And Network Event

Description

The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

The malware sunburst will load the malicious dll by SolarWinds.BusinessLayerHost.exe. After a period of 12-14 days, the malware will attempt to resolve a subdomain of avsvmcloud.com. This detections will correlate both events.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Execution

MITRE ATT&CK Techniques

Exploitation for Client Execution

Exploitation for Client Execution

MITRE Threat Groups

APT12
APT28
APT29
APT32
APT33
APT37
APT41
BRONZE BUTLER
BlackTech
Cobalt Group
Elderwood
Frankenstein
Inception
Lazarus Group
Leviathan
MuddyWater
Patchwork
Sandworm Team
TA459
The White Company
Threat Group-3390
Tropic Trooper
admin@338

Data Sources

Endpoint Detection and Response

   Help

Sunburst Correlation DLL And Network Event Help

This detection relies on sysmon logs with the Event ID 6, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.

   Search

Open in Search