Skip to content
Threat Feed
medium advisory

Suspicious Command Execution via SolarWinds Process

This brief covers the detection of suspicious command execution, specifically Cmd.exe or PowerShell.exe, as child processes of legitimate SolarWinds executables, indicative of potential supply chain compromise and unauthorized command execution on Windows systems.

This rule detects suspicious command execution via SolarWinds processes. Following the SolarWinds supply chain compromise (SUNBURST), adversaries may leverage legitimate SolarWinds processes to execute arbitrary commands on compromised systems. This involves spawning command-line interpreters like cmd.exe or powershell.exe as child processes of various SolarWinds executables. This activity could lead to further exploitation, lateral movement, and data exfiltration. This detection focuses on identifying parent-child process relationships where SolarWinds processes unexpectedly launch command interpreters, indicating potential malicious activity. The initial compromise occurred in 2020, impacting numerous organizations across various sectors.

Attack Chain

  1. The attacker gains initial access through a supply chain compromise, potentially via a trojanized SolarWinds Orion software update.
  2. A legitimate SolarWinds process, such as ConfigurationWizard.exe, NetFlowService.exe, or SolarWinds.BusinessLayerHost.exe, is used to execute malicious code.
  3. The compromised SolarWinds process spawns a child process, cmd.exe or powershell.exe, to execute commands.
  4. The cmd.exe or powershell.exe process executes commands to perform reconnaissance, such as gathering system information.
  5. The attacker uses the command interpreter to download and execute additional malicious payloads or tools.
  6. The attacker establishes persistence by creating scheduled tasks or modifying registry keys via the command interpreter.
  7. The attacker performs lateral movement by using the command interpreter to access other systems on the network.
  8. The attacker exfiltrates sensitive data from the compromised systems.

Impact

A successful attack can result in widespread system compromise, data theft, and disruption of services. Organizations that use SolarWinds Orion software are particularly at risk. The original SUNBURST campaign impacted thousands of organizations globally, including government agencies and Fortune 500 companies. The consequences include significant financial losses, reputational damage, and potential legal liabilities.

Recommendation

  • Enable process creation logging with command line details to allow detection of malicious command execution (Sysmon, Windows Security Logs).
  • Deploy the Sigma rules in this brief to your SIEM to detect suspicious SolarWinds child processes.
  • Investigate any alerts generated by the Sigma rules, focusing on the specific SolarWinds parent process and the command-line arguments of the child process.
  • Implement application whitelisting to prevent unauthorized execution of command-line interpreters from SolarWinds processes.
  • Monitor network connections originating from SolarWinds processes for suspicious activity (network_connection log source).
  • Review and harden the security configuration of SolarWinds Orion software, following vendor best practices and security advisories.

Detection coverage 2

Suspicious SolarWinds Child Process - cmd.exe

medium

Detects cmd.exe spawned by SolarWinds processes associated with SUNBURST.

sigma tactics: execution techniques: T1059.003, T1195.002 sources: process_creation, windows

Suspicious SolarWinds Child Process - powershell.exe

medium

Detects powershell.exe spawned by SolarWinds processes associated with SUNBURST.

sigma tactics: execution techniques: T1059.001, T1195.002 sources: process_creation, windows

Detection queries are available on the platform. Get full rules →