{
	"id": "c9a4528f-32ba-426e-871d-504226ba59fa",
	"created_at": "2026-04-06T00:22:23.882567Z",
	"updated_at": "2026-04-10T03:22:39.308178Z",
	"deleted_at": null,
	"sha1_hash": "55b20ac061ecb691e02823e0eb80e40378b2b8ce",
	"title": "Detect SUNBURST Backdoor Attack With Corelight \u0026 Zeek | Corelight",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 263512,
	"plain_text": "Detect SUNBURST Backdoor Attack With Corelight \u0026 Zeek | Corelight\r\nBy John Gamble\r\nPublished: 2020-12-15 · Archived: 2026-04-05 18:48:05 UTC\r\nUPDATE 12-16-20: Corelight Resources\r\nWEBCAST RECORDING – Finding SolarWinds backdoors with Zeek, Suricata \u0026 Corelight – watch here\r\nWEBCAST SLIDE DECK – download link\r\nIOCs SPREADSHEET – Corelight/Zeek Queries Table – to hunt for Sunburst IOCs\r\n——————————————–\r\nFireEye’s threat research team has discovered a troubling new supply chain attack targeting SolarWinds’ Orion IT monitoring and management platform. The attack trojanizes Orion software updates to deliver malware called SUNBURST, which opens a stealthy backdoor for command-and-control and other malicious activity that blends in with Orion Improvement Program (OIP) protocol traffic.\r\nScott Runnels, a Mandiant researcher involved in the discovery, revealed that Zeek played a key role in FireEye’s investigation and discovery of this new threat:\r\nGiven the widespread use of the Orion software, we want to provide the community and our customers with some preliminary guidance on how to use Zeek and related tools to manually find and automatically detect this novel threat in their environment.\r\nWe will host a webinar this Wednesday, Dec. 16 to deep dive on these methods and tools, which include:\r\nZeek log queries: Network IOCs for this attack span a range of protocols parsed by Zeek, including DNS, HTTP, and X509 certificates. Targeted queries in your SIEM against Zeek logs can reveal potential evidence of compromise related to this attack, for example:\r\nSigma rules/queries: Community-developed Sigma rules to detect SUNBURST are available in SOC Prime’s Threat Detection Marketplace, which you can access here. Corelight customers with supported SIEM platforms (Splunk, Elastic, Humio, QRadar, ArcSight, Chronicle, et al.) can copy/paste the queries and/or detections directly into their SIEM environment.\r\nSuricata Rules in ET Open Ruleset: Proofpoint Emerging Threats has added detections as Suricata rules in their latest ET Open Ruleset release, which you can download here. Corelight customers with AP 200, AP 1001, and/or AP 3000 Sensors and a Suricata subscription can download and run these rules on their sensors.\r\nAgain, we will host a webinar on Wednesday, Dec. 16 at 7a PST / 10a EST / 3p GMT to deep dive on these methods and tools.\r\nIf you would like to attend, please register here: https://www3.corelight.com/finding-sunburst-solarwinds-zeek-suricata\r\nSource: https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/"
	],
	"report_names": [
		"finding-sunburst-backdoor-with-zeek-logs-and-corelight"
	],
	"threat_actors": [
		{
			"id": "08c8f238-1df5-4e75-b4d8-276ebead502d",
			"created_at": "2023-01-06T13:46:39.344081Z",
			"updated_at": "2026-04-10T02:00:03.294222Z",
			"deleted_at": null,
			"main_name": "Copy-Paste",
			"aliases": [],
			"source_name": "MISPGALAXY:Copy-Paste",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434943,
	"ts_updated_at": 1775791359,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/55b20ac061ecb691e02823e0eb80e40378b2b8ce.pdf",
		"text": "https://archive.orkl.eu/55b20ac061ecb691e02823e0eb80e40378b2b8ce.txt",
		"img": "https://archive.orkl.eu/55b20ac061ecb691e02823e0eb80e40378b2b8ce.jpg"
	}
}