SolarStorm and SUNBURST Hunting and Response Playbook
This Playbook is part of the Rapid Breach Response Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.5.0 and later.
This playbook does the following:
- Collect indicators to aid in your threat hunting process.
- Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
- Retrieve C2 domains and URLs associated with Sunburst.
- Discover IOCs of associated activity related to the infection.
- Generate an indicator list to block indicators with SUNBURST tags.
- Hunt for the SUNBURST backdoor
- Query firewall logs to detect network activity.
- Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found:
- Notify security team to review and trigger remediation response actions.
- Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.
Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
Dependencies#
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks#
- Search Endpoints By Hash - Generic V2
- Panorama Query Logs
- Search Endpoint by CVE - Generic
- CVE Enrichment - Generic v2
- SolarStorm Activity Behavior Hunting playbook
- Palo Alto Networks - Hunting And Threat Detection
- Block Indicators - Generic v3
- Office 365 and Azure Hunting
- Isolate Endpoint - Generic V2
- Block IP - Generic v3
- Office 365 and Azure Configuration Analysis
Integrations#
This playbook does not use any integrations.
Scripts#
- UnEscapeIPs
- FileCreateAndUploadV2
- SearchIncidentsV2
- UnEscapeURLs
- http
- CreateIndicatorsFromSTIX
Commands#
- createNewIndicator
- extractIndicators
- closeInvestigation
- expanse-get-issues
- appendIndicatorField
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| IsolateEndpointAutomatically | Whether to automatically isolate endpoints, or opt for manual user approval. True means isolation will be done automatically. | False | Optional |
| BlockIndicatorsAutomatically | Whether to automatically indicators involved with SolarStorm. | False | Optional |
| CVEs | CVEs related to SUNBURST and SolarStorm. | CVE-2020-14005,CVE-2020-13169 | Optional |
| SunBurstSTIX | Hard-coded STIX file of SUNBURST and SolarStorm indicators. | {"id":"bundle--60aab587-660c-4b58-89d0-efcf9cbdf8dd","type":"bundle","spec_version":"2.0","objects":[{"created":"2020-12-17T16:50:49.000Z","id":"indicator--180de847-a4c8-4e76-b719-138ac9c9b58e","labels":["file sha-256"],"modified":"2020-12-17T16:50:49.000Z","pattern":"[file:hashes.sha256 = '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.12709Z"},{"created":"2020-12-17T16:51:42.000Z","id":"indicator--8d217031-22f6-4d86-bd42-0519032d93bc","labels":["file sha-256"],"modified":"2020-12-17T16:51:42.000Z","pattern":"[file:hashes.sha256 = '439bcd0a17d53837bc29fb51c0abd9d52a747227f97133f8ad794d9cc0ef191e']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.144865Z"},{"created":"2020-12-17T16:58:27.000Z","id":"indicator--ff3c830a-dbe2-45ec-bfbc-dd357ae040fc","labels":["domain"],"modified":"2020-12-17T16:58:27.000Z","pattern":"[domain-name:value = 'thedoccloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.146129Z"},{"created":"2020-12-17T16:52:06.000Z","id":"indicator--514f2faf-9572-44e3-8f67-ea782206335f","labels":["file sha-256"],"modified":"2020-12-17T16:52:06.000Z","pattern":"[file:hashes.sha256 = 'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.149043Z"},{"created":"2020-12-17T16:50:28.000Z","id":"indicator--2e3e39c2-757d-496f-82b1-a715e44fb682","labels":["file sha-256"],"modified":"2020-12-17T16:50:28.000Z","pattern":"[file:hashes.sha256 = 'abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.150253Z"},{"created":"2020-12-17T16:59:49.000Z","id":"indicator--a444b6e0-da14-4a6e-8024-15cda0061a6e","labels":["domain"],"modified":"2020-12-17T16:59:49.000Z","pattern":"[domain-name:value = 'databasegalore.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.151314Z"},{"created":"2020-12-17T16:54:00.000Z","id":"indicator--1fbf05cb-270c-4c0b-aac1-1ae960fb166a","labels":["file sha-256"],"modified":"2020-12-17T16:54:00.000Z","pattern":"[file:hashes.sha256 = 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.152749Z"},{"created":"2020-12-17T16:51:14.000Z","id":"indicator--18561b05-1cbe-42ab-b4ae-b315e8709c02","labels":["file sha-256"],"modified":"2020-12-17T16:51:14.000Z","pattern":"[file:hashes.sha256 = 'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.15395Z"},{"created":"2020-12-17T16:49:45.000Z","id":"indicator--85ebd471-202b-4086-93fb-e075f70f506d","labels":["file sha-256"],"modified":"2020-12-17T16:49:45.000Z","pattern":"[file:hashes.sha256 = '53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.155011Z"},{"created":"2020-12-17T16:52:27.000Z","id":"indicator--57f6e856-0188-4ab8-b563-f3633ec093fb","labels":["file sha-256"],"modified":"2020-12-17T16:52:27.000Z","pattern":"[file:hashes.sha256 = 'd3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.156195Z"},{"created":"2020-12-17T16:57:26.000Z","id":"indicator--bf705330-2adb-4dfa-a844-d5d1176a0ad0","labels":["url"],"modified":"2020-12-17T16:57:26.000Z","pattern":"[url:value = 'mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.157272Z"},{"created":"2020-12-17T16:57:06.000Z","id":"indicator--2c1cfda2-2481-498f-8123-47ac1276f799","labels":["url"],"modified":"2020-12-17T16:57:06.000Z","pattern":"[url:value = 'k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.159475Z"},{"created":"2020-12-17T16:59:33.000Z","id":"indicator--a64f9a04-d494-40ee-bb54-9b9406b76372","labels":["domain"],"modified":"2020-12-17T16:59:33.000Z","pattern":"[domain-name:value = 'incomeupdate.