{
	"id": "fe397a2a-ac58-4630-97b2-e13892a68701",
	"created_at": "2026-04-06T00:13:28.002203Z",
	"updated_at": "2026-04-10T03:37:32.853348Z",
	"deleted_at": null,
	"sha1_hash": "c66ab77dd7746d450df0fd7c7172b9d7fab271c3",
	"title": "BlueTeam CheatSheet * SolarWinds Events* | Last updated: 2020-12-24 1334 UTC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98028,
	"plain_text": "BlueTeam CheatSheet * SolarWinds Events* | Last updated: 2020-12-24 1334 UTC\r\nBy 262588213843476\r\nArchived: 2026-04-05 23:51:58 UTC\r\nSolarWinds Supply-chain Compromises\r\nDetections\r\nGeneral\r\nThis section collects the detections released by security vendors for the malware and files linked to the SolarWinds supply-chain compromise. Keep in mind that these detection signatures can and will evolve over the coming days; stay up to date by checking the vendors' resources for the latest information.\r\nWarning\r\nSolarWinds, in a support article that has since been removed, asked organizations to exclude the SolarWinds product paths from anti-virus scans. While this is an understandable practice to avoid impacting SolarWinds product functions, the following detections will not work unless those installation path exclusions are removed first.\r\nSecurity Products\r\nFireEye\r\nTheir indicators (network indicators and file hashes) are available on their GitHub repository. There are also detection rules in Snort, Yara, IOC \u0026 ClamAV formats.\r\nTheir product rules covering the detection:\r\nAPT_Backdoor_MSIL_SUNBURST_1\r\nAPT_Backdoor_MSIL_SUNBURST_2\r\nAPT_Backdoor_MSIL_SUNBURST_3\r\nAPT_Backdoor_MSIL_SUNBURST_4\r\nAPT.Backdoor.MSIL.SUNBURST\r\nSUNBURST SUSPICIOUS FILEWRITES (METHODOLOGY)\r\nSUNBURST SUSPICIOUS URL HOSTNAME (METHODOLOGY)\r\nSUNBURST SUSPICIOUS CHILD PROCESSES (METHODOLOGY)\r\nSUNBURST COMPROMISE INDICATORS\r\nAPT_Webshell_MSIL_SUPERNOVA_2\r\nAPT_Webshell_MSIL_SUPERNOVA_1\r\nhttps://gist.github.com/SwitHak/8b59e740b187511caad1bf06caa44df1\r\nPage 1 of 9\n\nAPT_HackTool_PS1_COSMICGALE_1\r\nAPT_Dropper_Raw64_TEARDROP_1\r\nAPT_Dropper_Win64_TEARDROP_2\r\nBackdoor.BEACON\r\nSources\r\nHighly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor\r\nFireEye GitHub dedicated repo\r\nMicrosoft\r\nMicrosoft detects the threat with Windows Defender signatures available with detection release 1.329.368.0 or higher.\r\nDetection for backdoored SolarWinds.Orion.Core.BusinessLayer.dll files:\r\nTrojan:MSIL/Solorigate.BR!dha\r\nDetection for Cobalt Strike fragments in process memory, which also stops the process:\r\nTrojan:Win32/Solorigate.A!dha\r\nBehavior:Win32/Solorigate.A!dha\r\nDetection for the second-stage payload, a Cobalt Strike beacon that might connect to infinitysoftwares[.]com:\r\nTrojan:Win64/Solorigate.SA!dha\r\nDetection for the PowerShell payload that grabs hashes and SolarWinds passwords from the database along with machine information:\r\nTrojan:PowerShell/Solorigate.H!dha\r\nSources\r\nMicrosoft Security Response Center - Solorigate Resource Center\r\nAnalyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers\r\nSymantec\r\nTools associated with these IOCs will be detected and blocked on machines running Symantec Endpoint products.