{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/solarwinds/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","Windows Defender Advanced Threat Protection","SupportAssistAgent","Obkio Agent","SolarWinds Agent","SecuraAgent"],"_cs_severities":["low"],"_cs_tags":["discovery","privilege-escalation","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Dell","Obkio","SolarWinds","Infraon Corp"],"content_html":"\u003cp\u003eThis detection rule identifies instances where the SYSTEM account is used to execute account discovery utilities, such as \u003ccode\u003ewhoami.exe\u003c/code\u003e and \u003ccode\u003enet1.exe\u003c/code\u003e. This behavior is commonly observed after an attacker has successfully achieved privilege escalation within a Windows environment, or after exploiting a web application. The rule is designed to detect post-exploitation discovery activity where an adversary attempts to gain situational awareness by enumerating accounts and system information using the elevated SYSTEM context. The rule leverages data from Elastic Defend and Sysmon Event ID 1 to identify these behaviors, helping defenders spot potential privilege escalation and lateral movement attempts. The original rule was created 2020/03/18 and updated 2026/05/04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system, potentially through exploiting a vulnerability in a web application or through phishing.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to the SYSTEM account, possibly by exploiting a local privilege escalation vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e via the SYSTEM account to enumerate user accounts and gather system information.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ewhoami.exe\u003c/code\u003e or \u003ccode\u003enet1.exe\u003c/code\u003e process is spawned by a parent process such as a web server process (e.g., w3wp.exe) or a service process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the discovered account information to plan further actions, such as lateral movement or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker may use \u003ccode\u003enet1.exe\u003c/code\u003e to query domain information.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the gained information to identify valuable targets within the network.\u003c/li\u003e\n\u003cli\u003eThe final objective is often data exfiltration, deployment of ransomware, or further compromise of the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive data, lateral movement within the network, and potential data exfiltration or ransomware deployment. Although this rule has low severity, the execution of discovery commands by the SYSTEM account can be a critical indicator of compromise. Early detection of such activity can prevent more severe damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to detect account discovery commands executed via the SYSTEM account and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) to ensure the necessary data is available for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules, focusing on the process execution chain to identify the source of the SYSTEM account usage.\u003c/li\u003e\n\u003cli\u003eIf the process tree includes a web-application server process, investigate suspicious file creation or modification to assess for webshell backdoors.\u003c/li\u003e\n\u003cli\u003eReview and harden web application security to prevent initial access and privilege escalation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T14:00:00Z","date_published":"2024-01-09T14:00:00Z","id":"/briefs/2024-01-09-system-account-discovery/","summary":"The rule identifies when the SYSTEM account uses an account discovery utility, potentially indicating discovery activity after privilege escalation, focusing on utilities like whoami.exe and net1.exe executed under the SYSTEM account.","title":"Account Discovery Command via SYSTEM Account","url":"https://feed.craftedsignal.io/briefs/2024-01-09-system-account-discovery/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SolarWinds.BusinessLayerHost.exe","SolarWinds.BusinessLayerHostx64.exe","SentinelOne Cloud Funnel"],"_cs_severities":["medium"],"_cs_tags":["supply-chain","execution","solarwinds"],"_cs_type":"advisory","_cs_vendors":["Elastic","SolarWinds","SentinelOne"],"content_html":"\u003cp\u003eThis detection rule identifies suspicious child processes initiated by SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe, excluding known legitimate operations. Adversaries may exploit the trusted SolarWinds processes to execute unauthorized programs with elevated privileges, bypassing security controls. The rule focuses on Windows systems and is designed to detect activity indicative of post-compromise actions following a supply chain attack. This detection is crucial for organizations that utilize SolarWinds software, as malicious actors could leverage compromised SolarWinds installations to gain unauthorized access and execute arbitrary code within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds software supply chain (T1195.002).\u003c/li\u003e\n\u003cli\u003eMalicious code is injected into SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eThe compromised SolarWinds process spawns a suspicious child process.\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or binary, attempting to evade detection.\u003c/li\u003e\n\u003cli\u003eThe child process leverages Native APIs (T1106) to perform privileged actions.\u003c/li\u003e\n\u003cli\u003eLateral movement or data exfiltration may occur from the compromised host.