Detecting SolarWinds SUNBURST IOC, from Microsoft Defender for Endpoint and Azure Sentinel
By Gianni Castaldi
Today I have been hunting for IOC and found a few ways to detect whether your network has been compromised. We will write some KQL to see whether your network has also been compromised.
We will use the Network IOC and the Hash IOC to hunt in Microsoft Defender for Endpoint and Azure Sentinel.
For all file-related activity, we will look in the DeviceFileEvents table in Microsoft Defender for Endpoint and match the SHA1, SHA256 and MD5 columns against the known hashes.
let SHA1Hash = dynamic(["1b476f58ca366b54f34d714ffce3fd73cc30db1a",
"47d92d49e6f7f296260da1af355f941eb25360c4",
"2f1a5a7411d015d01aaee4535835400191645023",
"d130bd75645c2433f88ac03e73395fba172ef676",
"76640508b1e7759e548771a5359eaed353bf1eec",
"c2c30b3a287d82f88753c85cfb11ec9eb1466bad",
"75af292f34789a1c782ea36c7127bf6106f595e8"]);
let SHA256Hash = dynamic(["d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
"53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
"292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
"c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"]);
let MD5Hash = dynamic(["02af7cec58b9a5da1c542b5a32151ba1",
"08e35543d6110ed11fdf558bb093d401",
"2c4a910a1299cdae2a4e55988a2f102e",
"846e27a652a5e1bfbd0ddd38a16dc865",
"b91ce2fa41029f6955bff20079468448",
"4f2eb62fa529c0283b28d05ddd311fae",
"56ceb6d0011d87b6e4d7023d7ef85676"]);
// Any file event whose hash matches one of the three IOC lists
DeviceFileEvents
| where SHA1 in(SHA1Hash) or SHA256 in(SHA256Hash) or MD5 in(MD5Hash)
For the network-related IOC, we will look in the DeviceNetworkEvents table and match the RemoteIP column against the known IP addresses.
let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
// Any connection from a device to one of the listed IPs
DeviceNetworkEvents
| where RemoteIP in(IPList)
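As an added example that is not part of the original post, the following advanced hunting query correlates the file-hash IOC and the network IOC on the same device, so hosts with both kinds of evidence come out on top. It reuses the SHA256 and IP lists from this post and assumes the Defender for Endpoint advanced hunting schema (Timestamp, DeviceId, DeviceName, InitiatingProcessFileName).

```kusto
let SHA256Hash = dynamic(["d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600",
"53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7",
"019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134",
"ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6",
"32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77",
"292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712",
"c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"]);
let IPList = dynamic(["13.59.205.66", "54.193.127.66", "54.215.192.52", "34.203.203.23",
"139.99.115.204", "5.252.177.25", "5.252.177.21", "204.188.205.176",
"51.89.125.18", "167.114.213.199"]);
// Devices on which one of the listed SHA256 hashes was observed (added example, assumes the
// advanced hunting column names Timestamp, DeviceId, DeviceName, FileName)
let FileHits = DeviceFileEvents
    | where SHA256 in (SHA256Hash)
    | summarize FirstFileHit = min(Timestamp), LastFileHit = max(Timestamp),
                Files = make_set(FileName) by DeviceId, DeviceName;
// Devices that connected to one of the listed IPs, together with the connecting process
let NetHits = DeviceNetworkEvents
    | where RemoteIP in (IPList)
    | summarize FirstNetHit = min(Timestamp), LastNetHit = max(Timestamp),
                Connections = count(), RemoteIPs = make_set(RemoteIP),
                Processes = make_set(InitiatingProcessFileName) by DeviceId, DeviceName;
// Full outer join so devices with only one kind of evidence are kept as well
FileHits
| join kind=fullouter NetHits on DeviceId, DeviceName
| extend DeviceId = coalesce(DeviceId, DeviceId1), DeviceName = coalesce(DeviceName, DeviceName1)
// Score 2 = hash IOC and network IOC on the same device, 1 = only one of the two
| extend Score = iff(isnotempty(FirstFileHit), 1, 0) + iff(isnotempty(FirstNetHit), 1, 0)
| project Score, DeviceName, DeviceId, FirstFileHit, LastFileHit, Files,
          FirstNetHit, LastNetHit, Connections, RemoteIPs, Processes
| sort by Score desc, LastNetHit desc
```

A device with Score 2 deserves the first look during triage; a device with only a network hit still needs checking, since the hashes cover only the known samples.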
When we collect traffic logs from firewalls such as Palo Alto Networks or Fortinet in Azure Sentinel, we can also hunt for network activity to the network IOC in the CommonSecurityLog table.
For Palo Alto Networks we use the following query:
let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where DeviceProduct == "PAN-OS"
| where TimeGenerated > ago(360d)
| where Activity == "TRAFFIC" // traffic logs only, not THREAT, SYSTEM or CONFIG entries
| where DestinationIP in(IPList)
For Fortinet we can use the following query:
let IPList = dynamic(["13.59.205.66",
"54.193.127.66",
"54.215.192.52",
"34.203.203.23",
"139.99.115.204",
"5.252.177.25",
"5.252.177.21",
"204.188.205.176",
"51.89.125.18",
"167.114.213.199"]);
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceProduct == "Fortigate"
| where TimeGenerated > ago(360d)
| where DestinationIP in(IPList)
If you find one of the IOC on your network, please continue with the following article: Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center
Thanks for reading and if you have any questions or ideas for a blog post let me know.