\r\nFile-based protection:\r\nBackdoor.Sunburst\r\nBackdoor.Sunburst!gen1\r\nBackdoor.SuperNova\r\nBackdoor.Teardrop\r\nNetwork-based protection:\r\nSystem Infected: Trojan.Backdoor Activity 244\r\nSources\r\nSunburst: Supply Chain Attack Targets SolarWinds Users\r\nKaspersky\r\nKaspersky products protect against this threat and detect it with the following names:\r\nBackdoor.MSIL.Sunburst.a\r\nBackdoor.MSIL.Sunburst.b\r\nHEUR:Trojan.MSIL.Sunburst.gen\r\nHEUR:Backdoor.MSIL.Sunburst.gen\r\nBackdoor.MSIL.Sunburst.b\r\nKaspersky's Behavior Detection component detects activity of the trojanized library as:\r\nPDM:Trojan.Win32.Generic.\r\nKaspersky IoA Tag \"Sunburst\"\r\nKaspersky Anti-Targeted Attack Platform detects Sunburst traffic with a set of IDS rules with the following verdicts:\r\nTrojan.Sunburst.HTTP.C\u0026C\r\nBackdoor.Sunburst.SSL.C\u0026C\r\nBackdoor.Sunburst.HTTP.C\u0026C\r\nBackdoor.Sunburst.UDP.C\u0026C\r\nBackdoor.Beacon.SSL.C\u0026C\r\nBackdoor.Beacon.HTTP.C\u0026C\r\nBackdoor.Beacon.UDP.C\u0026C\r\nSource\r\nHow we protect our users against the Sunburst backdoor\r\nMalwarebytes\r\nMalwarebytes released its signatures with a blog post; watch for the following:\r\nBackdoor.Sunburst\r\nBackdoor.WebShell\r\nSources\r\nSolarWinds advanced cyberattack: What happened and what to do now\r\nMcAfee\r\nAll known binaries used in this attack will be covered in the 4287 V3 DATs (ENS) and the 9835 V2 DATs (VSE, Web Gateway) to be released on December 14, 2020, and in GTI for cloud-connected systems.\r\nThe Extra.DAT contains more generic detection capabilities tentatively scheduled to be included in the 4288 V3 DATs (ENS) and the 9836 V2 DATs (VSE). These DATs are to be released on December 15, 2020.\r\nThe detection name for threats in this attack is \"HackTool-Leak.c\" before the 4288 V3 DATs (ENS) and the 9836 V2 DATs (VSE, Web Gateway). After these DATs, the detection name for threats in this attack is Trojan-Sunburst.\r\nFor customers who cannot update DATs or who are not using On-Access Scanning / On-Demand Scanning, Exploit Prevention coverage can be configured using the following Expert Rules. The rule content is also available in the attached Sunburst_Expert_Rules.zip.\r\nSources:\r\nKB93861: McAfee coverage for SolarWinds Sunburst Backdoor\r\nSUNBURST Malware and SolarWinds Supply Chain Compromise\r\nMVISION Insights Campaign: SolarWinds Supply Chain Attack Affecting Multiple Global Victims With SUNBURST Backdoor\r\nSophos\r\nSophos has published an incident response playbook that includes good guidance on how to use the Sophos tools.\r\nTheir detection signatures are the following:\r\nTroj/SunBurst-A.CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp\r\nMal/Generic-S.Solarwinds Worldwide LLC\r\nTroj/Agent-BGGA.SolarWinds.Orion.Core.BusinessLayer.dll\r\nTroj/Agent-BGGB.SolarWinds.Orion.Core.BusinessLayer.dll\r\nTroj/Agent-BGFZ.SolarWinds.Orion.Core.BusinessLayer.dll\r\nMal/Generic-S.OrionImprovementBusinessLayer.2.cs\r\nTroj/Agent-BGGC+Mal/Generic-S.app_web_logoimagehandler.ashx.b6031896.dll\r\nMal/Sunburst-A\r\nSources\r\nIncident response playbook for responding to SolarWinds Orion compromise\r\nSophos GitHub info\r\nSentinelOne\r\nFollowing the SolarWinds supply chain attack:\r\nSentinelOne’s Singularity Cloud blocks all reported IOCs\r\nAll SentinelOne customers have access to a new hunting pack which includes custom Deep Visibility hunting queries for the latest SUNBURST and FireEye breach IOCs\r\nSource\r\nFireEye/SolarWinds: Taking Action and Staying Protected\r\nPalo Alto Networks\r\nCortex XDR\r\nCortex XDR customers are protected using the product’s WildFire integration, as well as through Local Analysis, the Password Theft Protection module, and the Behavioral Threat Protection (BTP) engine. Protections are continually being evaluated, developed, and deployed for Cortex XDR.