Suspicious SolarWinds Child Process Execution
Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.
This detection rule identifies suspicious child processes initiated by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate operations. Adversaries may exploit the trusted SolarWinds processes to execute unauthorized programs with elevated privileges, bypassing security controls. The rule focuses on Windows systems and is designed to detect activity indicative of post-compromise actions following a supply chain attack. This detection is crucial for organizations that utilize SolarWinds software, as malicious actors could leverage compromised SolarWinds installations to gain unauthorized access and execute arbitrary code within the network.
Attack Chain
- Initial compromise of the SolarWinds software supply chain (T1195.002).
- Malicious code is injected into SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
- The compromised SolarWinds process spawns a suspicious child process.
- The child process executes a malicious command or binary, attempting to evade detection.
- The child process leverages Native APIs (T1106) to perform privileged actions.
- Lateral movement or data exfiltration may occur from the compromised host.
Impact
A successful attack can lead to the execution of arbitrary code on systems running SolarWinds software. This can result in data theft, system compromise, and further propagation of the attack throughout the network. Organizations in various sectors utilizing SolarWinds products are potentially at risk. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.
Recommendation
- Deploy the Sigma rule "Suspicious SolarWinds Child Process - CommandLine" to detect potentially malicious child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
- Deploy the Sigma rule "Suspicious SolarWinds Child Process - Executable" to detect execution of unusual executables as child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.
- Enable process creation logging with command line details on Windows systems to ensure the Sigma rules have sufficient data.
- Review and tune the rules for false positives based on legitimate SolarWinds child processes in your environment, updating the exclusion lists in the rules accordingly, referencing the “false_positives” section in the rule description.
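The following is an added example, not the page's Sigma rules or any vendor code: a small Python detector over Sysmon-style process creation events that applies the two checks described above (unusual child executable, suspicious child command line) to children of SolarWinds.BusinessLayerHost.exe / SolarWinds.BusinessLayerHostx64.exe, with a per-environment exclusion list in the spirit of the tuning step. The suspicious-image set, command-line patterns, install paths and sample events are constructed assumptions for illustration and are not the rules' own lists.

```python
import ntpath
import re

# Parent processes named on the page.
SOLARWINDS_PARENTS = {
    "solarwinds.businesslayerhost.exe",
    "solarwinds.businesslayerhostx64.exe",
}

# Child image names treated as unusual for this parent (constructed heuristic,
# not the Sigma rule's own list; tune against your environment).
SUSPICIOUS_IMAGES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe",
}

# Command-line fragments treated as suspicious (constructed heuristic).
SUSPICIOUS_CMDLINE = re.compile(
    r"(-enc\w*\s+[A-Za-z0-9+/=]{20,}|downloadstring|invoke-webrequest|"
    r"\\temp\\|frombase64string)",
    re.IGNORECASE,
)

# Assumed exclusions for legitimate SolarWinds children: placeholder path,
# replace with the locations observed while tuning for false positives.
ALLOWED_CHILD_PREFIXES = ("c:\\placeholder\\solarwinds\\orion\\",)


def basename(path):
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return the names of the rules a process-creation event matches."""
    if basename(event.get("ParentImage", "")) not in SOLARWINDS_PARENTS:
        return []
    image = event.get("Image", "")
    if image.lower().startswith(ALLOWED_CHILD_PREFIXES):
        return []  # known legitimate SolarWinds component, excluded
    hits = []
    if basename(image) in SUSPICIOUS_IMAGES:
        hits.append("Suspicious SolarWinds Child Process - Executable")
    if SUSPICIOUS_CMDLINE.search(event.get("CommandLine", "")):
        hits.append("Suspicious SolarWinds Child Process - CommandLine")
    return hits


PARENT = "C:\\placeholder\\SolarWinds\\Orion\\SolarWinds.BusinessLayerHost.exe"
SAMPLE_EVENTS = [  # constructed events, not captured from a real host
    {"ParentImage": PARENT, "Image": "C:\\placeholder\\SolarWinds\\Orion\\LegitComponent.exe", "CommandLine": "LegitComponent.exe"},
    {"ParentImage": PARENT, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQQ=="},
    {"ParentImage": PARENT, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ver"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["Image"]), "->", evaluate(ev) or "no match")
```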
Detection coverage (2 rules)
- Suspicious SolarWinds Child Process - CommandLine (level: medium): Detects suspicious command lines in child processes of SolarWinds BusinessLayerHost.exe
- Suspicious SolarWinds Child Process - Executable (level: medium): Detects suspicious executable names in child processes of SolarWinds BusinessLayerHost.exe