{
	"id": "d3fed875-ad41-406a-ba10-8671f1e33a44",
	"created_at": "2026-04-06T00:13:51.161632Z",
	"updated_at": "2026-04-10T03:21:58.822413Z",
	"deleted_at": null,
	"sha1_hash": "a55a624d98fda2430fe50c5449641f3ca68aaf59",
	"title": "SUNBURST indicator detection in QRadar",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1426615,
	"plain_text": "SUNBURST indicator detection in QRadar\r\nArchived: 2026-04-05 15:11:51 UTC\r\nThis week, and based on current information as of the time of publication, SolarWinds announced a cyberattack that inserted\r\na vulnerability into the SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix\r\ninstalled, and 2020.2 HF 1. This vulnerability could enable an attacker to compromise the server(s) on which SolarWinds\r\nruns, and thus gain a foothold in the victim’s network. Post-compromise, the attacker can conduct lateral movement, data\r\nexfiltration and other threat activity.\r\nThe United States Cybersecurity and Infrastructure Security Agency (CISA) has published Emergency Directive 21-101,\r\nadvising Federal agencies to disconnect or power down all SolarWinds Orion products until further notice.\r\nAs with the ‘FireEye Red Team Tools detection in QRadar’ blog, in this blog we’ll provide guidance that can help you use\r\nQRadar to respond quickly.\r\nThis blog will cover the following topics and content extensions:\r\nThreat Intelligence\r\n  IBM QRadar Threat Intelligence App\r\nSnort Rules\r\n  IBM Security QRadar Custom Properties for Snort\r\nMD5, SHA-1 and SHA-256\r\n  IBM QRadar Custom Properties for Microsoft Windows\r\n  IBM QRadar Custom Properties for Cisco AMP\r\n  IBM QRadar Custom Properties for McAfee EPO\r\n  IBM QRadar Custom Properties for Windows Defender ATP\r\n  IBM QRadar Custom Properties for Carbon Black Response\r\nPipe creation and Sysmon\r\n  IBM QRadar Custom Properties for Microsoft Windows\r\nEndpoint content extension\r\n  IBM QRadar Endpoint Content Extension\r\n  IBM QRadar Custom Properties for Microsoft Windows\r\n  IBM QRadar Custom Properties for Linux\r\nThreat Monitoring Content Extension\r\n  IBM QRadar Security Threat Monitoring Content Extension\r\nThreat Intelligence\r\nIBM Security X-Force researchers published a collection of IOCs, including malicious file hashes, IP addresses and URLs,\r\nconnected to this ongoing threat. These IOCs can easily be brought into QRadar using the Threat Intelligence App, which\r\ncan be downloaded either from the IBM Security App Exchange or natively via the QRadar Assistant. Threat indicators can be\r\nadded to a reference set so that they can be used within building blocks, rules and searches to detect the presence of these\r\nIOCs within your environment. Public X-Force Collections, including this one, are free to existing QRadar customers.\r\nQRadar customers who also subscribe to the IBM Security X-Force Advanced Threat Protection Feed have access to a built-in “Am I Affected?” feature within the Threat Intelligence app. This tool can be used in tandem with other forms of threat\r\nintelligence that may become available in this developing situation to help assess known IOCs. With this subscription, new\r\nX-Force collections are loaded directly into QRadar, and users can simply click ‘Scan now’ to automatically search for all\r\nIOCs associated with a collection. The query results will show you which systems and users may have been connected to\r\nthis threat, helping you initiate investigation, remediation and response.\r\nhttps://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar\r\nPage 1 of 6\n\nIf you do not currently subscribe to the Advanced Threat Protection Feed, a 30-day free trial is available.\r\nSnort Rules\r\nOnce again, the FireEye and Cisco Talos teams provided a new set of Snort rules to implement. QRadar users can easily create a\r\nnew rule based on these signatures, correlate these insights with other events, or optionally be alerted directly via email. The\r\nsteps to implement this are:\r\n1. Install the IBM Security QRadar Custom Properties for Snort content extension\r\n2. Create a new Event rule\r\nApply Sunburst - Snort Rules on events which are detected by the Local system\r\nand when the event(s) were detected by one or more of Snort Open Source IDS\r\nand when the event matches \"Rule ID\" in\r\n(77600832,77600833,77600842,77600843,77600844,77600845,77600846,77600847,77600848,77600850,77600851,77600852,77600853,77600854,7760\r\n77600840,77600863,77600864,77600865,77600837,77600856,77600857,77600858,77600859,77600860,77600866,56660,56661,56662,56663,56664,56\r\nAQL filter query\r\nMD5, SHA-1 and SHA-256\r\nAs discussed previously, file hashes are a great source to improve threat detection. Once again, you can have a quick\r\nimplementation by enabling detection with MD5, SHA-1 and SHA-256 through three reference sets and one custom rule.