{
	"id": "49b626ef-6d42-4f7d-9b09-9747654802dc",
	"created_at": "2026-04-06T00:18:09.056612Z",
	"updated_at": "2026-04-10T03:21:25.940831Z",
	"deleted_at": null,
	"sha1_hash": "a5648fcc40d09548deb49337cca814af1ed6bd53",
	"title": "Extracting Security Products from SUNBURST DNS Beacons",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56970,
	"plain_text": "Extracting Security Products from SUNBURST DNS Beacons\r\nBy Erik Hjelmvik\r\nPublished: 2020-12-29 · Archived: 2026-04-05 22:19:49 UTC\r\nTuesday, 29 December 2020 09:38:00 (UTC/GMT)\r\nThe latest version of our SunburstDomainDecoder (v1.7) can be used to reveal which endpoint protection applications are installed on trojanized SolarWinds Orion deployments. The security application info is extracted from DNS queries for \"avsvmcloud.com\" subdomains, a domain that SUNBURST uses as a beacon and C2 channel.\r\nHere's an example showing that the City of Kingston, Ontario, Canada was running Windows Defender on its trojanized SolarWinds deployment back in June:\r\nC:\\\u003e SunburstDomainDecoder.exe \u003c uniq-hostnames.txt | findstr F9A9387F7D252842\r\nF9A9387F7D252842 2020-06-16T00:00:00.0000000Z,WindowsDefender_RUNNING,WindowsDefender_STOPPED lt5ai41qh5d53qoti3mkmc0\r\nF9A9387F7D252842 on.ca olc62cocacn7u2q22v02eu\r\nF9A9387F7D252842 2020-06-17T00:00:00.0000000Z q94idf4sjbem0rait7gv\r\nF9A9387F7D252842 city.kingston. r1qshoj05ji05ac6eoip02jovt6i2v0c\r\nF9A9387F7D252842 city.kingston.on.ca\r\nThe \"F9A9387F7D252842\" value is the victim's unique SUNBURST GUID. See our blog post Reassembling Victim Domain Fragments from SUNBURST DNS for more info about how the GUID value is encoded into the DNS traffic.\r\nYou can also run SunburstDomainDecoder in Linux, with help of Mono, like this:\r\n$ mono SunburstDomainDecoder.exe \u003c uniq-hostnames.txt | grep 76330B4D49BF7EC4\r\n76330B4D49BF7EC4 LABELMAR e8fh1ravufms0qpt00gudir2951udivf\r\n76330B4D49BF7EC4 2020-05-30T12:30:00.0000000Z,ESET_RUNNING,ESET_STOPPED gp27ssesmvnpkgff7rc0eok\r\n76330B4D49BF7EC4 nde5gaefm oiltaoj08jjd8h12vnr4tur5h\r\n76330B4D49BF7EC4 LABELMARKET.ES\r\nThe file \"uniq-hostnames.txt\" is a publicly available SUNBURST passive DNS repository created by Bambenek Consulting.\r\nSecurity Product Statistics\r\nhttps://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons\r\nPage 1 of 3\r\nIt is also possible to use the passive DNS data shared by Bambenek, Joe Słowik and others to compute statistics of which security products are popular among SolarWinds' customers.\r\nApplication | Count\r\nWindows Defender | 150\r\nWindows Defender ATP | 1\r\nMS Azure ATP / Defender for Identity | 0\r\nCarbon Black | 21\r\nCrowdStrike Falcon | 25\r\nFireEye | 9\r\nESET | 32\r\nF-Secure | 0\r\nIt is worth mentioning that SUNBURST does not report status for several other major endpoint protection vendors, such as Kaspersky, McAfee, Symantec, Sophos or Trend Micro.\r\nDownload SunburstDomainDecoder\r\nOur tool SunburstDomainDecoder is released under a Creative Commons CC-BY license, and can be downloaded here:\r\nhttps://www.netresec.com/files/SunburstDomainDecoder.zip\r\nYou can also read more about SunburstDomainDecoder in our blog post Reassembling Victim Domain Fragments from SUNBURST DNS.\r\nPosted by Erik Hjelmvik on Tuesday, 29 December 2020 09:38:00 (UTC/GMT)\r\nTags: #SunburstDomainDecoder #SUNBURST #SolarWinds #Solorigate #DNS #Windows Defender #Carbon Black #FireEye #ESET #F-Secure #C2 #beacon\r\nSource: https://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.netresec.com/?page=Blog\u0026month=2020-12\u0026post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons"
	],
	"report_names": [
		"?page=Blog\u0026month=2020-12\u0026post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons"
	],
	"threat_actors": [],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a5648fcc40d09548deb49337cca814af1ed6bd53.pdf",
		"text": "https://archive.orkl.eu/a5648fcc40d09548deb49337cca814af1ed6bd53.txt",
		"img": "https://archive.orkl.eu/a5648fcc40d09548deb49337cca814af1ed6bd53.jpg"
	}
}