Detecting SolarWinds SUNBURST IOC, from Microsoft Defender for Endpoint and Azure Sentinel

By Gianni Castaldi

Today I have been hunting for the SUNBURST indicators of compromise (IOC) and found a few ways to check whether your network has been affected. Below are the KQL queries, so you can run the same check in your own environment.

We will use the network IOC (IP addresses) and the file hash IOC to hunt in Microsoft Defender for Endpoint and Azure Sentinel.

For all file-related activity we look in the DeviceFileEvents table in Microsoft Defender for Endpoint. The same SHA1, SHA256 and MD5 columns exist in DeviceProcessEvents and DeviceImageLoadEvents, so if the trojanized DLL was already on disk before the sensor was installed and only shows up as an image load, running the same filter against those tables still finds it.

let SHA1Hash= dynamic(["1b476f58ca366b54f34d714ffce3fd73cc30db1a",
"47d92d49e6f7f296260da1af355f941eb25360c4",
"2f1a5a7411d015d01aaee4535835400191645023",
"d130bd75645c2433f88ac03e73395fba172ef676",
"76640508b1e7759e548771a5359eaed353bf1eec",
"c2c30b3a287d82f88753c85cfb11ec9eb1466bad",
"75af292f34789a1c782ea36c7127bf6106f595e8"]);
let SHA256Hash= dynamic(["d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
"53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
"292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
"c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"]);
let MD5Hash = dynamic(["02af7cec58b9a5da1c542b5a32151ba1",
"08e35543d6110ed11fdf558bb093d401",
"2c4a910a1299cdae2a4e55988a2f102e",
"846e27a652a5e1bfbd0ddd38a16dc865",
"b91ce2fa41029f6955bff20079468448",
"4f2eb62fa529c0283b28d05ddd311fae",
"56ceb6d0011d87b6e4d7023d7ef85676"]);
// in() is case-sensitive: keep the hash lists lowercase (or use in~) when pasting hashes from another source.
DeviceFileEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, SHA1, SHA256, MD5, InitiatingProcessFileName

For the network IOC we look in the DeviceNetworkEvents table; RemoteIP is the remote side of each connection the sensor recorded, and the initiating process columns tell you which binary made the connection.

let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
DeviceNetworkEvents
| where RemoteIP in(IPList)
| project Timestamp, DeviceName, ActionType, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine

When the traffic logs of firewalls such as Palo Alto Networks or Fortinet are collected in Azure Sentinel (through the CEF connector into the CommonSecurityLog table), we can also hunt for network activity to the network IOC there. Note the ago(360d) window in the queries below: it only helps if the workspace retention reaches that far back. The trojanized Orion builds date from March 2020, so a short retention window leaves a gap that you need to be aware of when you read an empty result.

For Palo Alto Networks we use the following query:

let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "PAN-OS"
| where TimeGenerated > ago(360d)   // only as far back as workspace retention allows
| where Activity == "TRAFFIC"       // PAN-OS traffic log; threat and system logs are excluded
| where DestinationIP in(IPList)
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, ApplicationProtocol, SentBytes, ReceivedBytes

and for Fortinet we can use the following query:

let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct == "Fortigate"
| where TimeGenerated > ago(360d)   // only as far back as workspace retention allows
| where DestinationIP in(IPList)
| project TimeGenerated, SourceIP, SourcePort, DestinationIP, DestinationPort, DeviceAction, ApplicationProtocol, SentBytes, ReceivedBytes
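The three Sentinel queries above each carry their own IOC list and each look at one table. As an added example that is not part of the original post, the following Azure Sentinel hunting query checks the file-hash IOC and the network IOC together and returns one row per host and indicator, with first seen, last seen and which data source produced the hit. It assumes the Microsoft Defender for Endpoint connector is enabled, so the Device* tables sit in the same workspace as CommonSecurityLog; the table and column names are the standard Sentinel ones, and only the SHA256 list is used for brevity (the SHA1 and MD5 lists can be added to the FileHits filter with additional or clauses).

```kql
// Added example, not from the original post: one Sentinel query over the endpoint
// and firewall tables. Assumes the Microsoft Defender for Endpoint connector is
// enabled so the Device* tables are present next to CommonSecurityLog.
let lookback = 360d;   // bounded by workspace retention
let SHA256Hash = dynamic(["d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
"53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
"292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
"c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"]);
let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
// Hash hits: the trojanized DLL may only show up as an image load (it was already on
// disk before the sensor arrived), so the process and image-load tables are checked too.
let FileHits =
    union
        (DeviceFileEvents      | extend Source = "DeviceFileEvents"),
        (DeviceProcessEvents   | extend Source = "DeviceProcessEvents"),
        (DeviceImageLoadEvents | extend Source = "DeviceImageLoadEvents")
    | where TimeGenerated > ago(lookback)
    | where SHA256 in (SHA256Hash)
    | project TimeGenerated, Host = DeviceName, IndicatorType = "SHA256",
              Indicator = SHA256, Detail = FolderPath, Source;
// Endpoint network hits from the Defender sensor, with the initiating process.
let EndpointNetHits =
    DeviceNetworkEvents
    | where TimeGenerated > ago(lookback)
    | where RemoteIP in (IPList)
    | project TimeGenerated, Host = DeviceName, IndicatorType = "IP", Indicator = RemoteIP,
              Detail = strcat(InitiatingProcessFileName, " -> ", RemoteIP, ":", tostring(RemotePort)),
              Source = "DeviceNetworkEvents";
// Firewall hits from CEF logs; one vendor filter replaces the two separate queries.
// The firewall only knows the source IP, so that becomes the Host column here.
let FirewallHits =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor in ("Palo Alto Networks", "Fortinet")
    | where DestinationIP in (IPList)
    | project TimeGenerated, Host = SourceIP, IndicatorType = "IP", Indicator = DestinationIP,
              Detail = strcat(DeviceVendor, " ", DeviceProduct, " ", Activity, " ", DeviceAction),
              Source = "CommonSecurityLog";
union FileHits, EndpointNetHits, FirewallHits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Sources = make_set(Source), Samples = make_set(Detail, 5)
  by Host, IndicatorType, Indicator
| order by FirstSeen asc
```

Hosts that appear with a SHA256 hit are the Orion servers to isolate first. A host that shows only IP hits, especially one that is not an Orion server, still deserves a look at the Samples column: the initiating process tells you whether the connection came from SolarWinds.BusinessLayerHost.exe or from something else on the box.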

If you find one of the IOC on your network, please continue with the Microsoft Security Response Center article "Customer Guidance on Recent Nation-State Cyber Attacks".

Thanks for reading and if you have any questions or ideas for a blog post let me know.


Gianni Castaldi, MVP | NinjaCat | Researching and Engineering Cyber Security @ Wortell
