{
	"id": "57a53949-6490-4b55-9456-a5e33e4925df",
	"created_at": "2026-04-06T00:13:46.660921Z",
	"updated_at": "2026-04-10T03:21:42.365766Z",
	"deleted_at": null,
	"sha1_hash": "8fa2e8fd80fdba57a1b475abea20402801b492dc",
	"title": "Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85824,
	"plain_text": "Tactics, Techniques, and Procedures (TTPs) Used in the SolarWinds Breach\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2020-12-15 · Archived: 2026-04-05 17:11:37 UTC\r\nEXECUTIVE SUMMARY\r\nSolarWinds announced on Sunday that the SolarWinds Orion Platform network monitoring product had been modified by a state-sponsored threat actor, who embedded backdoor code into a legitimate SolarWinds library. This gives the attacker remote access to the victim’s environment and a foothold in the network, which can be used to obtain privileged credentials. The SolarWinds breach is also connected to the FireEye breach. In this article, we analyzed the tactics, techniques, and procedures used by the threat actors of the SolarWinds incident to understand their attack methods and the impact of this breach.\r\nKey Findings\r\nIt is a global attack campaign that started in March 2020 and is ongoing.\r\nThe attack campaign has the potential to affect thousands of public and private organizations.\r\nThe attack started with a software supply chain compromise.\r\nThreat actors trojanized a component of the SolarWinds Orion Platform software; FireEye dubbed the backdoored component SUNBURST [1].\r\nThe backdoored version of the software was distributed via its automatic update mechanism.\r\nAttackers heavily used various defense evasion techniques such as masquerading, code signing, obfuscated files or information, indicator removal on host, and virtualization/sandbox evasion.\r\nThe threat actor leverages ten different MITRE ATT\u0026CK tactics, including Lateral Movement, Command and Control, and Data Exfiltration.\r\nThe techniques used indicate that the threat actors are highly skilled.\r\nTactics, Techniques, and Procedures Used in the SolarWinds Breach (Mapped to the MITRE ATT\u0026CK Framework)\r\nOur analysis uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT\u0026CK®) version 8.1 framework. 
See ATT\u0026CK for Enterprise version 8.1 for all referenced threat actor tactics and techniques.\r\n1. Resource Development\r\n1.1. T1587.001 Develop Capabilities: Malware\r\nAdversaries create malware and malware components, such as payloads, droppers, backdoors, and post-compromise tools, before compromising a victim [2]. They may create malware from scratch or use publicly available tools.\r\nhttps://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach\r\nPage 1 of 6\n\nIn the SolarWinds incident, attackers embedded their malicious payload in a legitimate component of the SolarWinds Orion Platform software. This component is a DLL library, SolarWinds.Orion.Core.BusinessLayer.dll. FireEye named the backdoored version of the DLL file SUNBURST [1]. The SUNBURST backdoor delivers different payloads, such as a previously unseen memory-only dropper dubbed TEARDROP by FireEye [1]. The TEARDROP dropper deploys an infamous post-compromise tool, Cobalt Strike Beacon. Apparently, attackers used Beacon in the FireEye breach and stole FireEye’s Red Team tools, which include Beacon.\r\n1.2. T1583.003 Acquire Infrastructure: Virtual Private Server\r\nIn this MITRE ATT\u0026CK technique, adversaries rent Virtual Private Servers (VPSs) that can be used during the attack campaign [3]. According to the FireEye research, the threat actor leverages VPSs so that it uses only IP addresses originating from the same country as the victim [1]. FireEye has provided two YARA rules to detect TEARDROP, available on GitHub [4].\r\n2. Initial Access\r\n2.1. 
T1195.002 Supply Chain Compromise: Compromise Software Supply Chain\r\nIn the software supply chain compromise technique, adversaries modify software prior to receipt by the final user by manipulating the software's:\r\nsource code\r\nsource code repositories (public or private)\r\nopen-source dependencies' source code\r\nbuild \u0026 distribution systems\r\nupdate mechanism\r\ndevelopment environment, or\r\ncompiled release [5]\r\nIn the SolarWinds Orion breach, adversaries embedded malicious code into a SolarWinds library file, SolarWinds.Orion.Core.BusinessLayer.dll. According to the SolarWinds security advisory, attackers backdoored three versions of the Orion Platform software: 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1 [6].\r\nHowever, it is not clear how the attackers were able to tamper with this file. According to Microsoft's research, adversaries might have compromised and manipulated build or distribution systems and embedded the malicious code there [7]. Another claim is that attackers might have uploaded the malicious DLL file to the SolarWinds source code repository using leaked FTP credentials [8].\r\nThe backdoored SolarWinds Orion Platform software update file that includes the malicious DLL was distributed via the platform's automatic update mechanism. 
