SolarWinds SUNBURST Backdoor: Inside the APT Campaign -
SentinelLabs
By James Haughom
Published: 2020-12-18 · Archived: 2026-04-05 13:51:45 UTC
Key findings:
Without any updates, SentinelOne customers are protected from SUNBURST; additionally, our customers
have been supplied bespoke in-product hunting packs for real-time artifact observability.
The malware deployed through the SolarWinds Orion platform waits 12 days before it executes. This
common phenomenon is a prime example of why lengthy EDR data retention is critical.
After the 12-day dormant period, SUNBURST’s malicious code looks for processes, services, and drivers.
You can find each list at the end of this research.
List of processes: includes mostly monitoring tools like Sysinternals and researchers tools. If they
are seen, SUNBURST exits and does not run.
List of services: includes security products that have weak anti-tamper measures. SUNBURST
goes to the registry and tries to disable them. The backdoor may have bypassed these products, or at
least tried to. SentinelOne is not on this list, and even if it was, SentinelOne’s anti-tamper capability
protects from such attempts (without any special configuration needed).
List of drivers: The third list is shorter and includes a list of drivers; among them is SentinelOne.
When SUNBURST sees the drivers, it exits before initiating any C2 communication or enabling
additional payloads.
The following analysis demonstrates the above key findings.
Reversing SUNBURST
Interesting functionality resides within the UpdateNotification() and Update() methods; more specifically,
the true payload lies within an important while() loop. 
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 1 of 11

The TrackProcesses() method (called both by Update and UpdateNotification ) is responsible for querying
the running processes on the victim’s machine to find process, service, and driver names of interest. This routine
will get a list of running process objects, then pass it to three methods below for identifying blacklisted
processes/services. These methods will return true if a blacklisted process/service is found, causing the malware to
break out of the Update() loop.
The hash of each process name is calculated, and then checked against a blacklist of hardcoded hashes. If the
calculated hash is present in the blacklist, this method will return true.
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 2 of 11

In the SearchServices() method, the malware leverages the same hashing technique to identify services of
interest, then tries to manually disable the service through modifying its registry key.
Below, the SetValue() method is used with argument 4 for the Start entry, thus disabling the service through
the registry.
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 3 of 11

In order to ensure that this works as intended, the malware attempts to take ownership of the registry key before
disabling the service.
Lastly, SearchConfigurations() is used to identify blacklisted drivers.  This is performed through the WMI
query – Select * From Win32_SystemDriver , which is obfuscated in the below screenshot as
C07NSU0uUdBScCvKz1UIz8wzNooPriwuSc11KcosSy0CAA==. The file name is obtained for each driver, and
if this driver is found in the blacklist, this method will return true. As mentioned before, returning true causes the
malware to break out of the Update() loop prior to initiating the true backdoor code.  Our driver
SentinelMonitor.sys is hardcoded in the blacklist, meaning that the malware will not fully execute its payload
on endpoints protected by SentinelOne so long as our driver is loaded.
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 4 of 11

If this blacklist check is passed, only then is the backdoor code initiated. The first interesting action the backdoor
code takes is to call out to C2 to receive instructions/commands that will be parsed and passed to the job engine. 
This C2 callout is to a URL generated at runtime by the malware’s DGA, which will end up being a subdomain of
avsvmcloud[.]com.  We have observed no endpoints monitored by SentinelOne calling out to any subdomain of
*.avsvmcloud[.]com.
During the research, we extracted all hashes from the malware, then calculated components in our agent found in
C:Program FilesSentinelOne* to match.  The only SentinelOne-related hash found was the driver name that
FireEye shared.
Snip of hardcoded hashes extracted from the malware:
Hashing function extracted from the malware:
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 5 of 11

