Snort demo: Finding SolarWinds Sunburst indicators of compromise

Introduction to SolarWinds and Sunburst

The SolarWinds hack is one of the biggest security incidents of recent years. After threat actors gained access to SolarWinds’ network, they implanted a backdoor into the code of the company’s Orion network monitoring product. This gave them access to the networks of tens of thousands of SolarWinds customers once those customers installed the trojanized update.

Sunburst is one of several malware variants associated with the SolarWinds hack. After detecting and reporting on the incident, FireEye published a collection of indicators of compromise (IoCs) for detecting the breach.

In a Cyber Work podcast, Infosec’s Principal Security Researcher Keatron Evans demonstrated how to identify devices compromised with Sunburst using the IoCs provided by FireEye. Learn how to use Snort to detect Sunburst in this video.

Inside a Snort rule

The dataset of IoCs provided by FireEye is formatted as a collection of Snort rules. An example of one of these Snort rules is:

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:""; within:100; sid:77600853; rev:1;)
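As an added example (not from the article or from FireEye's rule set), the following Python parses a rule laid out like the one above and applies its content/offset/depth/within checks to constructed HTTP requests, showing why "T " at offset 2, depth 3 catches GET/POST/PUT requests while the later matches anchor on the Host header. The final content value, which is blank on the page, is replaced with a labelled placeholder host, not a real indicator.

```python
import re

# Constructed example rule, laid out like the FireEye rule quoted above; the last
# content value (blank on the page) is a labelled placeholder, not a real indicator.
RULE = ('alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; '
        'content:"T "; offset:2; depth:3; content:"Host:"; '
        'content:"placeholder-ioc.invalid"; within:100; sid:77600853; rev:1;)')

# One rule option: a name, then either a quoted value, a bare value, or nothing.
OPTION_RE = re.compile(r'(\w+)(?::"((?:[^"\\]|\\.)*)"|:([^;]*))?;')

def parse_rule(rule):
    """Return (header, metadata options, ordered content checks with their modifiers)."""
    header, body = rule.split("(", 1)
    meta, checks = {}, []
    for name, quoted, bare in OPTION_RE.findall(body.rstrip(")")):
        value = quoted or bare
        if name == "content":
            checks.append({"content": value.encode()})
        elif name in ("offset", "depth", "within") and checks:
            checks[-1][name] = int(value)  # modifier applies to the preceding content
        else:
            meta[name] = value
    return header.strip(), meta, checks

def rule_matches(checks, payload):
    """Snort content semantics: offset/depth count from payload start, within from the previous match."""
    cursor = 0  # end of the previous content match
    for c in checks:
        if "within" in c:
            start, end = cursor, cursor + c["within"]
        else:
            start = c.get("offset", 0)
            end = start + c["depth"] if "depth" in c else len(payload)
        pos = payload.find(c["content"], start, end)  # whole needle must fit in [start, end)
        if pos < 0:
            return False
        cursor = pos + len(c["content"])
    return True

def check_request(rule, payload):
    """Return the rule's msg if the payload triggers it, else None."""
    _, meta, checks = parse_rule(rule)
    return meta["msg"] if rule_matches(checks, payload) else None

# Constructed HTTP requests: one that should alert and two that should not.
HIT = b"GET /update HTTP/1.1\r\nHost: placeholder-ioc.invalid\r\n\r\n"
MISS_HOST = b"GET /update HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
MISS_METHOD = b"OPTIONS * HTTP/1.1\r\nHost: placeholder-ioc.invalid\r\n\r\n"  # no "T " in bytes 2-4
```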

It’s not necessary to understand how Snort rules work and are written in order to use them to detect the Sunburst malware on a system. However, understanding the
