Malware

Threat Brief: SolarStorm and SUNBURST Customer Coverage

Clock Icon 14 min read
Related Products
Advanced DNS Security iconAdvanced DNS SecurityAdvanced Threat Prevention iconAdvanced Threat PreventionAdvanced URL Filtering iconAdvanced URL FilteringAdvanced WildFire iconAdvanced WildFireCortex XDR iconCortex XDRCortex XSOAR iconCortex XSOARIoT Security iconIoT SecurityManaged Threat Hunting iconManaged Threat HuntingNext-Generation Firewall iconNext-Generation Firewall

This post is also available in: 日本語 (Japanese)

SolarStorm Response With Next-Generation Firewall

It is possible to identify SolarWinds systems in a network using NGFW traffic monitoring. This section provides details of multiple queries and examples of their outputs. It is imperative for customers to employ the best practices for Palo Alto Networks products in order to ensure their appliances are configured in a manner best suited for their protection.

The following query filter will identify hosts contacting a server using the SolarWinds App-ID. 

 

 

Example query filter to identify hosts contacting a server using the SolarWinds App-ID.

URL Filtering can also help identify compromised servers. This query filter will identify systems connecting to the SolarWinds download server and specifically downloading the SUNBURST plugin update. 

 

 

Example of how URL Filtering can help identify systems connecting to the SolarWinds download server and specifically downloading the SUNBURST plug-in update.
Example of URL Filtering categorizing the download of the SUNBURST plug-in update as malware.

The following URL Filtering query will identify traffic to the known SUNBURST command and control domains: 

 

 

Example of how URL Filtering can identify traffic to the known SUNBURST command and control domains.

File Blocking will identify hosts that have downloaded the known filenames associated with the  SUNBURST plugin update. 

 

 

Example of how File Blocking will identify hosts that have downloaded the known filenames associated with the SUNBURST plug-in update.

Threat logs can expose DNS queries that indicate SUNBURST command and control traffic. The following filter identifies known domain names used by the backdoor. 

 

 

Threat logs can expose DNS queries that indicate SUNBURST command and control traffic.

The following v9.x query can also be used to expose relative DNS queries:

 

 

This example shows how to expose relative DNS queries signaling possible SolarStorm compromise.

WildFire and Threat Prevention identify the known SUNBURST backdoor files. The following filter will identify the specific threats associated with SUNBURST in the Threat log. 

 

 

This example shows how WildFire and Threat Prevention can identify the specific threats associated with SUNBURST in the Threat log.

The following filter will identify known SUNBURST and TEARDROP files submitted to WildFire in the WildFire submissions log: 

 

 

This example shows how known SUNBURST files submitted to WildFire in the WildFire submissions log can be identified.

Threat Prevention can detect command and control traffic from SUNBURST as well as the Cobalt Strike Beacon used by SolarStorm. The following filter will identify this command and control traffic in the Threat log.

 

 

Threat Prevention can detect command and control traffic from SUNBURST as well as the Cobalt Strike Beacon used by SolarStorm.

Continue reading: SolarStorm Response With Cortex XDR and/or Cortex XSOAR

Back to Top

Tags

Table of Contents

Related Articles

Related Malware Resources

Pictorial representation of FrostyGoop malware. Close-up view of a digital screen displaying a pixelated, abstract image, possibly representing a face.
category iconThreat Research

FrostyGoop’s Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications
Read now Right arrow
Pictorial representation of a threat like the Bring Your Own Vulnerable Driver (BYOVD) technique. Image of computer code on a screen with a prominent biohazard symbol.
category iconThreat Research

TA Phone Home: EDR Evasion Testing Reveals Extortion Actor's Toolkit
Read now Right arrow
Pictorial representation of a campaign like Contagious Interview. Digital graphic of a glowing globe with network connections and data streams, symbolizing global connectivity and technology advancements.
category iconThreat Research

Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware
Read now Right arrow
A pictorial representation of machine learning detecting vulnerability scanning. A Black man using a tablet with a background of illuminated city buildings at night.
category iconThreat Research

Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning
Read now Right arrow
Pictorial representation of keylogger malware like KLogEXE and FPSpy. Person working on a laptop with lines of code displayed on the screen, with a blurred effect indicating motion or activity, surrounded by a vivid blue and red lighting.
category iconThreat Actor Groups

Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy
Read now Right arrow
Pictorial representation of SnipBot. Digital abstract background featuring binary code and technology symbols with a blue glow in the shape of a skull.
category iconThreat Research

Inside SnipBot: The Latest RomCom Malware Variant
Read now Right arrow
A pictorial representation of a red team tool like Splinter. A digital illustration showing a 3D brain model surrounded by rising data columns on a circuit board, representing advanced artificial intelligence technology.
category iconThreat Research

Discovering Splinter: A First Look at a New Post-Exploitation Red Team Tool
Read now Right arrow
Pictorial representation of APT groups from North Korea. The silhouette of two fish and the Pisces constellation inside an orange abstract planet, surrounded by two larger blue fish. Abstract, stylized cosmic setting with vibrant blue and purple shapes, representing space and distant planetary bodies.
category iconThreat Actor Groups

Gleaming Pisces Poisoned Python Packages Campaign Delivers PondRAT Linux and MacOS Backdoors
Read now Right arrow
Illustrative image featuring two fish and the Pisces constellation superimposed on a stylized, abstract background with flowing purple waves and a starry night sky.
category iconHigh Profile Threats

Threat Assessment: North Korean Threat Groups
Read now Right arrow
Pictorial representation of Stately Taurus' updated TTPs. Illustration of a bull's head and the Taurus constellation inside a stylized orange moon, set against the profile of a much larger bull's head. Shooting stars are on the dark background.
category iconThreat Actor Groups

Chinese APT Abuses VSCode to Target Government in Asia
Read now Right arrow
Enlarged Image

Default Heading

Read the article Right Arrow