\r\nAs a countermeasure, check whether the manipulated SolarWinds.Orion.Core.BusinessLayer.dll file exists in the following locations:\r\n%PROGRAMFILES%\\SolarWinds\\Orion\\\r\n%WINDIR%\\System32\\config\\systemprofile\\AppData\\Local\\assembly\\tmp\\\u003crandom\u003e\\\r\nIf the DLL has one of the following SHA256 hashes, it is a manipulated and malicious version [7]:\r\n32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77\r\ndab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b\r\neb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed\r\nc09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77\r\nac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c\r\n019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\r\nce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\r\na25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc\r\nThen, scan the above folders with up-to-date antivirus products, and run EDRs to detect maliciously tampered SolarWinds files and their (potentially) anomalous behavior.\r\n3. Execution\r\n3.1. T1569.002 System Services: Service Execution\r\nIn this MITRE ATT\u0026CK technique, adversaries execute their malware as a Windows service [6]. During the installation of the SolarWinds application or update, the tampered DLL file is loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe and installed as a Windows service.\r\n4. Persistence\r\n4.1. T1543.003 Create or Modify System Process: Windows Service\r\nAs part of persistence, adversaries can create or change Windows services to repeatedly execute malicious payloads [4], [9]. When Windows boots up, the malicious code starts as a service. The TEARDROP malware loaded by the modified DLL runs as a service in the background.\r\n5. Privilege Escalation\r\n5.1. 
T1078 Valid Accounts\r\nAccording to this MITRE ATT\u0026CK technique, adversaries may obtain and abuse legitimate credentials to gain Initial Access, Persistence, Privilege Escalation, Defense Evasion, or Lateral Movement [10]. Threat actors use multiple valid accounts for lateral movement in this attack campaign [1].\r\n6. Defense Evasion\r\n6.1. T1553.002 Subvert Trust Controls: Code Signing\r\nTo bypass application control technologies, adversaries sign their malware with valid signatures by creating, acquiring, or stealing code-signing materials [11].\r\nIn the SolarWinds incident, attackers compromised SolarWinds' digital certificates.\r\nRemove the compromised SolarWinds certificates:\r\n\"Signer\": \"Solarwinds Worldwide LLC\"\r\n\"SignerHash\": \"47d92d49e6f7f296260da1af355f941eb25360c4\"\r\n6.2. T1036.005 Masquerading: Match Legitimate Name or Location\r\nAs a defense evasion technique, adversaries replace features of their malicious artifacts with legitimate and trusted ones. Code signatures, the names and locations of malware files, and the names of tasks and services are some examples of these features. After masquerading, adversaries' malicious artifacts, such as malware files, appear legitimate to users and security controls [12]. You can read our blog post to find out more about the masquerading technique.\r\nAccording to the FireEye report, the threat actor of the SolarWinds breach uses a legitimate hostname found within the victim’s environment as the hostname on their Command and Control (C2) infrastructure to avoid detection [1]. Moreover, the malware masquerades its C2 traffic as the Orion Improvement Program (OIP) protocol [1].\r\n6.3. T1036.003 Masquerading: Rename System Utilities\r\nTo avoid name-based detection, adversaries may rename system utilities. 
Moreover, the threat actor replaces a legitimate utility with their own, executes their payload, and then restores the legitimate original file [1].\r\n6.4. T1036.004 Masquerading: Masquerade Task or Service\r\nAdversaries give a task/service the name of a legitimate task/service to make it appear benign and evade detection [12]. Adversaries commonly use names identical or similar to those of legitimate tasks/services executed by the Windows Task Scheduler, at (Linux and Windows), Windows services, and Linux systemd services.\r\n6.5. T1497.003 Virtualization/Sandbox Evasion: Time Based Evasion\r\nAdversaries employ various time-based evasion methods, such as delaying malware functionality upon initial execution, to avoid virtualization and analysis environments [13]. In the SolarWinds case, attackers delay Command and Control communication until two weeks after the installation.\r\n6.6. T1027.003 Obfuscated Files or Information: Steganography\r\nIn this MITRE ATT\u0026CK technique, adversaries hide data in digital media such as images, audio, video, and text to prevent the detection of the hidden information [14]. The TEARDROP malware used in the breach reads from the file gracious_truth.jpg, which includes a malicious payload.\r\n6.7. T1070.004 Indicator Removal on Host: File Deletion\r\nAdversaries delete their malicious files to clear traces and minimize their footprint, avoiding detection and inspection [15]. The threat actor removes their malicious files, including backdoors, after gaining remote access [1].\r\n7. Discovery\r\n7.1. T1057 Process Discovery\r\nAdversaries obtain information about running processes on a system to understand common software and applications running on systems within the network [16]. 