\r\nCortex XDR Managed Threat Hunting\r\nOur Cortex XDR Managed Threat Hunting Team (MTH) has proactively searched all Cortex XDR Pro customer logs to identify potentially impacted organizations and provide them an assessment of their risk.\r\nWildFire (NGFW security subscription)\r\nGap analysis and threat hunting leveraging the FireEye-provided Yara signatures and observables has enabled Unit 42 researchers to identify potential malware samples that we are now analyzing, building and deploying protections for within WildFire.\r\nApp-ID\r\nUsing the NGFW’s logs, a customer can get quick situational awareness of layer-7 application data in their environment. Customers looking for SolarWinds activity in their environment can do this from Panorama or the NGFW under the Monitor tab by searching the Traffic or Unified logs for “(app eq solarwinds)or(app eq solarwinds-rmm)or(app eq solarwinds-msp-manager)or(app eq solarwinds-agent)or(app eq solarwinds-npm)or(app eq solarwinds-sam)or(app eq solarwinds-msp-anywhere)”. This can also be viewed in the ACC Network Activity tab, filtered by Application, and can be made into a routine check through custom reporting.\r\nAutoFocus\r\nAutoFocus customers can track SolarStorm’s activity in the tags SolarStorm, SUPERNOVA and SUNBURST.\r\nIoT Security (NGFW security subscriptions)\r\nThe IoT Security subscription has the capability of identifying SolarWinds servers. These devices are being added to the IoT Security user portal UI, and the Device-ID attribute will be pushed to PAN-OS. These devices will be displayed to users as “SolarWinds Network Management Device” within the IoT Security user portal UI. In PAN-OS, users will see the Device-ID attribute “Profile” = “SolarWinds Network Management Device”. This feature will be enabled for all IoT Security customers this week.\r\nThreat Prevention DNS Security (NGFW security subscriptions)\r\nThreat Prevention and DNS Security provide protection against C2 beacons and associated traffic. Protections are continually being evaluated, developed, and deployed for the Threat Prevention subscription.\r\nURL Filtering (NGFW security subscription)\r\nAs of the time of writing, the associated infrastructure described in this blog has accurate verdicts of malware.\r\nSources\r\nThreat Brief: SolarStorm and SUNBURST Customer Coverage\r\nCheck Point\r\nCheck Point covers this threat with the following Threat Prevention products:\r\nAnti-Virus:\r\nTrojan.Win32.SUNBURST.TC.XXX\r\nThreat Emulation:\r\nHackTool.Wins.FE_RT.A\r\nAnti-Bot:\r\nBackdoor.Win32.SUNBURST.XX\r\nBackdoor.Win32.Beacon.\r\nIPS:\r\nSunburst Backdoor Suspicious Traffic\r\nSources\r\nCheck Point response to SolarWinds supply chain attack\r\nCisco\r\nCisco Snort users are protected by using the following signatures:\r\nSIDs 56660-56668\r\nCisco also released an informational security advisory to help its customers respond in case of compromise of Cisco equipment.\r\nSources\r\nThreat Advisory: SolarWinds supply chain attack\r\nSolarWinds Orion Platform Supply Chain Attack\r\nFortinet\r\nFortiGuard Labs has AV coverage in place for publicly available samples as:\r\nW32/Agent.1BA1!tr\r\nW32/Sunburst.A!tr\r\nMSIL/Agent.102E!tr\r\nMSIL/Agent.C865!tr\r\nMSIL/Agent.8448!tr\r\nMSIL/Agent.5676!tr\r\nFortiGuard Labs has released a revised IPS signature that detects SUNBURST activity, shipped in IPS definitions set (16.981):\r\nFireEye.Red.Team.Tool\r\nFortiEDR\r\nFor FortiEDR protections, all published IOCs were added to our Cloud intelligence and will be blocked if executed on customer systems.