{
	"id": "67c5e277-0c09-473c-85f4-ae475ddc74c6",
	"created_at": "2026-04-10T03:22:01.979363Z",
	"updated_at": "2026-04-10T13:12:41.960027Z",
	"deleted_at": null,
	"sha1_hash": "04062facb95f38607f39ece8368c17b81a940954",
	"title": "sunburst_countermeasures.md",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38642,
	"plain_text": "sunburst_countermeasures.md\r\nBy 262588213843476\r\nArchived: 2026-04-10 03:13:46 UTC\r\nFireEye Sunburst KQL Detections\r\nFireEye released a very interesting article regarding a third-party compromise of SolarWinds; the detections that are possible in Defender for Endpoint are listed below.\r\nBlog post\r\nAll FireEye detections\r\nDeviceEvents\r\n| where ActionType contains \"ExploitGuardNonMicrosoftSignedBlocked\"\r\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\r\nlet SunburstMD5=dynamic([\"b91ce2fa41029f6955bff20079468448\",\"02af7cec58b9a5da1c542b5a32151ba1\",\"2c4a9\r\nlet SupernovaMD5=\"56ceb6d0011d87b6e4d7023d7ef85676\";\r\nDeviceFileEvents\r\n| where MD5 in(SunburstMD5) or MD5 in(SupernovaMD5)\r\nlet SunburstURL=dynamic([\"panhardware.com\",\"databasegalore.com\",\"avsvmcloud.com\",\"freescanonline.com\r\nDeviceNetworkEvents\r\n| where ActionType == \"ConnectionSuccess\"\r\n| where RemoteUrl in(SunburstURL)\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"solarwinds.businesslayerhost.exe\"\r\n| where not(FolderPath endswith @\"\\SolarWinds\\Orion\\APM\\APMServiceControl.exe\"\r\nor FolderPath endswith @\"\\SolarWinds\\Orion\\ExportToPDFCmd.Exe\"\r\nor FolderPath endswith @\"\\SolarWinds.Credentials\\SolarWinds.Credentials.Orion.WebApi\r\nor FolderPath endswith @\"\\SolarWinds\\Orion\\Topology\\SolarWinds.Orion.Topology.Calcula\r\nor FolderPath endswith @\"\\SolarWinds\\Orion\\Database-Maint.exe\"\r\nor FolderPath endswith @\"\\SolarWinds.Orion.ApiPoller.Service\\SolarWinds.Orion.ApiPoll\r\nor FolderPath endswith @\"\\Windows\\SysWOW64\\WerFault.exe\"\r\n)\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName =~ \"solarwinds.businesslayerhost.exe\"\r\n| where FileName endswith \"exe\" or FileName endswith \"dll\" or FileName endswith \"ps1\" or FileName end\r\nSource: https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f"
	],
	"report_names": [
		"71ffdd4cab4b6acd5cbcd1a0691ff82f"
	],
	"threat_actors": [],
	"ts_created_at": 1775791321,
	"ts_updated_at": 1775826761,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04062facb95f38607f39ece8368c17b81a940954.pdf",
		"text": "https://archive.orkl.eu/04062facb95f38607f39ece8368c17b81a940954.txt",
		"img": "https://archive.orkl.eu/04062facb95f38607f39ece8368c17b81a940954.jpg"
	}
}