Uptycs Blog | Cloud Security Insights for Linux and Containers

Detecting the SolarWinds Supply Chain Attack Using Osquery & Uptycs

Written by Amit Malik | 12/17/20 3:25 PM

On December 13, FireEye shared details on the SolarWinds supply chain attack, dubbed SUNBURST. The next day, Volexity shared additional information on the lateral movement and exfiltration activities of the attackers.

 

The adversaries behind this attack are sophisticated and they demonstrated a high level of technical maturity throughout the attack progression. Based on the FireEye and Volexity reports, it’s clear the attackers choose to be stealthy, using legitimate tools to carry out attacks, waiting up to two weeks to contact the command and control server, and remaining dormant if specific detection tools are present.

 

This is not the first attack on the supply chains of popular software companies. In 2017, Kaspersky reported that ShadowPad APT targeted the NetSarang supply chain and in 2019 Kaspersky noted that ShadowHammer went after the Asus supply chain. Accounting for supply chain attacks is not a simple task for software vendors. Supply chain defense at the vendor level requires more controls in DevOps processes and will likely involve accelerated industry adoption of the Zero Trust model.

 

Supply chain attacks are difficult to spot during initial stages because they come from software that’s already trusted by organizations and customers. Despite the challenges supply chain attacks present, I believe they can be detected. It may be difficult to detect the attack at the initial stage, but opportunities for detection emerge as the attack progresses.

 

The FireEye and Volexity blog posts note the attackers in the SolarWinds case used a customized Cobalt Strike Beacon and PowerShell to carry out lateral movement and exfiltration activity. Uptycs’ EDR functionality provides comprehensive detection and visibility for both in-memory and PowerShell related activities. In addition, Uptycs customers already have the following EDR features that can help detect SolarWinds malicious activity as well as similar sophisticated attacks.

 

YARA memory scan: Uptycs provides the ability to scan process memory automatically or on-demand for the entire fleet based on YARA rules in real time.

 

PowerShell visibility: Uptycs has nearly 100 behavior rules for PowerShell activity that check for suspicious parent/child process relationships, file drops, network connections, and command line options. All of the PowerShell activity is stored in the powershell_events table to provide in-depth visibility inside PowerShell script/code.

Lateral movement correlation: Uptycs’ correlation engine can detect and correlate as the attack progresses across systems. For example, Uptycs’ EDR functionality can detect and correlate the following activity used by SolarWinds attackers:

C:\Windows\system32\cmd.exe /C schtasks /create /F /tn “\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager” /tr “C:\Windows\SoftwareDistribution\EventCacheManager.exe” /sc ONSTART /ru system /S [machine_name]

File integrity monitoring (FIM): Uptycs provides configurable FIM settings. By default, sensitive locations like the SysWOW64, System32, and Windows directories are configured with detection rules. If any change happens in these directories it will be reported as an alert based on the alert configuration.

 

Logon events: Uptycs’ EDR functionality captures logon events in the logon_events table. It records both the source system IP address and user. Coupled with other alerts, this information provides details on compromised accounts.

Threat intelligence: Uptycs comes with native threat intelligence integration to provide detection for known IOCs. We have added relevant IOCs related to this attack in our blocklist.

 

Historical data store: Attackers often clear their activity. According to the FireEye and Volexity blog posts, that was the case in the SolarWinds attack. If real-time detection fails to identify the attack, it can be difficult to investigate the incident after the fact. Uptycs' EDR capabilities address this issue by storing system activity for several months, allowing for historical data to be queried at any point.

 

Final thoughts

Credit must be given to FireEye and SolarWinds for addressing this urgent situation with transparency and depth. By quickly surfacing important information, they’ve helped defenders identify, scope, and respond to a significant threat.

 

Schedule a demo to see how the rich telemetry, detection, and correlation in Uptycs can help your organization respond to sophisticated attacks.

 

Hunting Queries

AdFind cmdlines:

select * from process_events where (cmdline like '%name=%' or cmdline like '%objectcategory=%') and (cmdline like '%Domain Admins%' or cmdline like '%Organization Management%') and ancestor_list like '%cmd.exe%'

PowerShell remote task creation:

select * from powershell_events where script_text like '%Schedule.Service%' and script_text like '%.RegisterTaskDefinition%'
select * from process_events where cmdline like '%Schedule.Service%' and cmdline like '%.RegisterTaskDefinition%' and exe_name = 'powershell.exe'

Schtasks remote task creation:

select * from process_events where exe_name = 'schtasks.exe' and cmdline like '%/create%' and cmdline like '%ONSTART%' and cmdline like '%/S%'

Rundll32 use for malicious dll execution:

select * from process_events where exe_name = 'rundll32.exe' and ancestor_list like '%powershell.exe%'

C2 DNS loookup:

select * from dns_lookup_events where question like '%.avsvmcloud%'

SolarWinds process spawning cmd.exe or powershell.exe:

select * from process_events where (exe_name = 'cmd.exe' or exe_name = 'powershell.exe') and ancestor_list like '%SolarWinds.BusinessLayerHost.exe%'

To find systems with SolarWinds Orion software in your organization:

select * from programs where publisher like '%solarwinds%' and name like '%orion%'

 

EDR detection rules:

The following EDR rules are already available to customers to detect malicious activity generically.

  1. PowerShell obfuscated base64 data - T1027 - Obfuscated Files or Information - Windows
  2. Schtasks.exe launched to create new scheduled task on remote machine - T1053.005 - Scheduled Task - Windows
  3. PowerShell execution with schedule task/service commands detected - T1053.005 - Scheduled Task - Windows
  4. Rundll32.exe execution detected - T1218.011 - Rundll32 - Windows
  5. Likely remote system process dropped portable executable file - T1570 - Lateral Movement - Windows
  6. PowerShell or its child process dropped archive file - T1560 - Execution - Windows
  7. Process dropped portable executable file - TA0002 - Execution - Windows (score 0)
  8. Process dropped archive file - T1560 - Archive Collected Data - Windows (score 0)
  9. PowerShell or its child process dropped portable executable file - TA0002 - Execution - Windows
  10. PowerShell made network connection - T1071 - Application Layer Protocol - Windows
  11. PowerShell/cmd child process made network connection to access local network resources - T1570 - Lateral Tool Transfer - Windows