\r\n1. Create three Reference Sets, one per hash type, and populate them with the Sunburst_md5, Sunburst_sha1,\r\nSunburst_sha256 files (comma separated).\r\n2. Install content extensions containing Hash properties or create your own.\r\nOn the App Exchange, you can find MD5, SHA-1 and SHA-256 parsed for the following devices:\r\nCarbon Black Response, Cisco AMP, McAfee ePolicy Orchestrator, Microsoft Windows Defender ATP, Microsoft\r\nWindows Security Event Log\r\n3. Create a rule that tests the Custom Properties MD5 Hash, Parent MD5, SHA1 Hash, Parent SHA1 Hash, SHA256\r\nHash, Parent SHA256 Hash against the new Reference Sets.\r\nApply Sunburst - Tools Hash on events which are detected by the Local system\r\nand when the event(s) were detected by one or more of Carbon Black Response, Cisco AMP, McAfee ePolicy\r\nOrchestrator, Microsoft Windows Defender ATP, Microsoft Windows Security Event Log\r\nand when the event matches\r\n(\"MD5 Hash\" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - MD5', \"MD5 Hash\"))\r\nOR (\"Parent MD5\" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - MD5', \"Parent MD5\"))\r\nOR (\"SHA1 Hash\" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA1', \"SHA1 Hash\"))\r\nOR (\"Parent SHA1 Hash\" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA1', \"Parent SHA1 Hash\"))\r\nOR (\"SHA256 Hash\" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA256', \"SHA256 Hash\"))\r\nOR (\"Parent SHA256 Hash\" IS NOT NULL AND REFERENCESETCONTAINS('Sunburst - SHA256', \"Parent SHA256 Hash\"))\r\nAQL filter query\r\nMake sure each parent hash is tested against the reference set of its own hash type (Parent SHA1 Hash against 'Sunburst - SHA1', not 'Sunburst - MD5'); a SHA-1 value will never be found in the MD5 set, so a mismatched clause can never fire.\r\nPipe creation and Sysmon\r\nIn the blog published by FireEye regarding SUNBURST, there is a mention of the creation of a pipe named 583da945-62af-10e8-4902-a8f205c72b2e as one of the “delivery and installation” mechanisms:\r\nSource: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With\r\nSUNBURST Backdoor\r\nIf you are collecting Sysmon logs, you have another quick way to detect this IOC.\r\n1. Download the IBM QRadar Custom Properties for Microsoft Windows content extension\r\n2. Create a rule that detects the pipe name mentioned in the blog\r\nApply Sunburst - Pipe Name on events which are detected by the Local system\r\nand when the event(s) were detected by one or more of Microsoft Windows Security Event Log\r\nand when the event QID is one of the following (5001836) PipeEvent (Pipe Created)\r\nand when the event matches PipeName (custom) is any of 583da945-62af-10e8-4902-a8f205c72b2e\r\nEndpoint content extension\r\nThis time I will be quick with this one, but I wanted to renew my recommendation to download the latest version of the\r\nEndpoint content pack.\r\nThe pack has been built to detect lateral movement and reconnaissance tools, and to help distinguish a legitimate\r\nadministration task from a suspicious one. All of these behaviours have been mentioned in the blogs you’ve read on the\r\ntopic so far.\r\nBelow is the list of the rules (excluding building blocks) present in the Endpoint content extension:\r\nAttempt to Delete Shadow Copies\r\nCobalt Strike Behaviour Detected\r\nCommunication with a Potential Hostile Host\r\nCommunication with a Potential Hostile IP Address\r\nCredential Dumping Activities Discovered\r\nCritical File Deleted (Unix)\r\nCritical File Permission Changed (Unix)\r\nCritical Security Tool Killed (Unix)\r\nCritical Security Tool Stopped\r\nDetection of Malicious File or Process\r\nDetection of Malicious IOC\r\nExcessive Failed Access to an Administrative Share from the Same Source\r\nExcessive File Deletion and Creation\r\nExcessive Login Failures via RDP\r\nExcessive Login Failures via RDP to Multiple Machines\r\nExcessive Nslookup Usage\r\nFile Created with Right to Left Override\r\nFile Created with Space After