# Extracting Security Products from SUNBURST DNS Beacons

Erik Hjelmvik, netresec.com, Tuesday, 29 December 2020 09:38:00 (UTC/GMT)

The latest version of our [SunburstDomainDecoder (v1.7)](https://netresec.com/?b=20C0f71) can be used to reveal which endpoint protection applications are installed on trojanized SolarWinds Orion deployments. The security application info is extracted from DNS queries for "avsvmcloud.com" subdomains, the domain that SUNBURST uses as a beacon and C2 channel.

Here's an example showing that the City of Kingston, Ontario, Canada was running Windows Defender on their trojanized SolarWinds deployment back in June 2020:

```
C:\> SunburstDomainDecoder.exe < uniq-hostnames.txt | findstr F9A9387F7D252842
F9A9387F7D252842    2020-06-16T00:00:00.0000000Z, WindowsDefender_RUNNING,WindowsDefender_STOPPED    lt5ai41qh5d53qoti3mkmc0
F9A9387F7D252842    on.ca    olc62cocacn7u2q22v02eu
F9A9387F7D252842    2020-06-17T00:00:00.0000000Z    q94idf4sjbem0rait7gv
F9A9387F7D252842    city.kingston.    r1qshoj05ji05ac6eoip02jovt6i2v0c
F9A9387F7D252842    city.kingston.on.ca
```

The "F9A9387F7D252842" value is the victim's unique SUNBURST GUID. See our blog post [Reassembling Victim Domain Fragments from SUNBURST DNS](https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS) for more info about how the GUID value is encoded into the DNS traffic.
You can also run SunburstDomainDecoder in Linux, with help of [Mono](https://www.mono-project.com/download/stable/), like this:

```
$ mono SunburstDomainDecoder.exe < uniq-hostnames.txt | grep 76330B4D49BF7EC4
76330B4D49BF7EC4    LABELMAR    e8fh1ravufms0qpt00gudir2951udivf
76330B4D49BF7EC4    2020-05-30T12:30:00.0000000Z, ESET_RUNNING,ESET_STOPPED    gp27ssesmvnpkgff7rc0eok
76330B4D49BF7EC4    nde5gaefm oiltaoj08jjd8h12vnr4tur5h
76330B4D49BF7EC4    LABELMARKET.ES
```

The file "uniq-hostnames.txt" is a [publicly available SUNBURST passive DNS repository](https://github.com/bambenek/research/tree/main/sunburst) created by Bambenek Consulting.

-----

**Security Product Statistics**

It is also possible to use the passive DNS data shared by [Bambenek](https://github.com/bambenek/research/tree/main/sunburst), [Joe Słowik](https://twitter.com/jfslowik/status/1338321984527228928) and [others](https://docs.google.com/spreadsheets/d/1fpyFt0GL2Swxn0Ihw43eu-kM7HlJXni0EvFYqqMRTz8/) to compute statistics of which security products are popular among SolarWinds' customers.

| Application | Count |
|---|---|
| Windows Defender | 150 |
| Windows Defender ATP | 1 |
| MS Azure ATP / Defender for Identity | 0 |
| Carbon Black | 21 |
| CrowdStrike Falcon | 25 |
| FireEye | 9 |
| ESET | 32 |
| F-Secure | 0 |

It is worth mentioning that SUNBURST does not report status for several other major endpoint protection vendors, such as Kaspersky, McAfee, Symantec, Sophos or Trend Micro.

**Download SunburstDomainDecoder**

Our tool SunburstDomainDecoder is released under a [Creative Commons CC-BY license](https://creativecommons.org/licenses/by/2.0/), and can be downloaded here:

[https://www.netresec.com/files/SunburstDomainDecoder.zip](https://www.netresec.com/files/SunburstDomainDecoder.zip)

-----

You can also read more about SunburstDomainDecoder in our blog post [Reassembling Victim Domain Fragments from SUNBURST DNS](https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS).
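The decoder output shown in the Windows Defender and ESET examples above, and the per-product counts in the statistics table, are two ends of the same pipeline. The script below is an added example, not part of the original post and not Netresec's code: it parses SunburstDomainDecoder's stdout, groups the records by victim GUID and counts each product once per GUID, so a victim that beaconed on several days (the Kingston GUID has pings on both 16 and 17 June) is not counted several times. It assumes the columns are tab-separated in the layout visible above (GUID, decoded payload, original subdomain, plus a two-column summary line with the reassembled victim domain); the third GUID, the extra beacons and their subdomain strings in the sample are constructed for illustration.

```python
"""Tally SUNBURST security-product reports per victim GUID.

Added example, not Netresec's code. It consumes the text that
SunburstDomainDecoder writes to stdout and counts each product once per
GUID. The column layout is assumed from the sample output in the post;
adjust the split() if your copy of the tool uses another separator.
"""
import re
from collections import defaultdict

# Assumed decoder record layout (tab-separated):
#   <GUID>\t<decoded payload>\t<original subdomain>   one line per beacon
#   <GUID>\t<reassembled victim domain>               summary line
# A "ping" payload looks like:
#   <ISO-8601 timestamp>, <Product>_RUNNING,<Product>_STOPPED,...
GUID_RE = re.compile(r"[0-9A-F]{16}")
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z$")
STATUS_RE = re.compile(r"^([A-Za-z0-9]+)_(RUNNING|STOPPED)$")

# Constructed sample. The F9A9387F7D252842 and 76330B4D49BF7EC4 lines are
# copied from the blog post; the "madeup..." subdomains, the extra
# Kingston beacon and the A1B2C3D4E5F60718 victim are invented.
SAMPLE_OUTPUT = (
    "F9A9387F7D252842\t2020-06-16T00:00:00.0000000Z, WindowsDefender_RUNNING,WindowsDefender_STOPPED\tlt5ai41qh5d53qoti3mkmc0\n"
    "F9A9387F7D252842\ton.ca\tolc62cocacn7u2q22v02eu\n"
    "F9A9387F7D252842\t2020-06-17T00:00:00.0000000Z\tq94idf4sjbem0rait7gv\n"
    "F9A9387F7D252842\tcity.kingston.\tr1qshoj05ji05ac6eoip02jovt6i2v0c\n"
    "F9A9387F7D252842\tcity.kingston.on.ca\n"
    # constructed: a later beacon from the same victim must not double-count it
    "F9A9387F7D252842\t2020-06-18T00:00:00.0000000Z, WindowsDefender_RUNNING\tmadeup0000000000000000\n"
    "76330B4D49BF7EC4\tLABELMAR\te8fh1ravufms0qpt00gudir2951udivf\n"
    "76330B4D49BF7EC4\t2020-05-30T12:30:00.0000000Z, ESET_RUNNING,ESET_STOPPED\tgp27ssesmvnpkgff7rc0eok\n"
    "76330B4D49BF7EC4\tLABELMARKET.ES\n"
    # constructed: a victim that pinged but reported no product status
    "A1B2C3D4E5F60718\t2020-06-01T00:00:00.0000000Z\tmadeup1111111111111111\n"
)


def parse_decoder_output(text):
    """Group decoder lines by GUID.

    Returns {guid: {"products": {name: set(states)}, "pings": [timestamps],
                    "fragments": [domain fragments], "domain": str or None}}.
    Lines that do not fit the assumed layout are skipped, not guessed at.
    """
    victims = defaultdict(lambda: {"products": defaultdict(set), "pings": [],
                                   "fragments": [], "domain": None})
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 2 or not GUID_RE.fullmatch(fields[0]):
            continue
        guid, payload = fields[0], fields[1].strip()
        v = victims[guid]
        if len(fields) == 2:                # summary line: reassembled domain
            v["domain"] = payload
            continue
        tokens = [t.strip() for t in payload.split(",")]
        if TIMESTAMP_RE.match(tokens[0]):   # ping, with optional AV status flags
            v["pings"].append(tokens[0])
            for tok in tokens[1:]:
                m = STATUS_RE.match(tok)
                if m:
                    v["products"][m.group(1)].add(m.group(2))
        else:                               # victim-domain fragment
            v["fragments"].append(payload)
    return dict(victims)


def product_counts(victims):
    """Number of distinct GUIDs that reported each product at all
    (RUNNING or STOPPED); this is the 'Count' column of the table."""
    counts = defaultdict(int)
    for v in victims.values():
        for product in v["products"]:
            counts[product] += 1
    return dict(counts)


def victims_without_status(victims):
    """GUIDs that pinged but never reported any product. Vendors SUNBURST
    does not check (Kaspersky, McAfee, Symantec, ...) look like this."""
    return sorted(g for g, v in victims.items()
                  if v["pings"] and not v["products"])


if __name__ == "__main__":
    victims = parse_decoder_output(SAMPLE_OUTPUT)
    for product, n in sorted(product_counts(victims).items()):
        print(f"{product:<20} {n}")
    print("no status reported:", victims_without_status(victims))
```

Feed it the real decoder output with `SunburstDomainDecoder.exe < uniq-hostnames.txt > decoded.txt` and `parse_decoder_output(open("decoded.txt").read())`. Counting GUIDs rather than lines matters because every beacon carries the product flags again; counting lines would inflate the numbers for victims that beaconed for weeks.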
Tags: #SunburstDomainDecoder #SUNBURST #SolarWinds #Solorigate #DNS #Windows Defender #Carbon Black #FireEye #ESET #F-Secure #C2 #beacon