{
	"id": "98c513de-9de9-452e-b709-960eeace2be2",
	"created_at": "2026-04-06T00:11:54.809112Z",
	"updated_at": "2026-04-10T03:37:33.249378Z",
	"deleted_at": null,
	"sha1_hash": "deba7402c28fea70c2e108f46d4453a512ccb574",
	"title": "Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2112590,
	"plain_text": "Analyzing Solorigate, the compromised DLL file that started a\r\nsophisticated cyberattack, and how Microsoft Defender helps\r\nprotect customers | Microsoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2020-12-18 · Archived: 2026-04-05 13:14:15 UTC\r\nUPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the threat actor\r\nbehind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple\r\nother organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving\r\nforward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the\r\nexamples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) has named the actor\r\nbehind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components\r\nas NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the\r\ncampaign of attacks.\r\nWe, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack.\r\nWhile investigations are underway, we want to provide the defender community with intelligence to understand\r\nthe scope, impact, remediation guidance, and product detections and protections we have built in as a result. 
We\r\nhave established a resource center that is constantly updated as more information becomes available\r\nat https://aka.ms/solorigate.\r\nWhile the full extent of the compromise is still being investigated by the security industry as a whole, in this blog\r\nwe are sharing insights into the compromised SolarWinds Orion Platform DLL that led to this sophisticated attack.\r\nThe addition of a few benign-looking lines of code into a single DLL file spelled a serious threat to organizations\r\nusing the affected product, widely used IT administration software deployed across verticals, including government\r\nand the security industry. The discreet malicious code inserted into the DLL calls a backdoor composed of\r\nalmost 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered in compromised\r\nnetworks.\r\nThe fact that the compromised file is digitally signed suggests the attackers were able to access the company’s\r\nsoftware development or distribution pipeline. Evidence suggests that as early as October 2019, these attackers\r\nhad been testing their ability to insert code by adding empty classes. Therefore, insertion of malicious code into\r\nSolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the\r\nsoftware build, which include digitally signing the compiled code. As a result, the DLL containing the\r\nmalicious code is also digitally signed, which enhances its ability to run privileged actions—and keep a low\r\nprofile. Because the signature is valid, Authenticode verification passes; only a comparison against a known-good\r\nbuild or a scan for the added class reveals the change.\r\nIn many of their actions, the attackers took steps to maintain a low profile. For example, the inserted malicious\r\ncode is lightweight and only has the task of running a malware-added method in a parallel thread such that the\r\nDLL’s normal operations are not altered or interrupted. 
This method is part of a class, which the attackers\r\nnamed OrionImprovementBusinessLayer to blend in with the rest of the code.\r\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nPage 1 of 21\n\nThe class contains all the backdoor\r\ncapabilities, comprising 13 subclasses and 16 methods, with strings obfuscated to further hide malicious code.\r\nOnce loaded, the backdoor goes through an extensive list of checks to make sure it’s running in an actual\r\nenterprise network and not on an analyst’s machine. It then contacts a command-and-control (C2) server using a\r\nsubdomain generated partly from information gathered from the affected device, which means a unique\r\nsubdomain for each affected domain. This is another way the attackers try to evade detection.\r\nWith a lengthy list of functions and capabilities, this backdoor allows hands-on-keyboard attackers to perform a\r\nwide range of actions. As we’ve seen in past human-operated attacks, once operating inside a network, adversaries\r\ncan perform reconnaissance on the network, elevate privileges, and move laterally. Attackers progressively move\r\nacross the network until they can achieve their goal, whether that’s cyberespionage or financial gain.\r\nFigure 1. Solorigate malware infection chain\r\nThe challenge in detecting these kinds of attacks means organizations should focus on solutions that can look at\r\ndifferent facets of network operations to detect ongoing attacks already inside the network, in addition to strong\r\npreventative protection.\r\nWe have previously provided guidance and remediation steps to help ensure that customers are empowered to\r\naddress this threat. In this blog, we’ll share our in-depth analysis of the backdoor’s behavior and functions, and\r\nshow why it represents a high risk for business environments. 
We’ll also share details of the comprehensive\r\nendpoint protection provided by Microsoft Defender for Endpoint. In another blog, we discuss protections across\r\nthe broader Microsoft 365 Defender, which integrates signals from endpoints with other domains – identities, data,\r\ncloud – to provide coordinated detection, investigation, and remediation capabilities. Read: Using Microsoft 365\r\nDefender to protect against Solorigate.\r\nWhere it all starts: A poisoned code library\r\nThe attackers inserted malicious code into SolarWinds.Orion.Core.BusinessLayer.dll, a code library belonging to\r\nthe SolarWinds Orion Platform. The attackers had to find a suitable place in this DLL component to insert their\r\ncode. Ideally, they would choose a place in a method that gets invoked periodically, ensuring both execution and\r\npersistence, so that the malicious code is guaranteed to be always up and running. Such a suitable location turns\r\nout to be a method named RefreshInternal.\r\nFigure 2: The method infected with the bootstrapper for the backdoor\r\nFigure 3: What the original method looks like\r\nThe modification to this function is very lightweight and could be easily overlooked—all it does is execute the\r\nmethod OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow\r\nof RefreshInternal is not altered.\r\nWhy was this method chosen rather than other ones? 
A quick look at the architecture of this DLL shows\r\nthat RefreshInternal is part of the\r\nclass SolarWinds.Orion.Core.BusinessLayer.BackgroundInventory.InventoryManager and is invoked by a\r\nsequence of methods that can be traced back to the CoreBusinessLayerPlugin class. The purpose of this class,\r\nwhich initiates its execution with a method named Start (likely at an early stage when the DLL is loaded), is to\r\ninitialize various other components and schedule the execution of several tasks. Among those tasks is Background\r\nInventory, which ultimately starts the malicious code.\r\nFigure 4. The inserted malicious code runs within a parallel thread\r\nThe functionality of the backdoor resides entirely in the class OrionImprovementBusinessLayer, comprising 13\r\nsubclasses and 16 methods. Its name blends in with the rest of the legitimate code. The threat actors were savvy\r\nenough to avoid give-away terminology like “backdoor”, “keylogger”, etc., and instead opted for more neutral\r\njargon. At first glance, the code in this DLL looks normal and doesn’t raise suspicions, which could be part of the\r\nreason why the insertion of malicious code was undetected for months, especially if the code for this DLL was not\r\nfrequently updated.\r\nTo have some minimal form of obfuscation from prying eyes, the strings in the backdoor are compressed and\r\nencoded in Base64, or their hashes are used instead.\r\nFigure 5: Example of obfuscated strings\r\nInitial reconnaissance\r\nThe Initialize method is the de facto execution entry point of the backdoor. 
It carries out several checks to verify\r\nthat it is running in a real victim’s environment:\r\nIt verifies that the process hosting the malicious DLL is named solarwinds.businesslayerhost.exe\r\nIt checks that the last write-time of the malicious DLL is at least 12 to 14 days earlier\r\nIt delays execution by random amounts of time\r\nIt verifies that the domain name of the current device meets the following conditions:\r\nThe domain must not contain certain strings; the check for these strings is implemented via hashes,\r\nso at this time the domain names that are block-listed are unknown\r\nThe domain must not contain “solarwinds”\r\nThe domain must not match the regular expression (?i)([^a-z]|^)(test)([^a-z]|$), or in simpler terms,\r\nit must not look like a test domain\r\nIt checks that there are no running processes related to security-related software\r\n(e.g., Windbg, Autoruns, Wireshark)\r\nIt checks that there are no drivers loaded from security-related software (e.g., groundling32.sys)\r\nIt checks that the status of certain services belonging to security-related software meets certain conditions\r\n(e.g., windefend, sense, cavp)\r\nIt checks that the host “api.solarwinds.com” resolves to an expected IP address\r\nIf any of these checks fail, the backdoor terminates. All these inspections are carried out to avoid exposing the\r\nmalicious functionality to unwanted environments, such as test networks or machines belonging to SolarWinds.\r\nThe backdoor\r\nAfter the extensive validation described above, the backdoor enters its main execution stage. At its core, the\r\nbackdoor is a very standard one that receives instructions from the C2 server, executes those instructions, and\r\nsends back information. 
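\r\nThe checks listed above can be modelled to see exactly which environments they exclude. The following Python is an added example written for this page; it is not code from the page or from the backdoor. The domain regular expression and the solarwinds substring test are quoted from the page; the 12-day dormancy bound, the process and driver names, and the sample hosts and domains are assumptions or constructed inputs. The service-status and api.solarwinds.com checks are omitted because the page does not give their conditions.\r\n
```python
import re
from datetime import datetime, timedelta

# Added example, not code from the page or from the malware: a model of the execution
# guardrails (environmental keying) the backdoor applies before doing anything else.

# Regular expression quoted on the page: the domain must not look like a test domain.
TEST_DOMAIN_RE = re.compile(r'(?i)([^a-z]|^)(test)([^a-z]|$)')

# The page says the DLL must be at least 12 to 14 days old; 12 days is an assumption.
MIN_DORMANCY = timedelta(days=12)
EXPECTED_HOST = 'solarwinds.businesslayerhost.exe'

# The page names these as examples only; the real block lists are stored as hashes.
BLOCKED_PROCESSES = {'windbg.exe', 'autoruns.exe', 'wireshark.exe'}
BLOCKED_DRIVERS = {'groundling32.sys'}


def guardrail(host_process, dll_last_write, now, domain, running_processes=(), loaded_drivers=()):
    '''Return None when every modelled check passes, otherwise the name of the first check
    that fails. The checks run in the order the page lists them.'''
    if host_process.lower() != EXPECTED_HOST:
        return 'host-process'
    if now - dll_last_write < MIN_DORMANCY:
        return 'dll-too-new'
    d = domain.lower()
    if 'solarwinds' in d:
        return 'solarwinds-domain'
    if TEST_DOMAIN_RE.search(d):
        return 'test-domain'
    if any(p.lower() in BLOCKED_PROCESSES for p in running_processes):
        return 'analysis-tool-running'
    if any(drv.lower() in BLOCKED_DRIVERS for drv in loaded_drivers):
        return 'security-driver-loaded'
    return None


def run_samples():
    '''Constructed cases (assumed hosts and domains) showing what each check excludes.'''
    now = datetime(2020, 12, 13, 12, 0, 0)
    old = now - timedelta(days=30)
    host = 'SolarWinds.BusinessLayerHost.exe'
    return {
        'enterprise':     guardrail(host, old, now, 'corp.contoso.com'),
        'wrong-host':     guardrail('rundll32.exe', old, now, 'corp.contoso.com'),
        'fresh-dll':      guardrail(host, now - timedelta(days=3), now, 'corp.contoso.com'),
        'vendor-network': guardrail(host, old, now, 'dev.solarwinds.local'),
        'test-domain':    guardrail(host, old, now, 'test-lab.contoso.com'),
        'contest-domain': guardrail(host, old, now, 'contest.contoso.com'),
        'analyst-box':    guardrail(host, old, now, 'corp.contoso.com',
                                    running_processes=['Wireshark.exe']),
    }


if __name__ == '__main__':
    for name, verdict in run_samples().items():
        print(name, '->', 'runs' if verdict is None else 'aborts (' + verdict + ')')
```
\r\nTwo details matter for anyone building a detonation environment: the regular expression requires test to be a whole token, so contest.contoso.com passes while test-lab.contoso.com is rejected, and a freshly dropped DLL is rejected regardless of the domain until the dormancy period has elapsed, which is why a sandbox that runs the file minutes after collection sees nothing.\r\n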
The commands the backdoor accepts range from manipulating registry keys to creating processes and deleting\r\nfiles, effectively giving the attackers full access to the device, especially since the code executes from a trusted,\r\nsigned binary.\r\nIn its first step, the backdoor initiates a connection to a predefined C2 server to report some basic information\r\nabout the compromised system and receive the first commands. The C2 domain is composed of four different\r\nparts: three come from strings that are hardcoded in the backdoor, and one component is generated dynamically\r\nbased on some unique information extracted from the device. This means that every affected device generates a\r\ndifferent subdomain to contact (and possibly more than one). Because the label is derived from the victim, hunts\r\nshould match on the static parts of the domain rather than on any one generated subdomain. Here’s an example of a\r\ngenerated domain:\r\nFigure 6: Dynamically generated C2 domain\r\nThe dynamically generated portion of the domain is the interesting part. It is computed by hashing the following\r\ndata:\r\nThe physical address of the network interface\r\nThe domain name of the device\r\nThe content of the MachineGuid registry value from the\r\nkey HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\r\nThe backdoor also generates a pseudo-random URI that is requested on the C2 domain. Like the domain, the URI\r\nis composed using a set of hardcoded keywords and paths, which are chosen partly at random and partly based on\r\nthe type of HTTP request that is being sent out. 
Possible URIs that can be generated follow these formats:\r\npki/crl/\u003crandom components\u003e.crl, where \u003crandom components\u003e can be numbers and one of the following\r\nstrings:\r\n“-root”\r\n“-cert”\r\n“-universal_ca”\r\n“-ca”\r\n“-primary_ca”\r\n“-timestamp”\r\n“-global”\r\n“-secureca”\r\nfonts/woff/\u003crandom components\u003e-webfont\u003crandom component\u003e.woff2 or fonts/woff/\u003crandom components\u003e.woff2,\r\nwhere the \u003crandom components\u003e can be numbers and one or more of the following strings:\r\n“Bold”\r\n“BoldItalic”\r\n“ExtraBold”\r\n“ExtraBoldItalic”\r\n“Italic”\r\n“Light”\r\n“LightItalic”\r\n“Regular”\r\n“SemiBold”\r\n“SemiBoldItalic”\r\n“opensans”\r\n“noto”\r\n“freefont”\r\n“SourceCodePro”\r\n“SourceSerifPro”\r\n“SourceHanSans”\r\n“SourceHanSerif”\r\nswip/upd/\u003crandom components\u003e, where \u003crandom components\u003e can be one or more of the following\r\nstrings:\r\n“SolarWinds”\r\n“.CortexPlugin”\r\n“.Orion”\r\n“Wireless”\r\n“UI”\r\n“Widgets”\r\n“NPM”\r\n“Apollo”\r\n“CloudMonitoring”\r\n“Nodes”\r\n“Volumes”\r\n“Interfaces”\r\n“Components”\r\nswip/Upload.ashx\r\nswip/Events\r\nHere are examples of final URLs generated by the backdoor:\r\nhxxps://3mu76044hgf7shjf[.]appsync-api[.]eu-west-1[.]avsvmcloud[.]com/swip/upd/Orion[.]Wireless[.]xml\r\nhxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-2[.]avsvmcloud[.]com/pki/crl/492-ca[.]crl\r\nhxxps://3mu76044hgf7shjf[.]appsync-api[.]us-east-1[.]avsvmcloud[.]com/fonts/woff/6047-freefont-ExtraBold[.]woff2\r\nThese paths are built to look like routine CRL and web-font fetches, so a path match on its own is a weak signal; the\r\nhost is the discriminator.\r\nFinally, the backdoor composes a JSON document into which it adds the unique user ID described earlier, a\r\nsession ID, and a set of other non-relevant data fields. 
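\r\nThe host and URI shapes listed above can be turned into a classifier for proxy or DNS logs. The following Python is an added example written for this page, not code from the page or from the backdoor. The avsvmcloud.com zone, the appsync-api label, the keyword lists and the three URLs come from the page; the exact path grammar (numbers first, keywords after, an optional .xml suffix as in the swip example), the loose per-victim and region labels, and the sample log lines are assumptions and constructed inputs.\r\n
```python
import re
from urllib.parse import urlsplit

# Added example, not code from the page or from the malware: classify URLs against the
# C2 host and URI shapes the page describes.

# Host shape from the page's examples. Only avsvmcloud.com and the appsync-api label are given;
# the generated per-victim label and the region label are left loose here (assumption).
C2_HOST_RE = re.compile(r'^[a-z0-9]+[.]appsync-api[.][a-z0-9-]+[.]avsvmcloud[.]com$', re.I)

CRL_SUFFIXES = ['root', 'cert', 'universal_ca', 'ca', 'primary_ca', 'timestamp', 'global', 'secureca']
FONT_WORDS = ['Bold', 'BoldItalic', 'ExtraBold', 'ExtraBoldItalic', 'Italic', 'Light', 'LightItalic',
              'Regular', 'SemiBold', 'SemiBoldItalic', 'opensans', 'noto', 'freefont',
              'SourceCodePro', 'SourceSerifPro', 'SourceHanSans', 'SourceHanSerif']
SWIP_WORDS = ['SolarWinds', 'CortexPlugin', 'Orion', 'Wireless', 'UI', 'Widgets', 'NPM', 'Apollo',
              'CloudMonitoring', 'Nodes', 'Volumes', 'Interfaces', 'Components']


def alt(words):
    # Alternation over a word list, longest first so ExtraBoldItalic is not cut short by ExtraBold.
    return '(?:' + '|'.join(re.escape(w) for w in sorted(words, key=len, reverse=True)) + ')'


# Path shapes reconstructed from the page's format list and its three example URLs. The real
# generator is not on the page; the ordering of numbers and keywords here is an assumption.
PATH_PATTERNS = {
    'crl':        re.compile('^/pki/crl/[0-9]+-' + alt(CRL_SUFFIXES) + '[.]crl$'),
    'font':       re.compile('^/fonts/woff/[0-9]+(?:-' + alt(FONT_WORDS) + ')+(?:-webfont[0-9]*)?[.]woff2$'),
    'swip':       re.compile('^/swip/upd/(?:' + alt(SWIP_WORDS) + '[.]?)+(?:[.]xml)?$'),
    'swip-fixed': re.compile('^/swip/(?:Upload[.]ashx|Events)$'),
}


def classify(url):
    '''Return (host_matches, path_kind); path_kind is None when no shape matches.'''
    parts = urlsplit(url)
    host_hit = bool(C2_HOST_RE.match(parts.hostname or ''))
    kind = next((k for k, rx in PATH_PATTERNS.items() if rx.match(parts.path)), None)
    return host_hit, kind


def hunt(log_text):
    '''Run over constructed proxy-log lines (timestamp, client, method, url) and return
    (line_no, verdict, url) for every line worth a look. Host plus path is the strong signal;
    a path-only hit is weak because the paths imitate real CRL and font URLs.'''
    findings = []
    for n, line in enumerate(log_text.strip().splitlines(), 1):
        url = line.split()[-1]
        host_hit, kind = classify(url)
        if host_hit:
            findings.append((n, 'c2-host' + ('+' + kind if kind else ''), url))
        elif kind:
            findings.append((n, 'path-only:' + kind, url))
    return findings


# Constructed sample log; the three avsvmcloud.com URLs are the ones quoted on the page,
# the other hosts are invented benign traffic.
SAMPLE_LOG = '''
2020-12-14T09:12:01Z 10.0.5.21 GET https://3mu76044hgf7shjf.appsync-api.eu-west-1.avsvmcloud.com/swip/upd/Orion.Wireless.xml
2020-12-14T09:14:33Z 10.0.5.21 GET https://3mu76044hgf7shjf.appsync-api.us-east-2.avsvmcloud.com/pki/crl/492-ca.crl
2020-12-14T09:20:05Z 10.0.5.21 GET https://3mu76044hgf7shjf.appsync-api.us-east-1.avsvmcloud.com/fonts/woff/6047-freefont-ExtraBold.woff2
2020-12-14T09:21:40Z 10.0.7.9 GET https://crl.example-pki.test/pki/crl/17-root.crl
2020-12-14T09:22:02Z 10.0.7.9 GET https://cdn.example.test/fonts/woff/opensans-regular-webfont.woff2
2020-12-14T09:25:17Z 10.0.5.21 GET https://www.solarwinds.com/documentation
'''

if __name__ == '__main__':
    for line_no, verdict, url in hunt(SAMPLE_LOG):
        print(line_no, verdict, url)
```
\r\nPath-only hits are reported separately on purpose: a legitimate CRL fetch such as the constructed 17-root.crl line has the right shape but the wrong host, and treating it as a detection would drown the queue. The host pattern carries the signal, which is also why the hunting queries later on this page key on avsvmcloud rather than on any generated label.\r\n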
The backdoor then sends this JSON document to the C2 server.\r\nFigure 7: Example of data generated by the malware\r\nIf the communication is successful, the C2 responds with an encoded, compressed buffer of data containing\r\ncommands for the backdoor to execute. The C2 might also respond with information about an additional C2\r\naddress to report to. The backdoor accepts the following commands:\r\nIdle\r\nExit\r\nSetTime\r\nCollectSystemDescription\r\nUploadSystemDescription\r\nRunTask\r\nGetProcessByDescription\r\nKillTask\r\nGetFileSystemEntries\r\nWriteFile\r\nFileExists\r\nDeleteFile\r\nGetFileHash\r\nReadRegistryValue\r\nSetRegistryValue\r\nDeleteRegistryValue\r\nGetRegistrySubKeyAndValueNames\r\nReboot\r\nNone\r\nIn a nutshell, these commands allow the attackers to run, stop, and enumerate processes; read, write, and\r\nenumerate files and registry keys; collect and upload information about the device; and restart the device, wait, or\r\nexit. The command CollectSystemDescription retrieves the following information:\r\nLocal Computer Domain name\r\nAdministrator Account SID\r\nHostName\r\nUsername\r\nOS Version\r\nSystem Directory\r\nDevice uptime\r\nInformation about the network interfaces\r\nResulting hands-on-keyboard attack\r\nOnce backdoor access is obtained, the attackers follow the standard playbook of privilege escalation exploration,\r\ncredential theft, and lateral movement hunting for high-value accounts and assets. 
To avoid detection, attackers\r\nrenamed administrative tools such as adfind.exe (a third-party Active Directory query utility, here copied as\r\ncsrss.exe to mimic a Windows system process), which were then used for domain enumeration:\r\nC:\\Windows\\system32\\cmd.exe /C csrss.exe -h breached.contoso.com -f (name=\"Domain Admins\") member -list | csrss.exe -h breached.contoso.com -f objectcategory=* \u003e .\\Mod\\mod1.log\r\nLateral movement was observed via PowerShell remote task creation, as detailed by FireEye and Volexity. The first\r\nsnippet rewrites an already registered task in a legitimate-looking folder so that it has no execution time limit\r\n(PT0S) and runs as SYSTEM (flags 6 = TASK_CREATE_OR_UPDATE, logon type 5 = service account); the second\r\ncreates the task on a remote host with schtasks:\r\n$scheduler = New-Object -ComObject (\"Schedule.Service\");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder(\"\\Microsoft\\Windows\\SoftwareProtectionPlatform\");$task = $folder.GetTask(\"EventCacheManager\");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = \"PT0S\";$folder.RegisterTaskDefinition($task.Name,$definition,6,\"System\",$null,5);echo \"Done\"\r\nC:\\Windows\\system32\\cmd.exe /C schtasks /create /F /tn \"\\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager\" /tr \"C:\\Windows\\SoftwareDistribution\\EventCacheManager.exe\" /sc ONSTART /ru system /S [machine_name]\r\nPersistence is achieved via backdoors deployed via various techniques:\r\n1. PowerShell:\r\nPowershell -nop -exec bypass -EncodedCommand\r\nThe -EncodedCommand, once decoded, would resemble:\r\nInvoke-WMIMethod win32_process -name create -argumentlist 'rundll32 c:\\windows\\idmu\\common\\ypprop.dll _XInitImageFuncPtrs' -ComputerName WORKSTATION\r\n2. 
Rundll32:\r\nC:\\Windows\\System32\\rundll32.exe C:\\Windows\\Microsoft.NET\\Framework64\\[malicious .dll file], [various exports]\r\nWith Rundll32, each compromised device receives a unique binary hash, unique local filesystem path, pseudo-unique\r\nexport, and unique C2 domain. Hash-based indicators therefore do not carry over from one victim to the next; hunt on\r\nthe behavior instead (rundll32.exe loading a DLL from the Framework64 directory and calling an unusual export).\r\nThe backdoor also allows the attackers to deliver second-stage payloads, which are part of the Cobalt Strike\r\nsoftware suite. We continue to investigate these payloads, which are detected as Trojan:Win32/Solorigate.A!dha,\r\nas the situation continues to unfold.\r\nMicrosoft Defender for Endpoint product and hardening guidance\r\nSupply chain compromise continues to be a growing concern in the security industry. The Solorigate incident is a\r\ngrave reminder that these kinds of attacks can achieve the harmful combination of widespread impact and deep\r\nconsequences for successfully compromised networks. We continue to urge customers to:\r\nIsolate and investigate devices where these malicious binaries have been detected\r\nIdentify accounts that have been used on the affected device and consider them compromised\r\nInvestigate how those endpoints might have been compromised\r\nInvestigate the timeline of device compromise for indications of lateral movement\r\nHardening networks by reducing attack surfaces and building strong preventative protection are baseline\r\nrequirements for defending organizations. On top of that, comprehensive visibility into system and network\r\nactivities drives the early detection of anomalous behaviors and potential signs of compromise. More importantly,\r\nthe ability to correlate signals through AI could surface more evasive attacker activity.\r\nMicrosoft Defender for Endpoint has comprehensive detection coverage across the Solorigate attack chain. 
These\r\ndetections raise alerts that inform security operations teams about the presence of activities and artifacts related to\r\nthis incident. Given that this attack involves the compromise of legitimate software, automatic remediation is not\r\nenabled to prevent service interruption. The detections, however, provide visibility into the attack activity.\r\nAnalysts can then use investigation and remediation tools in Microsoft Defender for Endpoint to perform deep\r\ninvestigation and additional hunting.\r\nMicrosoft 365 Defender provides visibility beyond endpoints by consolidating threat data from across domains –\r\nidentities, data, cloud apps, as well as endpoints – delivering coordinated defense against this threat. This cross-domain\r\nvisibility allows Microsoft 365 Defender to correlate signals and comprehensively resolve whole attack\r\nchains. Security operations teams can then hunt using this rich threat data and gain insights for hardening\r\nnetworks from compromise. Read: Using Microsoft 365 Defender to protect against Solorigate.\r\nFigure 8. Microsoft Defender for Endpoint detections across the Solorigate attack chain\r\nSeveral Microsoft Defender for Endpoint capabilities are relevant to the Solorigate attack:\r\nNext generation protection\r\nMicrosoft Defender Antivirus, the default antimalware solution on Windows 10, detects and blocks the malicious\r\nDLL and its behaviors. 
It quarantines malware, even if the process is running.\r\nDetection for backdoored SolarWinds.Orion.Core.BusinessLayer.dll files:\r\nTrojan:MSIL/Solorigate.BR!dha\r\nDetection for Cobalt Strike fragments in process memory, which also stops the process:\r\nTrojan:Win32/Solorigate.A!dha\r\nBehavior:Win32/Solorigate.A!dha\r\nDetection for the second-stage payload, a Cobalt Strike Beacon that might connect to infinitysoftwares[.]com:\r\nTrojan:Win64/Solorigate.SA!dha\r\nDetection for the PowerShell payload that grabs hashes and SolarWinds passwords from the database along with\r\nmachine information:\r\nTrojan:PowerShell/Solorigate.H!dha\r\nFigure 9. Microsoft Defender for Endpoint prevented malicious binaries\r\nEndpoint detection and response (EDR)\r\nAlerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can\r\nindicate threat activity on your network:\r\nSolarWinds Malicious binaries associated with a supply chain attack\r\nSolarWinds Compromised binaries associated with a supply chain attack\r\nNetwork traffic to domains associated with a supply chain attack\r\nAlerts with the following titles in the Microsoft Defender Security Center and Microsoft 365 security center can\r\nindicate the possibility that the threat activity in this report occurred or might occur later. 
These alerts can also be\r\nassociated with other malicious threats.\r\nADFS private key extraction attempt\r\nMasquerading Active Directory exploration tool\r\nSuspicious mailbox export or access modification\r\nPossible attempt to access ADFS key material\r\nSuspicious ADFS adapter process created\r\nFigure 10. Microsoft Defender for Endpoint detections of suspicious LDAP query being launched and attempted\r\nADFS private key extraction\r\nFigure 11. Microsoft Defender for Endpoint alert description and recommended actions for possible attempt to\r\naccess ADFS key material\r\nOur ability to deliver these protections through our security technologies is backed by our security experts who\r\nimmediately investigated this attack and continue to look into the incident as it develops. Careful monitoring by\r\nexperts is critical in this case because we’re dealing with a highly motivated and highly sophisticated threat actor.\r\nIn the same way that our products integrate with each other to consolidate and correlate signals, security experts\r\nand threat researchers across Microsoft are working together to address this advanced attack and ensure our\r\ncustomers are protected.\r\nThreat analytics report\r\nWe published a comprehensive threat analytics report on this incident. 
Threat analytics reports provide technical\r\ninformation, detection details, and recommended mitigations designed to empower defenders to understand\r\nattacks, assess their impact, and review defenses.\r\nFigure 12. Threat analytics report on the Solorigate attack\r\nAdvanced hunting\r\nMicrosoft 365 Defender and Microsoft Defender for Endpoint customers can run advanced hunting queries to hunt\r\nfor similar TTPs used in this attack.\r\nMalicious DLLs loaded into memory\r\nTo locate the presence or distribution of malicious DLLs loaded into memory, run the following query:\r\nDeviceImageLoadEvents\r\n| where SHA1 in (\"d130bd75645c2433f88ac03e73395fba172ef676\",\r\n\"1acf3108bf1e376c8848fbb25dc87424f2c2a39c\",\"e257236206e99f5a5c62035c9c59c57206728b28\",\r\n\"6fdd82b7ca1c1f0ec67c05b36d14c9517065353b\",\"2f1a5a7411d015d01aaee4535835400191645023\",\r\n\"bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387\",\"16505d0b929d80ad1680f993c02954cfd3772207\",\r\n\"d8938528d68aabe1e31df485eb3f75c8a925b5d9\",\"395da6d4f3c890295f7584132ea73d759bd9d094\",\r\n\"c8b7f28230ea8fbf441c64fdd3feeba88607069e\",\"2841391dfbffa02341333dd34f5298071730366a\",\r\n\"2546b0e82aecfe987c318c7ad1d00f9fa11cd305\",\"e2152737bed988c0939c900037890d1244d9a30e\")\r\nor SHA256 in (\"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\",\r\n\"dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b\",\r\n\"eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed\",\r\n\"ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c\",\r\n\"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\",\r\n\"c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77\",\r\n\"0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589\",\r\n\"e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d\",\r\n\"20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9\",\r\n\"2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d\",\r\n\"a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d\",\r\n\"92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690\",\r\n\"a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2\",\r\n\"cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6\")\r\nMalicious DLLs created in the system or locally\r\nTo locate the presence or distribution of malicious DLLs created in the system or locally, run the following query:\r\nDeviceFileEvents\r\n| where SHA1 in (\"d130bd75645c2433f88ac03e73395fba172ef676\",\r\n\"1acf3108bf1e376c8848fbb25dc87424f2c2a39c\",\"e257236206e99f5a5c62035c9c59c57206728b28\",\r\n\"6fdd82b7ca1c1f0ec67c05b36d14c9517065353b\",\"2f1a5a7411d015d01aaee4535835400191645023\",\r\n\"bcb5a4dcbc60d26a5f619518f2cfc1b4bb4e4387\",\"16505d0b929d80ad1680f993c02954cfd3772207\",\r\n\"d8938528d68aabe1e31df485eb3f75c8a925b5d9\",\"395da6d4f3c890295f7584132ea73d759bd9d094\",\r\n\"c8b7f28230ea8fbf441c64fdd3feeba88607069e\",\"2841391dfbffa02341333dd34f5298071730366a\",\r\n\"2546b0e82aecfe987c318c7ad1d00f9fa11cd305\",\"e2152737bed988c0939c900037890d1244d9a30e\")\r\nor SHA256 in 
(\"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6\",\r\n\"dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b\",\r\n\"eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed\",\r\n\"ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c\",\r\n\"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134\",\r\n\"c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77\",\r\n\"0f5d7e6dfdd62c83eb096ba193b5ae394001bac036745495674156ead6557589\",\r\n\"e0b9eda35f01c1540134aba9195e7e6393286dde3e001fce36fb661cc346b91d\",\r\n\"20e35055113dac104d2bb02d4e7e33413fae0e5a426e0eea0dfd2c1dce692fd9\",\r\n\"2b3445e42d64c85a5475bdbc88a50ba8c013febb53ea97119a11604b7595e53d\",\r\n\"a3efbc07068606ba1c19a7ef21f4de15d15b41ef680832d7bcba485143668f2d\",\r\n\"92bd1c3d2a11fc4aba2735d9547bd0261560fb20f36a0e7ca2f2d451f1b62690\",\r\n\"a58d02465e26bdd3a839fd90e4b317eece431d28cab203bbdde569e11247d9e2\",\r\n\"cc082d21b9e880ceb6c96db1c48a0375aaf06a5f444cb0144b70e01dc69048e6\")\r\nSolarWinds processes launching PowerShell with Base64\r\nTo locate SolarWinds processes spawning suspected Base64-encoded PowerShell commands, run the following\r\nquery (the comments sit on their own lines; a trailing // comment would swallow the next pipe):\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"SolarWinds.BusinessLayerHost.exe\"\r\n| where FileName =~ \"powershell.exe\"\r\n// Extract base64 encoded string, ensure valid base64 length\r\n| extend base64_extracted = extract('([A-Za-z0-9+/]{20,}[=]{0,3})', 1, ProcessCommandLine)\r\n| extend base64_extracted = substring(base64_extracted, 0, (strlen(base64_extracted) / 4) * 4)\r\n// Decode; the null bytes stripped here are the high bytes of the UTF-16LE text that -EncodedCommand expects\r\n| extend base64_decoded = replace(@'\\0', '', make_string(base64_decode_toarray(base64_extracted)))\r\n| where notempty(base64_extracted) and base64_extracted matches regex '[A-Z]' and base64_extracted matches regex '[0-9]'\r\nSolarWinds processes launching CMD with echo\r\nTo locate SolarWinds processes launching CMD with echo, run the following query:\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"SolarWinds.BusinessLayerHost.exe\"\r\n| where FileName == \"cmd.exe\" and ProcessCommandLine has \"echo\"\r\nC2 communications\r\nTo locate DNS lookups to a malicious actor’s domain, run the following query:\r\nDeviceEvents\r\n| where ActionType == \"DnsQueryResponse\" and AdditionalFields has \".avsvmcloud\" // DNS query response\r\nTo locate network connections to a malicious actor’s domain from non-browser processes, run the following query:\r\nDeviceNetworkEvents\r\n| where RemoteUrl contains 'avsvmcloud.com'\r\n| where InitiatingProcessFileName != \"chrome.exe\"\r\n| where InitiatingProcessFileName != \"msedge.exe\"\r\n| where InitiatingProcessFileName != \"iexplore.exe\"\r\n| where InitiatingProcessFileName != \"firefox.exe\"\r\n| where InitiatingProcessFileName != \"opera.exe\"\r\nFind SolarWinds Orion software in your enterprise\r\nTo search for Threat and Vulnerability Management data to find SolarWinds Orion software organized by product\r\nname and ordered by how many devices the software is installed on, run the following query:\r\nDeviceTvmSoftwareInventoryVulnerabilities\r\n| where SoftwareVendor == 'solarwinds'\r\n| where SoftwareName startswith 'orion'\r\n| summarize dcount(DeviceName) by SoftwareName\r\n| sort by dcount_DeviceName desc\r\nADFS adapter process spawning\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"Microsoft.IdentityServer.ServiceHost.exe\"\r\n| where FileName in~ (\"werfault.exe\", \"csc.exe\")\r\n| where ProcessCommandLine !contains (\"nameId\")\r\nAppendix\r\nMITRE ATT\u0026CK techniques observed\r\nThis threat makes 
use of attacker techniques documented in the MITRE ATT\u0026CK framework.\r\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nPage 18 of 21\n\nInitial Access\r\nT1195.001 Supply Chain Compromise\r\nExecution\r\nT1072 Software Deployment Tools\r\nCommand and Control\r\nT1071.004 Application Layer Protocol: DNS\r\nT1071.001 Application Layer Protocol: Web Protocols\r\nT1568.002 Dynamic Resolution: Domain Generation Algorithms\r\nT1132 Data Encoding\r\nPersistence\r\nT1078 Valid Accounts \r\nDefense Evasion\r\nT1480.001 Execution Guardrails: Environmental Keying\r\nT1562.001 Impair Defenses: Disable or Modify Tools\r\nCollection\r\nT1005 Data From Local System \r\nAdditional malware discovered\r\nIn an interesting turn of events, the investigation of the whole SolarWinds compromise led to the discovery of an\r\nadditional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated\r\nto this compromise and used by a different threat actor. The malware consists of a small persistence backdoor in\r\nthe form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll, which is programmed to allow\r\nremote code execution through SolarWinds web application server when installed in the folder\r\n“inetpub\\SolarWinds\\bin\\”. Unlike Solorigate, this malicious DLL does not have a digital signature, which\r\nsuggests that this may be unrelated to the supply chain compromise.  
Nonetheless, the infected DLL contains just\r\none method (named DynamicRun), that can receive a C# script from a web request, compile it on the fly, and\r\nexecute it.\r\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nPage 19 of 21\n\nFigure 13: Original DLL\r\nFigure 14: The malicious addition that calls the DynamicRun method\r\nThis code provides an attacker the ability to send and execute any arbitrary C# program on the victim’s device.\r\nMicrosoft Defender Antivirus detects this compromised DLL as Trojan:MSIL/Solorigate.G!dha.\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft 365 Defender tech community.\r\nRead all Microsoft security intelligence blog posts.\r\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nPage 20 of 21\n\nFollow us on Twitter @MsftSecIntel.\r\nSource: https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyber\r\nattack-and-how-microsoft-defender-helps-protect/\r\nhttps://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/\r\nPage 21 of 21",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/"
	],
	"report_names": [
		"analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775792253,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/deba7402c28fea70c2e108f46d4453a512ccb574.pdf",
		"text": "https://archive.orkl.eu/deba7402c28fea70c2e108f46d4453a512ccb574.txt",
		"img": "https://archive.orkl.eu/deba7402c28fea70c2e108f46d4453a512ccb574.jpg"
	}
}