Coverage for all known binaries used in this attack is covered in the 4287 V3 DATs (ENS) and the 9835 V2 DATs (MWG and VSE). These DATs released on December 14, 2020, for cloud-connected systems, and in Global Threat Intelligence (GTI).

Generic detection capabilities, previously provided by Extra.DAT, are included in the 4288 V3 DATs (ENS) and the 9836 V2 DATs (MWG and VSE) released on December 15, 2020.

The detection name for threats in this attack is HackTool-Leak.c before the 4288 V3 DATs (ENS) and the 9836 V2 DATs (MWG and VSE). After these DATs, the detection name for threats in this attack is Trojan-Sunburst.

At the time of publication, customers using MVISION Endpoint will see a Windows Defender detection for Trojan:MSIL/Solorigate.B!dha.

For enhanced detection coverage, MVISION Endpoint customers can update to the MVISION Endpoint 2011 Hotfix release, made available on December 16, 2020.

• Customers with MVISION ePO: Confirm that Auto-Update is enabled and configured for immediate deployment.
• Customers with on-premises ePO: Check in MVISION Endpoint 2011 Hotfix after you get it from the Software Center or Product Downloads site and deploy to the environment.

For additional information about this release and other MVISION Endpoint releases, see KB90744 - Supported platforms for MVISION Endpoint.

For customers who can't update DATs or who are not using on-access scanning / on-demand scanning, Exploit Prevention coverage can be configured using the following Expert Rules. The rule content is also available in the Sunburst_Expert_Rules.zip in the Attachment section of this article.

ENS Expert Rules:
 

Rule name	Sunburst: Block creation of named pipe
Severity	High
Action	Block, Report
Rule type	Files
Rule content	Rule { Process { Include OBJECT_NAME { -v "SolarWinds.BusinessLayerHost.exe" -v "SolarWinds.BusinessLayerHostx64.exe" } } Target { Match FILE { Include OBJECT_NAME { -v "**583da945-62af-10e8-4902-a8f205c72b2e"} Include -access "CONNECT_NAMED_PIPE" ; # Prevents pipe connection } } }
Notes (Optional)	This rule trigger indicates that the SolarWinds application tried to create a known malicious named pipe.

 

Rule name	Sunburst: Detect 7zip anomalous use
Severity	High
Action	Block, Report
Rule type	Processes
Rule content	Rule {               Process {                              Include OBJECT_NAME { -v "rundll32.exe" }                              Include OBJECT_NAME { -v "dllhost.exe" }                              Include GROUP_SID { -v "S-1-16-12288" }                              Include GROUP_SID { -v "S-1-16-16384" }               }               Target {                              Match PROCESS {                                                               Include OBJECT_NAME { -v "7z*" }                                            Include PROCESS_CMD_LINE { -v "*-mx9*" }                                            Include -access "CREATE"                              }               } }
Notes (Optional)	This rule trigger indicates that the SolarWinds application tried to abuse 7zip application.

 

Rule name	Sunburst: Detect Registering dllhost.exe as a temp service
Severity	High
Action	Block, Report
Rule type	Registry
Rule content	Rule {         Process {                Include OBJECT_NAME { -v "**" }         }         Target {                Match VALUE {                        Include OBJECT_NAME { -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }                        Include OBJECT_NAME { -v "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ dllhost.exe " }                        Include -access "CREATE RENAME REPLACE_KEY RESTORE_KEY"                }                Match VALUE {                        Include TARGET_OBJECT_NAME { -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ dllhost.exe " }                        Include TARGET_OBJECT_NAME { -v "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\ dllhost.exe " }                        Include -access "RENAME"                }         } }
Notes (Optional)	This rule trigger indicates that an application tried to temporarily register dllhost.exe as a service on registry hive Image File Execution Option.

 

Rule name	Sunburst: Prevent loading of unsigned NetSetupSvc.dll
Severity	High
Action	Block, Report
Rule type	Files
Rule content	Rule { Process { Include OBJECT_NAME { -v "**\\svchost.exe" } } Target { Match FILE { Include OBJECT_NAME { -v "**\\windows\\syswow64\\netsetupsvc.dll" } Exclude CERT_NAME { -v "*Microsoft Corporation*" } } } }
Notes (Optional)	NetSetupSVC.dll is a shared DLL that Microsoft uses for several applications such as Microsoft Access, Office, and more. This rule trigger indicates that SVCHost.exe tried to load an unsigned NetSetupSVC.dll which could indicate a breach.

Host IPS Custom Signature:
For Host IPS 8.0, coverage is not possible due to no support for using named pipe creation blocking. But, you can use a custom signature for partial coverage. False positive detections might occur, so it is recommended to regularly review any signature events. Per the ENS Expert Rule above, monitor for any activity using unsigned or non-Microsoft signed use of NetSetupSvc.dll.
 

Signature name	Sunburst: Monitoring of NetSetupSvc.dll through svchost.exe
Severity	High
Platform	Windows
Signature type	Host IPS
Severity Level	<Configure to match the LOG or PREVENT threshold of your choice according to your IPS Protection policy>
Client rules	<Enable if you want for IPS Adaptive mode to auto-learn exception if Adaptive mode is enabled>
Log status	<Enable if you want to generate ePO events for signature violations>
Description	NetSetupSVC.dll is a shared DLL that Microsoft uses for several applications such as Microsoft Access, Office, and more. This rule trigger indicates that SVCHost.exe tried to load an unsigned NetSetupSVC.dll which could indicate a breach.
Subrules	<Click New Expert Subrule>
Subrule Syntax	Rule { Class "Files" Id 7000 level 4 files {Include "*\\windows\\syswow64\\netsetupsvc.dll"} application { Include "*\\svchost.exe" } time { Include "*" } user_name { Include "*"} attributes "-v" directives "-d" "-c" "files:execute" }
	NOTE: The ID value defined above will change (after saving the policy change) to be the next available Signature ID available on your ePO server database between ID 4001 and 5999.

Customers using McAfee Application and Change Control are advised to unsolidify SolarWinds Orion Platform software if running an affected build. If rules were created to add SolarWinds as an updater, McAfee recommends deleting them.

NSP IPS Signature Set 10.8.16.6 released on December 15, 2020 which includes coverage to detect and block the Sunburst Backdoor traffic.
 

Attack Signature	Attack ID
MEDIUM - BACKDOOR: SUNBURST Activity Detected	0x40e10a00

For details, see KB93875 - REGISTERED - Network Security Signature Sets Release Bulletin (10.8.16.6).

The referenced article is available only to registered ServicePortal users.

To view registered articles:

1. Log on to the ServicePortal at http://support.mcafee.com.
2. Type the article ID in the search field on the home page.
3. Click Search or press Enter.