Filename\r\nFile Decode or Download followed by Suspicious Activity\r\nPotential Component Object Model (COM) Hijacking\r\nPotential DLL Hijacking\r\nPotential Malicious Application Shimming\r\nProcess Masquerading (Unix)\r\nProcess Masquerading (Windows)\r\nProgramming Environment Spawned by a Suspicious Process\r\nRansomware Decryption Instructions Created\r\nRansomware Encrypted File Extension\r\nRansomware IOCs Detected on Multiple Machines\r\nRansomware: BadRabbit IOC in Events\r\nRansomware: BadRabbit IOC in Flows\r\nRansomware: Maze IOC in Events\r\nRansomware: Maze Suspicious File Transfer\r\nRansomware: Petya / NotPetya IOC in Events\r\nRansomware: Petya / NotPetya IOC in Flows\r\nRansomware: Petya / NotPetya Payload in Flows\r\nRansomware: REvil IOC in Events\r\nRansomware: WCry IOC in Events\r\nRansomware: WCry IOC in Flows\r\nRansomware: WCry Payload in Flows\r\nRDP Hijacking Tool Detected\r\nRecommended Blocked Process is Running\r\nReconnaissance Tool Detected\r\nRecovery Disabled in Boot Configuration Data\r\nSearch for Password Files using findstr (Windows)\r\nSearch for Password Files using grep or find (Unix)\r\nSearch for Password Files using Select-String (Windows)\r\nSharpHound PowerShell Detected\r\nSuspicious Activity Followed by Endpoint Administration Task\r\nSuspicious Amount of Files Deleted on the Same Machine\r\nSuspicious Amount of Files Renamed on the Same Machine (Windows)\r\nSuspicious Amount of Files Renamed/Moved on the Same Machine (Unix)\r\nUser Account Creation followed by Account Deletion (Unix)\r\nUser Account Creation followed by Account Deletion (Windows)\r\nAll these rules provide a wide spectrum of detection capabilities.\r\nPlease refer to the documentation for more information on each rule. You can also refer to the Endpoint dedicated blog to\r\nhave a better understanding of the implementation of some use cases.\r\nThreat Monitoring Content Extension\r\nThe multi-task pack! This pack is mentioned last in this blog because it is certainly going to need some tuning to be adapted\r\nto what you are looking for, but it is definitely a good starting point.\r\nAs an example, thanks to your endpoint security software, you can increase visibility on a threat spreading through the\r\nnetwork. Indeed, this extension contains a series of rules alerting on security software detections.\r\nAll you have to do is:\r\n1. Ensure your device is listed in one of the BB:DeviceDefinition: AV/AM or BB:DeviceDefinition: IDS / IPS Building\r\nBlocks\r\n2. Get the Threat Name parsed, either by downloading one of our content extensions or by creating your own extraction.\r\nYou can decide to duplicate the rules to focus the detection on SUNBURST specifically, and have a higher priority rule\r\nresponse (email, SNMP trap, vulnerability scan). Simply add a new filter to the original rule, catching the specific Threat\r\nName reported by your product:\r\nand when the event matches Threat Name (custom) is any of Backdoor.Sunburst\r\nPlease refer to your product documentation for more information on the relevant detection name.\r\nConclusion\r\nThe above steps can enable you to easily take advantage of the publicly available IOCs and countermeasures to detect\r\nindicators of the SUNBURST threat within your environment. All of the QRadar apps, custom properties and content\r\nextensions mentioned above are available free of charge to all QRadar customers and can be downloaded either from the\r\nIBM Security App Exchange or natively via QRadar Assistant.\r\nAs usual, we build content for you to save you time and effort, content that you can use as a base and adapt to your\r\nenvironment and your needs. Don't hesitate to give us any feedback or ideas, tell us what you need.\r\nIf you are directly impacted and in need of expert assistance, you can contact the IBM Security X-Force Incident Response\r\nteam, who is available to assist 24×7, at US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.\r\nSource: https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar"
	],
	"report_names": [
		"sunburst-indicator-detection-in-qradar"
	],
	"threat_actors": [],
	"ts_created_at": 1775434431,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a55a624d98fda2430fe50c5449641f3ca68aaf59.pdf",
		"text": "https://archive.orkl.eu/a55a624d98fda2430fe50c5449641f3ca68aaf59.txt",
		"img": "https://archive.orkl.eu/a55a624d98fda2430fe50c5449641f3ca68aaf59.jpg"
	}
}