SolarStorm Activity Behavior Hunting playbook

This manual playbook should be used as a sub-playbook in the 'SolarStorm and SUNBURST Hunting and Response' playbook and it helps you hunt for suspicious behavior related to SolarStorm activity. Sources: - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ - https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

Rapid Breach Response · 13 tasks · 0 inputs · 0 outputs

Flowchart

Start Start SUNBURST Backdoor Hunting SUNBURST Backdoor Hunting Search SUNBURST DNS queries Search SUNBURST DNS queries Search the malicious DLL Search the malicious DLL Search for Cobalt Strike Alerts Search for Cobalt Strike ... Hunt Behavior SolarStorm Activity Hunt Behavior SolarStorm ... Search for files dropped from the infected SolarWinds process Search for files dropped ... SolarWinds process accessing non-SolarWinds domains SolarWinds process access... Search the infected SolarWinds process running WMI queries Search the infected Solar... Search for modifying or creating a service by the process Search for modifying or c... Search backdoor DLLs which initiated network connections Search backdoor DLLs whic... Search for known backdoor named pipe Search for known backdoor... Done Done