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.160553Z"},{"created":"2020-12-17T16:52:52.000Z","id":"indicator--8683f37c-2ea9-4253-b8c5-e138ddff40c3","labels":["file sha-256"],"modified":"2020-12-17T16:52:52.000Z","pattern":"[file:hashes.sha256 = '292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.161572Z"},{"created":"2020-12-17T16:46:31.000Z","id":"indicator--cc6f08e1-3475-43bc-ab4e-e5818e5b37b2","labels":["file sha-256"],"modified":"2020-12-17T16:46:31.000Z","pattern":"[file:hashes.sha256 = '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.162783Z"},{"created":"2020-12-17T16:47:35.000Z","id":"indicator--9ca400a7-257b-4cf3-91a8-b2c9a565266b","labels":["file sha-256"],"modified":"2020-12-17T16:47:35.000Z","pattern":"[file:hashes.sha256 = 'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.163984Z"},{"created":"2020-12-17T17:00:14.000Z","id":"indicator--ea44dc42-e516-4307-9225-21ccb22a7cc2","labels":["domain"],"modified":"2020-12-17T17:00:14.000Z","pattern":"[domain-name:value = 'panhardware.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.165095Z"},{"created":"2020-12-17T16:56:41.000Z","id":"indicator--45f9a437-c4ee-4a24-9ffa-35a1202d62d5","labels":["url"],"modified":"2020-12-17T16:56:41.000Z","pattern":"[url:value = 'ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.166111Z"},{"created":"2020-12-17T16:55:40.000Z","id":"indicator--242b1ad9-6309-4752-bad4-abf73f641297","labels":["url"],"modified":"2020-12-17T16:55:40.000Z","pattern":"[url:value = '7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.167169Z"},{"created":"2020-12-17T16:55:18.000Z","id":"indicator--b96ee095-a7d4-40a8-a4b4-9e7c080f5a44","labels":["url"],"modified":"2020-12-17T16:55:18.000Z","pattern":"[url:value = '6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.168384Z"},{"created":"2020-12-17T16:59:14.000Z","id":"indicator--e03d0075-7880-43cd-86b1-18325470be45","labels":["domain"],"modified":"2020-12-17T16:59:14.000Z","pattern":"[domain-name:value = 'highdatabase.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.169586Z"},{"created":"2020-12-17T16:58:56.000Z","id":"indicator--8942bb33-e898-4a10-bfb3-64530bd973ab","labels":["domain"],"modified":"2020-12-17T16:58:56.000Z","pattern":"[domain-name:value = 'websitetheme.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.170584Z"},{"created":"2020-12-17T16:56:08.000Z","id":"indicator--2be41276-00d3-4438-bbf0-4fcc56dc3076","labels":["url"],"modified":"2020-12-17T16:56:08.000Z","pattern":"[url:value = 'gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.171575Z"},{"created":"2020-12-17T16:58:10.000Z","id":"indicator--8cd838ae-6330-4fbf-b5b4-07b77d46438d","labels":["domain"],"modified":"2020-12-17T16:58:10.000Z","pattern":"[domain-name:value = 'freescanonline.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.172676Z"},{"created":"2020-12-17T16:57:52.000Z","id":"indicator--646c5771-6904-4176-813f-a2ca357f0e42","labels":["domain"],"modified":"2020-12-17T16:57:52.000Z","pattern":"[domain-name:value = 'deftsecurity.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.173695Z"},{"created":"2020-12-17T16:47:15.000Z","id":"indicator--4069cf11-f617-40f2-8f7f-534e225aa33b","labels":["file sha-256"],"modified":"2020-12-17T16:47:15.000Z","pattern":"[file:hashes.sha256 = 'efbec6863f4330dbb702cc43a85a0a7c29d79fde0f7d66eac9a3be43493cab4f']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.174561Z"},{"created":"2020-12-17T17:00:41.000Z","id":"indicator--026307f7-449c-4858-a112-fc4b73c31593","labels":["domain"],"modified":"2020-12-17T17:00:41.000Z","pattern":"[domain-name:value = 'zupertech.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.175745Z"}]} | Optional |
| KnownRelatedIOCs | Add your own custom SUNBURST and SolarStorm IOCs to hunt. | Optional | |
| LogForwarding | PAN-OS Log Forwarding Profile Name | Optional | |
| AutoCommit | This input establishes whether to commit the configuration automatically in PAN-OS. Yes - Commit automatically. No - Commit manually. | No | Optional |
| AutoBlockSolarWindsServer | This input establishes whether to block the SolarWinds server automatically in PAN-OS. True - Commit automatically. False - Commit manually. | False | Optional |
| DeviceGroup | Target Device Group (Panorama only) | Optional | |
| O365_AdminRolesList | Comma-separated list of Service O365 admin roles. | Optional | |
| Mialboxes_Retrieve_Limit | The maximum number of results to retrieve. Default is 10. | 10 | Optional |
| AutoBlockIndicators | The input setting indicates whether to Automatically Block Indicators related to the SolarStrom Attack Default: True | True | Optional |
| UserVerification | The input indicates whether the user should verify the indicators before continuing with the playbook Default: Fasle | False | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation. For example, a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). | lists.PrivateIPs | Optional |
| None | Generic group for outputs | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
