McAfee Gateway products block all known network indicators of compromise (IOCs).
Coverage for all known binaries used in this attack is included in the 4287 V3 DATs (ENS) and the 9835 V2 DATs (MWG and VSE). These DATs were released on December 14, 2020. Coverage is also available for cloud-connected systems through Global Threat Intelligence (GTI).
Generic detection capabilities, previously provided by Extra.DAT, are included in the 4288 V3 DATs (ENS) and the 9836 V2 DATs (MWG and VSE), released on December 15, 2020.
The detection name for threats in this attack is HackTool-Leak.c before the 4288 V3 DATs (ENS) and the 9836 V2 DATs (MWG and VSE). From these DATs onward, the detection name for threats in this attack is Trojan-Sunburst.
At the time of publication, customers using MVISION Endpoint will see a Windows Defender detection for Trojan:MSIL/Solorigate.B!dha.
For enhanced detection coverage, MVISION Endpoint customers can update to the MVISION Endpoint 2011 Hotfix release, made available on December 16, 2020.
- Customers with MVISION ePO: Confirm that Auto-Update is enabled and configured for immediate deployment.
- Customers with on-premises ePO: Check in the MVISION Endpoint 2011 Hotfix package, obtained from the Software Center or Product Downloads site, and deploy it to the environment.
For additional information about this release and other MVISION Endpoint releases, see KB90744 - Supported platforms for MVISION Endpoint.
For customers who can't update DATs, or who are not using on-access scanning or on-demand scanning, Exploit Prevention coverage can be configured using the following Expert Rules. The rule content is also available in Sunburst_Expert_Rules.zip in the Attachment section of this article.
ENS Expert Rules:
Rule name: Sunburst: Block creation of named pipe
Severity: High
Action: Block, Report
Rule type: Files
Rule content:
Rule {
    Process {
        Include OBJECT_NAME {
            -v "SolarWinds.BusinessLayerHost.exe"
            -v "SolarWinds.BusinessLayerHostx64.exe"
        }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**583da945-62af-10e8-4902-a8f205c72b2e" }
            Include -access "CONNECT_NAMED_PIPE" ; # Prevents pipe connection
        }
    }
}
Notes (Optional): This rule trigger indicates that the SolarWinds application tried to create a known malicious named pipe.
Rule name: Sunburst: Detect 7zip anomalous use
Severity: High
Action: Block, Report
Rule type: Processes
Rule content:
Rule {
    Process {
        Include OBJECT_NAME { -v "rundll32.exe" }
        Include OBJECT_NAME { -v "dllhost.exe" }
        Include GROUP_SID { -v "S-1-16-12288" }
        Include GROUP_SID { -v "S-1-16-16384" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "7z*" }
            Include PROCESS_CMD_LINE { -v "*-mx9*" }
            Include -access "CREATE"
        }
    }
}
Notes (Optional): This rule trigger indicates that the SolarWinds application tried to abuse the 7-Zip application.
Rule name: Sunburst: Detect Registering dllhost.exe as a temp service
Severity: High
Action: Block, Report
Rule type: Registry
Rule content:
Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match VALUE {
            Include OBJECT_NAME { -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
            Include OBJECT_NAME { -v "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
            Include -access "CREATE RENAME REPLACE_KEY RESTORE_KEY"
        }
        Match VALUE {
            Include TARGET_OBJECT_NAME { -v "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
            Include TARGET_OBJECT_NAME { -v "HKLM\\Software\\Wow6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\dllhost.exe" }
            Include -access "RENAME"
        }
    }
}
Notes (Optional): This rule trigger indicates that an application tried to temporarily register dllhost.exe as a service under the Image File Execution Options registry key.
Rule name: Sunburst: Prevent loading of unsigned NetSetupSvc.dll
Severity: High
Action: Block, Report
Rule type: Files
Rule content:
Rule {
    Process {
        Include OBJECT_NAME { -v "**\\svchost.exe" }
    }
    Target {
        Match FILE {
            Include OBJECT_NAME { -v "**\\windows\\syswow64\\netsetupsvc.dll" }
            Exclude CERT_NAME { -v "*Microsoft Corporation*" }
        }
    }
}
Notes (Optional): NetSetupSvc.dll is a shared DLL that Microsoft uses for several applications such as Microsoft Access, Office, and more. This rule trigger indicates that svchost.exe tried to load a NetSetupSvc.dll that is not signed by Microsoft, which could indicate a breach.
Host IPS Custom Signature:
Host IPS 8.0 does not support blocking named pipe creation, so full coverage is not possible. However, you can use a custom signature for partial coverage. False positive detections might occur, so it is recommended that you regularly review any signature events. As in the ENS Expert Rule above, the signature monitors for any loading of NetSetupSvc.dll that is unsigned or not signed by Microsoft.
Signature name: Sunburst: Monitoring of NetSetupSvc.dll through svchost.exe
Severity: High
Platform: Windows
Signature type: Host IPS
Severity Level: <Configure to match the LOG or PREVENT threshold of your choice according to your IPS Protection policy>
Client rules: <Enable if you want IPS Adaptive mode to auto-learn an exception when Adaptive mode is enabled>
Log status: <Enable if you want to generate ePO events for signature violations>
Description: NetSetupSvc.dll is a shared DLL that Microsoft uses for several applications such as Microsoft Access, Office, and more. This rule trigger indicates that svchost.exe tried to load an unsigned NetSetupSvc.dll, which could indicate a breach.
Subrules: <Click New Expert Subrule>
Subrule Syntax:
Rule {
    Class "Files"
    Id 7000
    level 4
    files { Include "*\\windows\\syswow64\\netsetupsvc.dll" }
    application { Include "*\\svchost.exe" }
    time { Include "*" }
    user_name { Include "*" }
    attributes "-v"
    directives "-d" "-c" "files:execute"
}
NOTE: The Id value defined above changes (after you save the policy change) to the next available Signature ID on your ePO server database, in the range 4001 to 5999.
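The following PowerShell script is an added example and is not part of this article or its Sunburst_Expert_Rules.zip attachment. It is a read-only host check that looks for the same indicators the ENS Expert Rules and the Host IPS custom signature above key on: the named pipe, the Image File Execution Options keys for dllhost.exe, the Authenticode signer of the 32-bit NetSetupSvc.dll that svchost.exe loads, and 7-Zip running with the -mx9 option. The pipe name, registry paths and DLL path are taken from the rules; the function name Test-SunburstHostIndicators and the output format are the example's own. It is useful for confirming on a host whether a rule or signature event corresponds to a current condition, and for checking hosts where the rules cannot be deployed.

```powershell
# Added example (not McAfee's code): read-only check for the host indicators used by
# the Expert Rules and Host IPS signature above. Run in an elevated PowerShell
# session on the Windows host under review. Nothing here blocks, deletes or modifies.
function Test-SunburstHostIndicators {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Named pipe from the "Block creation of named pipe" rule. Open pipes can be
    #    enumerated through the \\.\pipe\ namespace.
    $pipeSuffix = '583da945-62af-10e8-4902-a8f205c72b2e'
    $pipes = [System.IO.Directory]::GetFiles('\\.\pipe\')
    foreach ($p in ($pipes | Where-Object { $_ -like "*$pipeSuffix" })) {
        $findings.Add("Named pipe present: $p")
    }

    # 2. Image File Execution Options keys for dllhost.exe (the Registry rule).
    #    A clean system normally has no IFEO entry for dllhost.exe at all.
    $ifeoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe'
    )
    foreach ($key in $ifeoKeys) {
        if (Test-Path -LiteralPath $key) {
            $names = (Get-ItemProperty -LiteralPath $key).PSObject.Properties.Name |
                Where-Object { $_ -notlike 'PS*' }
            $findings.Add("IFEO key exists: $key (values: $($names -join ', '))")
        }
    }

    # 3. Signer of the 32-bit NetSetupSvc.dll (the Files rule and the Host IPS
    #    signature). Anything not validly signed by Microsoft Corporation is reported.
    $dll = Join-Path $env:SystemRoot 'SysWOW64\NetSetupSvc.dll'
    if (Test-Path -LiteralPath $dll) {
        $sig = Get-AuthenticodeSignature -FilePath $dll
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        if ($sig.Status -ne 'Valid' -or $signer -notlike '*Microsoft Corporation*') {
            $findings.Add("NetSetupSvc.dll not validly signed by Microsoft: status=$($sig.Status) signer=$signer")
        }
    }

    # 4. 7-Zip running with maximum compression (-mx9), as in the Processes rule.
    #    The parent process is included so rundll32.exe / dllhost.exe parents stand out.
    $sevenZip = Get-CimInstance -ClassName Win32_Process -Filter "Name LIKE '7z%'" |
        Where-Object { $_.CommandLine -like '*-mx9*' }
    foreach ($proc in $sevenZip) {
        $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $findings.Add("7-Zip with -mx9: PID $($proc.ProcessId) parent=$($parent.Name) cmd=$($proc.CommandLine)")
    }

    return $findings
}

$result = Test-SunburstHostIndicators
if ($result.Count -eq 0) { 'No Sunburst host indicators found.' } else { $result }
```

Each finding maps back to one rule or signature above, so an empty result on a host that raised an Expert Rule event means the condition was transient (for example, a blocked pipe connection) and the event log, not the host state, is the record to review.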
Customers using McAfee Application and Change Control are advised to unsolidify SolarWinds Orion Platform software if running an affected build. If rules were created to add SolarWinds as an updater, McAfee recommends deleting them.
NSP IPS Signature Set 10.8.16.6, released on December 15, 2020, includes coverage to detect and block Sunburst backdoor traffic.
Attack Signature | Attack ID
MEDIUM - BACKDOOR: SUNBURST Activity Detected | 0x40e10a00
For details, see KB93875 - REGISTERED - Network Security Signature Sets Release Bulletin (10.8.16.6).
The referenced article is available only to registered ServicePortal users.
To view registered articles:
- Log on to the ServicePortal at http://support.mcafee.com.
- Type the article ID in the search field on the home page.
- Click Search or press Enter.