Elastic Security provides free and open protections for SUNBURST

Executive summary

- Elastic Security's malware prevention technology, used by both Elastic Endgame and the endpoint security capabilities within Elastic Security, has been updated and is not affected by the attacks described in this disclosure.
- Existing Elastic Security rules (listed below) can help identify potential attacks.
- New Elastic Security rules (listed below) can help detect new threats.
- Recommended searches and threat hunts for Elastic Security are listed below (Elastic Endgame recommendations can be found on our support portal).
- Users are invited to work directly with our protection engineers in our public rules repo.

Background

On December 13, SolarWinds released a security advisory regarding a successful supply-chain attack on the Orion management platform. The attack affects Orion versions 2019.4 HF 5 through 2020.2.1, software products released between March and June of 2020. Likewise, on December 13, FireEye released information about a global campaign involving the SolarWinds supply-chain compromise that affected some versions of the Orion software. Many details of the intrusion have not been made public, and this content may be updated as additional information becomes known.

Elastic provides this information for users in the free tier, and recommends that subscription customers refer to the support portal for additional information about licensed features.

Malware protection

We have updated our MalwareScore protection, used by both Elastic Endgame and Elastic Security. This update includes blocklist entries for known bad file hashes, providing essential prevention capability to mitigate deployed SolarWinds client software containing malicious code. Users should receive this update automatically.

Free and open behavioral detections

We have reviewed public materials disclosed by SolarWinds and FireEye to ensure we have as up-to-date an understanding of the tactics, techniques, and procedures (TTPs) as possible. Additionally, Elastic reviewed content published by Volexity describing post-exploitation activities observed during professional services engagements. While information about how the responsible adversary has leveraged this supply-chain compromise is limited, materials published by FireEye and Volexity indicate attempts to obtain lasting operational control by targeting directory services and other forms of authentication, with a particular emphasis on information access.

The following existing behavioral detections for the Elastic Security solution may identify evidence of successful post-exploitation:

- User Added as Owner for Azure Service Principal
- Multi-Factor Authentication Disabled for an Azure User
- Attempts to Brute Force a Microsoft 365 User Account
- Potential Password Spraying of Microsoft 365 User Accounts
- Possible Consent Grant Attack via Azure-Registered Application
- Azure Key Vault Modified
- Process Termination followed by Deletion
- Clearing Windows Event Logs

Additionally, new behavioral rules are being released for the following activities:

- Exporting Exchange MailBox via PowerShell
- SolarWinds Process Disabling Services via Registry
- Command Execution via SolarWinds Process
- Suspicious SolarWinds Child Process
- Azure Active Directory PowerShell Sign-in
- Azure Service Principal Addition
- SUNBURST Command and Control Activity Detected
- Azure Application Credential Modification
- Outbound Scheduled Task Activity via PowerShell

Elastic Security users may find value in enabling additional detection rules in all categories, prioritizing triage and analysis of results related to SolarWinds client software.

Threat hunting using Elastic

Based on public reporting, users may find that hunts focused on the following are important leads to prioritize. Each hunt is given in EQL and in KQL.

Disabling services via the Windows registry (a service's Start value set to 4, i.e. disabled, by anything other than the Service Control Manager running as NT AUTHORITY):

```eql
registry where registry.path : "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start" and
  registry.data.strings == "4" and
  not (process.name : "services.exe" and user.domain : "NT AUTHORITY")
```

```kql
registry.path:HKLM\\System\\*ControlSet*\\Services\\*\\Start and registry.data.strings:"4" and not (process.name:"services.exe" and user.domain:"NT AUTHORITY")
```

Unusual descendants of the SolarWinds client:

```eql
process where event.type in ("start", "process_started") and
  process.parent.name : ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe")
```

```kql
event.category:process and event.type:start and process.parent.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")
```

Creation of executable files by the SolarWinds client:

```eql
file where process.name in ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
  file.name : ("*.dll", "*.exe", "*.ps1", "*.jpg", "*.png")
```

```kql
event.category:file and event.type:creation and file.extension:(dll or DLL or exe or EXE or ps1 or PS1 or jpg or JPG or png or PNG) and process.name:("SolarWinds.BusinessLayerHost.exe" or "SolarWinds.BusinessLayerHostx64.exe")
```

Unexpected network communications by the SolarWinds client (Orion-style requests to the /swip/ endpoints that are not addressed to solarwinds.com):

```eql
network where network.protocol == "http" and
  process.name : ("SolarWinds.BusinessLayerHostx64.exe", "ConfigurationWizard.exe",
                  "NetflowDatabaseMaintenance.exe", "NetFlowService.exe",
                  "SolarWinds.Administration.exe", "SolarWinds.BusinessLayerHost.exe",
                  "SolarWinds.Collector.Service.exe", "SolarwindsDiagnostics.exe") and
  wildcard(http.request.body.content,
           "POST*/swip/Upload.ashx*", "PUT*/swip/Upload.ashx*",
           "GET*/swip/SystemDescription*", "HEAD*/swip/SystemDescription*",
           "GET*/swip/Events*", "HEAD*/swip/Events*") and
  not wildcard(http.request.body.content,
               "POST*solarwinds.com*", "PUT*solarwinds.com*",
               "GET*solarwinds.com*", "HEAD*solarwinds.com*")
```

```kql
event.category:network and event.type:protocol and network.protocol:http and process.name:(ConfigurationWizard.exe or NetFlowService.exe or NetflowDatabaseMaintenance.exe or SolarWinds.Administration.exe or SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe or SolarWinds.Collector.Service.exe or SolarwindsDiagnostics.exe) and http.request.body.content:(((/swip/Upload.ashx and (POST or PUT)) or (/swip/SystemDescription and (GET or HEAD)) or (/swip/Events and (GET or HEAD))) and not solarwinds.com*)
```

Next steps

Elastic will update our malware protection signer allowlist to remove the allowlist entry for SolarWinds Worldwide, LLC. As a result, SolarWinds users may see malware alerts for software signed by SolarWinds; these may be false positives.

Elastic Security's researchers are monitoring this situation for any updates. As new information emerges, we will evaluate and create additional protections as needed. Elastic recommends that users follow all applicable guidance from SolarWinds in addition to the guidance provided in this document. Users of SolarWinds products should also review reference materials for associated network-based indicators and conduct searches to identify potential evidence of prior or ongoing compromise. Elastic users can search for atomic indicators without learning a new query language.

https://www.elastic.co/blog/elastic-security-provides-free-and-open-protections-for-sunburst
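The registry-disable and SolarWinds-HTTP hunts from the threat-hunting section above, re-expressed as Python predicates over ECS-style event dicts so the matching logic can be checked offline against constructed events. This is an added example, not Elastic's code; the field helper, the sample events, the "ExampleSvc" service name and the hostnames in them are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Process names and request-line patterns as listed in the network hunt.
SOLARWINDS_PROCS = {
    "SolarWinds.BusinessLayerHostx64.exe", "ConfigurationWizard.exe",
    "NetflowDatabaseMaintenance.exe", "NetFlowService.exe", "SolarWinds.Administration.exe",
    "SolarWinds.BusinessLayerHost.exe", "SolarWinds.Collector.Service.exe", "SolarwindsDiagnostics.exe"}
SWIP_PATTERNS = ("POST*/swip/Upload.ashx*", "PUT*/swip/Upload.ashx*", "GET*/swip/SystemDescription*",
                 "HEAD*/swip/SystemDescription*", "GET*/swip/Events*", "HEAD*/swip/Events*")
VENDOR_PATTERNS = tuple(m + "*solarwinds.com*" for m in ("POST", "PUT", "GET", "HEAD"))

def field(event, dotted, default=""):
    """Read an ECS dotted field name such as 'registry.data.strings' out of a nested dict (assumed layout)."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur

def match(value, *patterns):
    """Case-insensitive wildcard match, mirroring EQL's ':' operator and wildcard() function."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

def service_disabled_via_registry(event):
    """Service Start value set to 4 (disabled) by anything other than services.exe as NT AUTHORITY."""
    if field(event, "event.category") != "registry" or field(event, "registry.data.strings") != "4":
        return False
    if not match(field(event, "registry.path"), "HKLM\\SYSTEM\\*ControlSet*\\Services\\*\\Start"):
        return False
    return not (field(event, "process.name") == "services.exe" and field(event, "user.domain") == "NT AUTHORITY")

def unexpected_solarwinds_http(event):
    """Orion-style /swip/ request from a SolarWinds binary that is not addressed to solarwinds.com."""
    if field(event, "network.protocol") != "http" or field(event, "process.name") not in SOLARWINDS_PROCS:
        return False
    body = field(event, "http.request.body.content")
    return match(body, *SWIP_PATTERNS) and not match(body, *VENDOR_PATTERNS)

def run_hunts(events):
    """Return [(event_index, hunt_name)] for every event that trips a hunt."""
    hunts = {"registry_service_disabled": service_disabled_via_registry,
             "solarwinds_http_unexpected": unexpected_solarwinds_http}
    return [(i, n) for i, ev in enumerate(events) for n, fn in hunts.items() if fn(ev)]

# Constructed sample events (not real telemetry): events 0 and 2 are benign, 1 and 3 should match.
SAMPLE_EVENTS = [
    {"event": {"category": "registry"}, "process": {"name": "services.exe"}, "user": {"domain": "NT AUTHORITY"}, "registry": {"path": "HKLM\\SYSTEM\\ControlSet001\\Services\\ExampleSvc\\Start", "data": {"strings": "4"}}},
    {"event": {"category": "registry"}, "process": {"name": "powershell.exe"}, "user": {"domain": "CORP"}, "registry": {"path": "HKLM\\SYSTEM\\ControlSet001\\Services\\ExampleSvc\\Start", "data": {"strings": "4"}}},
    {"network": {"protocol": "http"}, "process": {"name": "SolarWinds.BusinessLayerHost.exe"}, "http": {"request": {"body": {"content": "GET /swip/Events HTTP/1.1\r\nHost: updates.solarwinds.com"}}}},
    {"network": {"protocol": "http"}, "process": {"name": "SolarWinds.BusinessLayerHost.exe"}, "http": {"request": {"body": {"content": "GET /swip/Events HTTP/1.1\r\nHost: cdn.example.invalid"}}}},
]
```

Running `run_hunts(SAMPLE_EVENTS)` flags only events 1 and 3, matching what the EQL versions would return on the same documents.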

Published Dec 15, 2020, 10:20:32 PM

