{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/solarwinds.businesslayerhost.exe/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["supply-chain","execution","solarwinds"],"_cs_type":"advisory","_cs_vendors":["Elastic","SolarWinds","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious child processes spawned by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate child processes. These binaries run as trusted SolarWinds components and are rarely expected to launch command interpreters or unrelated executables, so an adversary who gains control of them can run unauthorized programs with the privileges of that process while blending into activity that security controls already trust. The rule applies to Windows systems and is designed to detect post-compromise activity following a supply chain attack. It matters for every organization that runs SolarWinds software, because a compromised installation gives an attacker arbitrary code execution on a monitoring host that usually has broad reach into the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds software supply chain (T1195.002).\u003c/li\u003e\n\u003cli\u003eMalicious code ships inside a trojanized SolarWinds component that is loaded and run by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eThe compromised SolarWinds process spawns a child process that is not part of its normal operation, such as a command interpreter or an executable from an unusual path.\u003c/li\u003e\n\u003cli\u003eThe child process runs the attacker-supplied command or binary, typically in a form chosen to evade detection.\u003c/li\u003e\n\u003cli\u003eThe child process uses Native APIs (T1106) to perform privileged actions.\u003c/li\u003e\n\u003cli\u003eLateral movement or data exfiltration may follow from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack yields arbitrary code execution on systems running SolarWinds software, which can lead to data theft, full host compromise, and further spread of the attack through the network. Organizations in any sector that use SolarWinds products are potentially exposed. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - CommandLine\u003c/code\u003e to flag suspicious command lines run by child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - Executable\u003c/code\u003e to flag unusual executables started as child processes of the same two binaries.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging that records the parent process and the full command line (Windows Security event 4688 with command-line auditing enabled, or Sysmon event ID 1); without the parent image and command line the rules have nothing to match on.\u003c/li\u003e\n\u003cli\u003eBaseline the legitimate child processes of these binaries in your environment and tune the filter conditions of both rules accordingly, starting from the known benign cases listed in each rule's \u003ccode\u003efalsepositives\u003c/code\u003e field.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-child-process/","summary":"Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.","title":"Suspicious SolarWinds Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — SolarWinds.BusinessLayerHost.exe","version":"https://jsonfeed.org/version/1.1"}
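The parent/child matching and exclusion logic the brief describes, prototyped over Sysmon-style process-creation events. This is an added example written for this page, not CraftedSignal's, Elastic's or the Sigma project's code, and it does not reproduce the actual Sigma rules: the exclusion list, the interpreter list and the split between the "Executable" and "CommandLine" checks are assumptions to be replaced with the filter conditions of the deployed rules, and the JSON event lines are constructed sample data.

```python
"""Prototype of the 'suspicious SolarWinds child process' detection logic
over Sysmon EventID 1 (process creation) records in newline-delimited JSON.
Added example for illustration; the sample events below are constructed."""
import json
import ntpath

# Parent images the detection keys on (named in the brief).
SOLARWINDS_PARENTS = {
    "solarwinds.businesslayerhost.exe",
    "solarwinds.businesslayerhostx64.exe",
}

# ASSUMPTION: starter exclusion list. The brief does not enumerate the benign
# children; replace this with what baselining shows in your own environment.
BENIGN_CHILDREN = {"conhost.exe", "werfault.exe"}

# ASSUMPTION: interpreters and LOLBins whose launch by a SolarWinds service
# process is surfaced by the command-line variant of the check.
INTERPRETERS = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

RULE_EXECUTABLE = "Suspicious SolarWinds Child Process - Executable"
RULE_COMMANDLINE = "Suspicious SolarWinds Child Process - CommandLine"


def _basename(path: str) -> str:
    # ntpath splits on backslashes regardless of the host OS running this script.
    return ntpath.basename(path).lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of the checks one event trips (empty list if none)."""
    if event.get("EventID") != 1:  # only process-creation events carry a parent
        return []
    if _basename(event.get("ParentImage", "")) not in SOLARWINDS_PARENTS:
        return []
    child = _basename(event.get("Image", ""))
    if child in BENIGN_CHILDREN:  # known legitimate operation, filtered out
        return []
    hits = [RULE_EXECUTABLE]  # any other child of the trusted process is unusual
    if child in INTERPRETERS:  # interpreter launched: the command line is the evidence
        hits.append(RULE_COMMANDLINE)
    return hits


def scan(jsonl: str) -> tuple[list[dict], int]:
    """Run evaluate() over NDJSON; returns (findings, number of unparseable lines)."""
    findings, skipped = [], 0
    for lineno, raw in enumerate(jsonl.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1  # malformed telemetry is counted, not allowed to abort the scan
            continue
        for rule in evaluate(event):
            findings.append({
                "line": lineno,
                "rule": rule,
                "host": event.get("Computer", "?"),
                "parent": event.get("ParentImage"),
                "image": event.get("Image"),
                "command_line": event.get("CommandLine"),
            })
    return findings, skipped


# Constructed sample telemetry (not real logs). Expected: line 2 trips both
# checks, line 4 trips the executable check, everything else is ignored.
_SW = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"
_SW64 = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHostx64.exe"
SAMPLE_EVENTS = "\n".join([
    json.dumps({"EventID": 1, "Computer": "orion01", "ParentImage": _SW,
                "Image": r"C:\Windows\System32\conhost.exe",
                "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"}),
    json.dumps({"EventID": 1, "Computer": "orion01", "ParentImage": _SW64,
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": r"cmd.exe /c whoami /all > C:\Windows\Temp\w.txt"}),
    json.dumps({"EventID": 1, "Computer": "orion01", "ParentImage": r"C:\Windows\explorer.exe",
                "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"}),
    json.dumps({"EventID": 1, "Computer": "orion01", "ParentImage": _SW,
                "Image": r"C:\Users\Public\svchost.exe",
                "CommandLine": r"C:\Users\Public\svchost.exe"}),
    json.dumps({"EventID": 3, "Computer": "orion01", "ParentImage": _SW,
                "Image": r"C:\Windows\System32\cmd.exe"}),
    "this line is not JSON",
])

if __name__ == "__main__":
    found, bad = scan(SAMPLE_EVENTS)
    for f in found:
        print(f"line {f['line']}: {f['rule']} | {f['host']} | {f['image']} | {f['command_line']}")
    print(f"{len(found)} finding(s), {bad} unparseable line(s)")
```

The exclusion set is deliberately tiny: the point of the brief's last recommendation is that it grows from baselining, not from guesswork, and every entry added is a place where a trojanized parent could hide, so prefer full-path matches over bare basenames when your telemetry provides them.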