SolarStorm and SUNBURST Hunting and Response Playbook

This playbook does the following: - Collect indicators to aid in your threat hunting process. - Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin). - Retrieve C2 domains and URLs associated with Sunburst. - Discover IOCs of associated activity related to the infection. - Generate an indicator list to block indicators with SUNBURST tags. - Hunt for the SUNBURST backdoor - Query firewall logs to detect network activity. - Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found: - Notify security team to review and trigger remediation response actions. - Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team. Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

Rapid Breach Response · 73 tasks · 11 inputs · 0 outputs

Inputs

  • IsolateEndpointAutomatically — Whether to automatically isolate endpoints, or opt for manual user approval. True means isolation will be done automatically.
  • BlockIndicatorsAutomatically — Whether to automatically indicators involved with SolarStorm.
  • CVEs — CVEs related to SUNBURST and SolarStorm.
  • SunBurstSTIX — Hard-coded STIX file of SUNBURST and SolarStorm indicators.
  • KnownRelatedIOCs — Add your own custom SUNBURST and SolarStorm IOCs to hunt.
  • LogForwarding — PAN-OS Log Forwarding Profile Name
  • AutoCommit — This input establishes whether to commit the configuration automatically in PAN-OS. Yes - Commit automatically. No - Commit manually.
  • AutoBlockSolarWindsServer — This input establishes whether to block the SolarWinds server automatically in PAN-OS. True - Commit automatically. False - Commit manually.
  • DeviceGroup — Target Device Group (Panorama only)
  • O365_AdminRolesList — Comma-separated list of Service O365 admin roles.
  • Mialboxes_Retrieve_Limit — The maximum number of results to retrieve. Default is 10.

Commands used

appendIndicatorField closeInvestigation createNewIndicator expanse-get-issues extractIndicators

Flowchart

yes yes yes yes yes yes yes yes Start Start Collect and Retrieve Indicators to Hunt Collect and Retrieve Indi... Collect hashes from FireEye for installed SUNBURST backdoor - http Collect hashes from FireE... http Close investigation - closeInvestigation Close investigation closeInvestigation Done Done Panorama search thread-ids in threat logs - Panorama Query Logs Panorama search thread-id... Panorama Query Logs Remediation Remediation Investigate further Investigate further Mitigation Mitigation Mark hash indicators with SolarStorm tag - appendIndicatorField Mark hash indicators with... appendIndicatorField Search Endpoints By Hash - Generic V2 - Search Endpoints By Hash - Generic V2 Search Endpoints By Hash ... Search Endpoints By Hash - Ge... Hunt SolarStorm and SunBurst in Network Activity Hunt SolarStorm and SunBu... Hunt Backdoor SolarWinds and SunBurst in Endpoints Hunt Backdoor SolarWinds ... No Infections Found No Infections Found Isolate Endpoint - Generic V2 - Isolate Endpoint - Generic V2 Isolate Endpoint - Generi... Isolate Endpoint - Generic V2 Panorama search SolarWinds App-IDs traffic logs - Panorama Query Logs Panorama search SolarWind... Panorama Query Logs Block Indicators Block Indicators Any compromised hosts found? Any compromised hosts found? Hunting Hunting Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Collect domains and IPs from FireEye for installed SUNBURST backdoor - http Collect domains and IPs f... http UnEscape IPs from result to indicators - UnEscapeIPs UnEscape IPs from result ... UnEscapeIPs UnEscape URLs from result to indicators - UnEscapeURLs UnEscape URLs from result... UnEscapeURLs Whether to automatically isolate compromised hosts? Whether to automatically ... Isolate Compromised Hosts Isolate Compromised Hosts Mark IP indicators with SolarStorm tag - createNewIndicator Mark IP indicators with S... createNewIndicator Mark URL indicators with SolarStorm tag - createNewIndicator Mark URL indicators with ... createNewIndicator Whether to block indicators automatically? Whether to block indicato... Manually block indicators Manually block indicators Manually isolate endpoints Manually isolate endpoints Tag SolarStorm and SUNBURST Indicators Tag SolarStorm and SUNBUR... Collect IOCs from UNIT42 GIT - http Collect IOCs from UNIT42 GIT http Indicators from GIT Sources Indicators from GIT Sources Indicators from STIX File Indicators from STIX File CVE Indicators CVE Indicators Create aSTIX file - FileCreateAndUpload Create aSTIX file FileCreateAndUpload Create indicators from STIX - CreateIndicatorsFromSTIX Create indicators from STIX CreateIndicatorsFromSTIX CVE Enrichment - Generic v2 - CVE Enrichment - Generic v2 CVE Enrichment - Generic v2 CVE Enrichment - Generic v2 CVEs Hunt CVEs Hunt Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic Extract indicators from playbook inputs - extractIndicators Extract indicators from p... extractIndicators Search XDR incidents for SUNBURST - SearchIncidentsV2 Search XDR incidents for ... SearchIncidentsV2 Are there custom IOCs? Are there custom IOCs? Expanse search for SolarWinds server - expanse-get-issues Expanse search for SolarW... expanse-get-issues Expanse Search SolarWinds Server and C2 Network Connection Expanse Search SolarWinds... Block Access to Vulnerable SolarWinds Block Access to Vulnerabl... Was a vulnerable SolarWinds server found? Was a vulnerable SolarWin... Block vulnerable SolarWinds server automatically? Block vulnerable SolarWin... Manually block SolarWinds server Manually block SolarWinds... Is Expanse enabled? Is Expanse enabled? Search XDR incidents for suspicious SolarStorm behavior - SearchIncidentsV2 Search XDR incidents for ... SearchIncidentsV2 Additional IOCs Additional IOCs Hard-coded related IOCs - extractIndicators Hard-coded related IOCs extractIndicators Is the organization SolarWinds server version vulnerable? Is the organization Solar... Was SolarWinds found vulnerable? Was SolarWinds found vuln... SolarWinds Not Vulnerable SolarWinds Not Vulnerable SolarStorm Activity Behavior Hunting playbook - SolarStorm Activity Behavior Hunting playbook SolarStorm Activity Behav... SolarStorm Activity Behavior ... Hunt SolarStrom IOCs Hunt SolarStrom IOCs Hunt SolarStorm Activity Hunt SolarStorm Activity Office 365 and Azure Hunting - Office 365 and Azure Hunting Office 365 and Azure Hunting Office 365 and Azure Hunting Office 365 and Azure Configuration Analysis - Office 365 and Azure Configuration Analysis Office 365 and Azure Conf... Office 365 and Azure Configur... SolarWinds Mitigation SolarWinds Mitigation Azure Mitigation Azure Mitigation Patch Vulnerable SolarWinds Server Patch Vulnerable SolarWin... Compromised Organization Entities Mitigation Compromised Organization ... Change the password for SolarWinds user Change the password for S... Reset all credentials used by or stored in SolarWinds software Reset all credentials use... Replace the user account by Group Managed Service Account Replace the user account ... Configure encryption types allowed for Kerberos Configure encryption type... Rebuild hosts monitored by the SolarWinds Rebuild hosts monitored b... Mitigation Complete Mitigation Complete Block IP - Generic v3 - Block IP - Generic v3 Block IP - Generic v3 Block IP - Generic v3 Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2