Results of the tool:
> .fnva_hash_s1.exe
12343334044036541897 matched --> SentinelMonitor.sys
List of processes: SunBurst Exits
apimonitor-x64
apimonitor-x86
autopsy64
autopsy
autoruns64
autoruns
autorunsc64
autorunsc
binaryninja
blacklight
cff
cutter
de4dot
debugview
diskmon
dnsd
dnspy
dotpeek32
dotpeek64
dumpcap
evidence
exeinfope
fakedns
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 6 of 11

fakenet
ffdec
fiddler
fileinsight
floss
gdb
*NO MATCH*
hiew32
*NO MATCH*
idaq64
idaq
idr
ildasm
ilspy
jd-gui
lordpe
officemalscanner
ollydbg
pdfstreamdumper
pe-bear
pebrowse64
peid
pe-sieve32
pe-sieve64
pestudio
peview
pexplorer
ppee
ppee
procdump64
procdump
processhacker
procexp64
procexp
procmon
prodiscoverbasic
py2exedecompiler
r2agent
rabin2
radare2
ramcapture64
ramcapture
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 7 of 11

reflector
regmon
resourcehacker
retdec-ar-extractor
retdec-bin2llvmir
retdec-bin2pat
retdec-config
retdec-fileinfo
retdec-getsig
retdec-idr2pat
retdec-llvmir2hll
retdec-macho-extractor
retdec-pat2yara
retdec-stacofin
retdec-unpacker
retdec-yarac
rundotnetdll
sbiesvc
scdbg
scylla_x64
scylla_x86
shellcode_launcher
solarwindsdiagnostics
sysmon64
sysmon
task
task
tcpdump
tcpvcon
tcpview
vboxservice
win32_remote
win64_remotex64
windbg
windump
winhex64
winhex
winobj
wireshark
x32dbg
x64dbg
xwforensics64
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 8 of 11

xwforensics
redcloak
avgsvc
avgui
avgsvca
avgidsagent
avgsvcx
avgwdsvcx
avgadminclientservice
afwserv
avastui
avastsvc
aswidsagent
aswidsagenta
aswengsrv
avastavwrapper
bccavsvc
psanhost
psuaservice
psuamain
avp
avpui
ksde
ksdeui
tanium
taniumclient
taniumdetectengine
taniumendpointindex
taniumtracecli
taniumtracewebsocketclient64
List of services: SunBurst tries to bypass
The list includes Windows Defender, Carbon Black, CrowdStrike, FireEye, ESET, F-SECURE, and more.
apimonitor-x64
apimonitor-x86
autopsy64
autopsy
autoruns64
autoruns
fsgk32st
fswebuid
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 9 of 11

fsgk32
fsma32
fssm32
fnrb32
fsaua
fsorsp
fsav32
ekrn
eguiproxy
egui
xagt
xagtnotif
csfalconservice
csfalconcontainer
cavp
cb
mssense
msmpeng
windefend
sense
carbonblack
carbonblackk
cbcomms
cbstream
csagent
csfalconservice
xagt
fe_avk
fekern
feelam
eamonm
eelam
ehdrv
ekrn
ekrnepfw
epfwwfp
ekbdflt
epfw
fsaua
fsma
fsbts
fsni
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 10 of 11

fsvista
fses
fsfw
fsdfw
fsaus
fsms
fsdevcon
List of drivers: SunBurst Exits
cybkerneltracker.sys
atrsdfw.sys
eaw.sys
rvsavd.sys
dgdmk.sys
sentinelmonitor.sys
hexisfsmonitor.sys
groundling32.sys
groundling64.sys
safe-agent.sys
crexecprev.sys
psepfilter.sys
cve.sys
brfilter.sys
brcow_x_x_x_x.sys
lragentmf.sys
libwamf.sys
IOCs/Hunt:
1. Search for the presence of the Injected class of weaponized DLL on OrionImprovementBusinessLayer class
in the SolarWinds.Orion.Core.BusinessLayer namespace –  Indicates weaponized .NET assembly/DLL
2. Hardcoded named pipe name 583da945-62af-10e8-4902-a8f205c72b2e – Does not indicate that the
backdoor code was initiated, but is the first action taken after the 12-14 day dormant period.
3. Review proxy/web gateway logs for traffic to subdomains of this domain.  This indicates that the backdoor
code was indeed executed – avsvmcloud[.]com
4. Executed during blacklist check routine in the context of the process businesslayerhost.exe :
Select * From Win32_SystemDriver – WMI query to identify blacklisted drivers
Source: https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
Page 11 of 11