\r\nWeb Filtering client\r\nAll network IOCs are blocked by the Web Filtering client.\r\nSources\r\nSupply Chain Attack on SolarWinds Orion Platform Affecting Multiple Organizations Worldwide (APT29)\r\nTrend Micro\r\nGeneral\r\nThe malicious files associated with this attack are already detected by the appropriate Trend Micro products as:\r\nBackdoor.MSIL.SUNBURST.A\r\nTrojan.MSIL.SUPERNOVA.A\r\nTrend Micro XDR\r\nTrend Micro XDR customers benefit from all detection capabilities of the underlying products such as Apex One. In addition, depending on their data collection time range, XDR customers may be able to sweep for IOCs retroactively if there was potential activity in this range, to help in investigation. Some auto-sweeping rules related to this incident have already been enabled for XDR customers.\r\nTrend Micro Cloud One - Workload Security and Deep Security Rules\r\nIn addition to the anti-malware patterns listed above (for customers that utilize the anti-malware module), Trend Micro has released the following rules that help to block some of the known domains and malicious traffic:\r\nRule 1010669 - Identified Malicious Domain – SolarWinds\r\nRule 1010675 - Identified HTTP Backdoor Win32.Beaconsolar.A Runtime Detection\r\nRule 1010676 - Identified HTTP Trojan.MSIL.Sunburst.A Traffic Request\r\nTippingPoint\r\nCustomers that use Trend Micro TippingPoint technologies can also utilize the following ThreatDV filters:\r\n38626 : HTTP: Trojan.MSIL.Sunburst.A Runtime Detection\r\n38627 : HTTP: Backdoor.Win32.Beaconsolar.A Runtime Detection\r\nTrend Micro Deep Discovery\r\nThe following Deep Discovery Inspector (DDI) rule has been released for this threat in the latest pattern:\r\n4491: DNS_SUNBURST_RESPONSE_SB\r\nCustomers utilizing Deep Discovery technologies such as DDI and Deep Discovery Analyzer (DDAN) may find it useful to use the capabilities of the platform to help investigate potential lateral movement and other detections within the environment.\r\nSources\r\nSECURITY ALERT: Sunburst (SolarWinds) Targeted Attack Detection and Investigation with Trend Micro Products\r\nSIEM cheat sheet\r\nIBM QRadar\r\nIBM employee Gladys Koska published a very thorough blog post named “SUNBURST indicator detection in QRadar” detailing how, using QRadar, you can detect the SolarWinds threats:\r\nSources\r\nSUNBURST indicator detection in QRadar\r\nSplunk\r\nSplunk employee Ryan Kovar released a blog post named “Using Splunk to Detect Sunburst Backdoor” detailing some searches that can be useful to detect SolarWinds events.\r\nSources\r\nUsing Splunk to Detect Sunburst Backdoor\r\nErrors, typos, something to say?\r\nFeel free to report any mistake directly below in the comments or by DM on Twitter @SwitHak\r\nSource: https://gist.github.com/SwitHak/8b59e740b187511caad1bf06caa44df1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://gist.github.com/SwitHak/8b59e740b187511caad1bf06caa44df1"
	],
	"report_names": [
		"8b59e740b187511caad1bf06caa44df1"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434408,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c66ab77dd7746d450df0fd7c7172b9d7fab271c3.pdf",
		"text": "https://archive.orkl.eu/c66ab77dd7746d450df0fd7c7172b9d7fab271c3.txt",
		"img": "https://archive.orkl.eu/c66ab77dd7746d450df0fd7c7172b9d7fab271c3.jpg"
	}
}