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the execution of arbitrary code on systems running SolarWinds software. This can result in data theft, system compromise, and further propagation of the attack throughout the network. Organizations in various sectors utilizing SolarWinds products are potentially at risk. The impact may include loss of sensitive data, disruption of critical services, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - CommandLine\u003c/code\u003e to detect potentially malicious child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious SolarWinds Child Process - Executable\u003c/code\u003e to detect execution of unusual executables as child processes of SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line details on Windows systems to ensure the Sigma rules have sufficient data.\u003c/li\u003e\n\u003cli\u003eReview and tune the rules for false positives based on legitimate SolarWinds child processes in your environment, updating the exclusion lists in the rules accordingly, referencing the \u0026ldquo;false_positives\u0026rdquo; section in the rule description.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-child-process/","summary":"Detection of unusual child processes spawned by SolarWinds processes may indicate malicious program execution, potentially bypassing security controls.","title":"Suspicious SolarWinds Child Process Execution","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-child-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend"],"_cs_severities":["medium"],"_cs_tags":["solarwinds","defense-evasion","registry-modification","supply-chain"],"_cs_type":"advisory","_cs_vendors":["SolarWinds","Microsoft","SentinelOne","Crowdstrike","Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of SolarWinds processes attempting to disable services by modifying their registry start type. This activity is associated with defense evasion tactics, potentially linked to initial access via supply chain compromise, similar to the SUNBURST campaign. The behavior involves SolarWinds binaries, such as \u003ccode\u003eSolarWinds.BusinessLayerHost*.exe\u003c/code\u003e and \u003ccode\u003eNetFlowService*.exe\u003c/code\u003e, manipulating registry entries related to service start configurations. This technique can be used to impair or disable security tools and services, allowing attackers to operate more freely within a compromised environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the SolarWinds Orion platform, potentially through a supply chain attack.\u003c/li\u003e\n\u003cli\u003eDeployment of a malicious module or payload within the SolarWinds environment.\u003c/li\u003e\n\u003cli\u003eExecution of a SolarWinds process, such as \u003ccode\u003eSolarWinds.BusinessLayerHost*.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe SolarWinds process modifies the registry to change the start type of a service.\u003c/li\u003e\n\u003cli\u003eThe registry modification targets the \u003ccode\u003eHKLM\\SYSTEM\\ControlSet*\\Services\\*\\Start\u003c/code\u003e path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eStart\u003c/code\u003e value is set to \u0026ldquo;4\u0026rdquo; or \u0026ldquo;0x00000004\u0026rdquo;, which disables the targeted service.\u003c/li\u003e\n\u003cli\u003eDisabling critical security services allows the attacker to evade detection and further compromise the system.\u003c/li\u003e\n\u003cli\u003eAttacker achieves persistence and performs lateral movement, exfiltrating data or deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to the disabling of critical security services, such as antivirus, endpoint detection and response (EDR) agents, or other monitoring tools. This can significantly reduce the visibility of malicious activity within the network, potentially leading to data breaches, ransomware deployment, or other severe security incidents. The SolarWinds supply chain compromise affected numerous organizations globally, underscoring the potential impact of this type of attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSolarWinds Process Disabling Services via Registry\u003c/code\u003e to your SIEM to detect registry modifications by SolarWinds processes aimed at disabling services.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon registry event logging to provide the necessary data for the Sigma rule to function effectively.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls for SolarWinds processes to restrict their ability to modify critical system settings.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the affected service and the timeline of events surrounding the registry modification.\u003c/li\u003e\n\u003cli\u003eUtilize threat intelligence platforms to stay informed about known SolarWinds-related attack patterns and indicators of compromise (IOCs).\u003c/li\u003e\n\u003cli\u003eMonitor endpoints for unusual behavior by SolarWinds processes, including network connections, file modifications, and process creations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-solarwinds-service-disable/","summary":"A SolarWinds binary is modifying the start type of a service to be disabled via registry modification, potentially to disable or impair security services.","title":"SolarWinds Process Disabling Services via Registry Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-solarwinds-service-disable/"}],"language":"en","title":"CraftedSignal Threat Feed — SolarWinds","version":"https://jsonfeed.org/version/1.1"}