The threat actor gets a list of processes to shape follow-on behaviors [1].\r\n7.2. T1012 Query Registry\r\nAdversaries query the Windows Registry to get information about the system, configuration, and installed software [17]. The threat actor obtains the Cryptographic Machine GUID by querying the value of MachineGuid in the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography key to generate a unique user ID for each victim.\r\n8. Lateral Movement\r\n8.1. T1021 Remote Services\r\nIn this MITRE ATT\u0026CK technique, adversaries use valid accounts to log into a remote service, such as Remote Desktop Protocol (RDP), SSH, and VNC. The threat actor uses valid accounts and legitimate remote access to move laterally in the target network.\r\n9. Command and Control\r\n9.1. T1071.001 Application Layer Protocol: Web Protocols\r\nAccording to this technique, adversaries communicate using application layer (L7) protocols and blend Command and Control traffic with existing web traffic to avoid detection and network filtering [18]. The malware used in this breach utilizes:\r\nHTTP GET or HEAD requests when data is requested\r\nHTTP PUT or HTTP POST requests when data is sent [1].\r\nThe malicious DLL uses the avsvmcloud.com domain to call out to remote network infrastructure [7]. Block this domain and check network connection logs.\r\n9.2. T1568.002 Dynamic Resolution: Domain Generation Algorithms\r\nAdversaries use Domain Generation Algorithms (DGAs) to dynamically generate a C2 domain rather than relying on a list of static IP addresses or domains [19]. The backdoor used in this attack campaign uses a DGA to determine its C2 server [1].\r\n10. Exfiltration\r\n10.1. T1041 Exfiltration Over C2 Channel\r\nIn this MITRE ATT\u0026CK technique, adversaries steal data by exfiltrating it over an existing C2 channel [20]. 
The threat actor uses HTTP PUT or HTTP POST requests when the collected data is exfiltrated to the C2 server [1]. If the payload is bigger than 10000 bytes, the POST method is used. Otherwise, the PUT method is used.\r\nReferences\r\n[1] FireEye, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.” https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html. [Accessed: 15-Dec-2020]\r\n[2] “Develop Capabilities: Malware.” https://attack.mitre.org/techniques/T1587/001/. [Accessed: 15-Dec-2020]\r\n[3] “Acquire Infrastructure: Virtual Private Server.” https://attack.mitre.org/techniques/T1583/003/. [Accessed: 15-Dec-2020]\r\n[4] fireeye, “fireeye/sunburst_countermeasures.” https://github.com/fireeye/sunburst_countermeasures. [Accessed: 15-Dec-2020]\r\n[5] “Supply Chain Compromise: Compromise Software Supply Chain.” https://attack.mitre.org/techniques/T1195/002/.\r\n[6] “System Services: Service Execution.” https://attack.mitre.org/techniques/T1569/002/.\r\n[7] msrc, “Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center.” https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks.\r\n[8] “[No title].” https://twitter.com/vinodsparrow/status/1338431183588188160?s=20.\r\n[9] “Create or Modify System Process: Windows Service.” https://attack.mitre.org/techniques/T1543/003/.\r\n[10] “Valid Accounts.” https://attack.mitre.org/techniques/T1078/.\r\n[11] “Subvert Trust Controls: Code Signing.” https://attack.mitre.org/techniques/T1553/002/.\r\n[12] “MITRE ATT\u0026CK T1036 Masquerading.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading.\r\n[13] “Virtualization/Sandbox Evasion: Time Based Evasion.” https://attack.mitre.org/techniques/T1497/003/. 
\r\n[14] “Obfuscated Files or Information: Steganography.” https://attack.mitre.org/techniques/T1027/003/.\r\n[15] “Indicator Removal on Host: File Deletion.” https://attack.mitre.org/techniques/T1070/004/.\r\n[16] “Process Discovery.” https://attack.mitre.org/techniques/T1057/.\r\n[17] “Query Registry.” https://attack.mitre.org/techniques/T1012/.\r\n[18] “Application Layer Protocol: Web Protocols.” https://attack.mitre.org/techniques/T1071/001/.\r\n[19] “Dynamic Resolution: Domain Generation Algorithms.” https://attack.mitre.org/techniques/T1568/002/.\r\n[20] “Exfiltration Over C2 Channel.” https://attack.mitre.org/techniques/T1041/.\r\nSource: https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach"
	],
	"report_names": [
		"ttps-used-in-the-solarwinds-breach"
	],
	"threat_actors": [],
	"ts_created_at": 1775434426,
	"ts_updated_at": 1775791302,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8fa2e8fd80fdba57a1b475abea20402801b492dc.pdf",
		"text": "https://archive.orkl.eu/8fa2e8fd80fdba57a1b475abea20402801b492dc.txt",
		"img": "https://archive.orkl.eu/8fa2e8fd80fdba57a1b475abea20402801b492dc.jpg"
	}
}