Skip to main content

SolarStorm and SUNBURST Hunting and Response Playbook

This Playbook is part of the Rapid Breach Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook does the following:

  • Collect indicators to aid in your threat hunting process.
    • Retrieve IOCs of SUNBURST (a trojanized version of the SolarWinds Orion plugin).
    • Retrieve C2 domains and URLs associated with Sunburst.
    • Discover IOCs of associated activity related to the infection.
    • Generate an indicator list to block indicators with SUNBURST tags.
  • Hunt for the SUNBURST backdoor
    • Query firewall logs to detect network activity.
    • Search endpoint logs for Sunburst hashes to detect presence on hosts. If compromised hosts are found:
  • Notify security team to review and trigger remediation response actions.
  • Run sub-playbooks to isolate/quarantine infected hosts/endpoints and await further actions from the security team.

Sources: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/ https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Panorama search thread-ids in threat logs
  • CVE Enrichment - Generic v2
  • SolarStorm Activity Behavior Hunting playbook
  • Palo Alto Networks - Hunting And Threat Detection
  • Search Endpoint by CVE - Generic
  • Office 365 and Azure Configuration Analysis
  • Isolate Endpoint - Generic V2
  • Block IP - Generic v3
  • Block Indicators - Generic v2
  • Search Endpoints By Hash - Generic V2
  • Office 365 and Azure Hunting
  • Panorama search SolarWinds App-IDs traffic logs

Integrations#

This playbook does not use any integrations.

Scripts#

  • http
  • CreateIndicatorsFromSTIX
  • UnEscapeURLs
  • UnEscapeIPs
  • FileCreateAndUpload
  • SearchIncidentsV2

Commands#

  • appendIndicatorField
  • closeInvestigation
  • extractIndicators
  • expanse-get-issues
  • createNewIndicator

Playbook Inputs#


NameDescriptionDefault ValueRequired
IsolateEndpointAutomaticallyWhether to automatically isolate endpoints, or opt for manual user approval. True means isolation will be done automatically.FalseOptional
BlockIndicatorsAutomaticallyWhether to automatically indicators involved with SolarStorm.FalseOptional
CVEsCVEs related to SUNBURST and SolarStorm.CVE-2020-14005,CVE-2020-13169Optional
SunBurstSTIXHard-coded STIX file of SUNBURST and SolarStorm indicators.{"id":"bundle--60aab587-660c-4b58-89d0-efcf9cbdf8dd","type":"bundle","spec_version":"2.0","objects":[{"created":"2020-12-17T16:50:49.000Z","id":"indicator--180de847-a4c8-4e76-b719-138ac9c9b58e","labels":["file sha-256"],"modified":"2020-12-17T16:50:49.000Z","pattern":"[file:hashes.sha256 = '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.12709Z"},{"created":"2020-12-17T16:51:42.000Z","id":"indicator--8d217031-22f6-4d86-bd42-0519032d93bc","labels":["file sha-256"],"modified":"2020-12-17T16:51:42.000Z","pattern":"[file:hashes.sha256 = '439bcd0a17d53837bc29fb51c0abd9d52a747227f97133f8ad794d9cc0ef191e']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.144865Z"},{"created":"2020-12-17T16:58:27.000Z","id":"indicator--ff3c830a-dbe2-45ec-bfbc-dd357ae040fc","labels":["domain"],"modified":"2020-12-17T16:58:27.000Z","pattern":"[domain-name:value = 'thedoccloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.146129Z"},{"created":"2020-12-17T16:52:06.000Z","id":"indicator--514f2faf-9572-44e3-8f67-ea782206335f","labels":["file sha-256"],"modified":"2020-12-17T16:52:06.000Z","pattern":"[file:hashes.sha256 = 'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.149043Z"},{"created":"2020-12-17T16:50:28.000Z","id":"indicator--2e3e39c2-757d-496f-82b1-a715e44fb682","labels":["file sha-256"],"modified":"2020-12-17T16:50:28.000Z","pattern":"[file:hashes.sha256 = 'abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.150253Z"},{"created":"2020-12-17T16:59:49.000Z","id":"indicator--a444b6e0-da14-4a6e-8024-15cda0061a6e","labels":["domain"],"modified":"2020-12-17T16:59:49.000Z","pattern":"[domain-name:value = 'databasegalore.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.151314Z"},{"created":"2020-12-17T16:54:00.000Z","id":"indicator--1fbf05cb-270c-4c0b-aac1-1ae960fb166a","labels":["file sha-256"],"modified":"2020-12-17T16:54:00.000Z","pattern":"[file:hashes.sha256 = 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.152749Z"},{"created":"2020-12-17T16:51:14.000Z","id":"indicator--18561b05-1cbe-42ab-b4ae-b315e8709c02","labels":["file sha-256"],"modified":"2020-12-17T16:51:14.000Z","pattern":"[file:hashes.sha256 = 'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.15395Z"},{"created":"2020-12-17T16:49:45.000Z","id":"indicator--85ebd471-202b-4086-93fb-e075f70f506d","labels":["file sha-256"],"modified":"2020-12-17T16:49:45.000Z","pattern":"[file:hashes.sha256 = '53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.155011Z"},{"created":"2020-12-17T16:52:27.000Z","id":"indicator--57f6e856-0188-4ab8-b563-f3633ec093fb","labels":["file sha-256"],"modified":"2020-12-17T16:52:27.000Z","pattern":"[file:hashes.sha256 = 'd3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.156195Z"},{"created":"2020-12-17T16:57:26.000Z","id":"indicator--bf705330-2adb-4dfa-a844-d5d1176a0ad0","labels":["url"],"modified":"2020-12-17T16:57:26.000Z","pattern":"[url:value = 'mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.157272Z"},{"created":"2020-12-17T16:57:06.000Z","id":"indicator--2c1cfda2-2481-498f-8123-47ac1276f799","labels":["url"],"modified":"2020-12-17T16:57:06.000Z","pattern":"[url:value = 'k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.159475Z"},{"created":"2020-12-17T16:59:33.000Z","id":"indicator--a64f9a04-d494-40ee-bb54-9b9406b76372","labels":["domain"],"modified":"2020-12-17T16:59:33.000Z","pattern":"[domain-name:value = 'incomeupdate.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.160553Z"},{"created":"2020-12-17T16:52:52.000Z","id":"indicator--8683f37c-2ea9-4253-b8c5-e138ddff40c3","labels":["file sha-256"],"modified":"2020-12-17T16:52:52.000Z","pattern":"[file:hashes.sha256 = '292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.161572Z"},{"created":"2020-12-17T16:46:31.000Z","id":"indicator--cc6f08e1-3475-43bc-ab4e-e5818e5b37b2","labels":["file sha-256"],"modified":"2020-12-17T16:46:31.000Z","pattern":"[file:hashes.sha256 = '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.162783Z"},{"created":"2020-12-17T16:47:35.000Z","id":"indicator--9ca400a7-257b-4cf3-91a8-b2c9a565266b","labels":["file sha-256"],"modified":"2020-12-17T16:47:35.000Z","pattern":"[file:hashes.sha256 = 'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.163984Z"},{"created":"2020-12-17T17:00:14.000Z","id":"indicator--ea44dc42-e516-4307-9225-21ccb22a7cc2","labels":["domain"],"modified":"2020-12-17T17:00:14.000Z","pattern":"[domain-name:value = 'panhardware.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.165095Z"},{"created":"2020-12-17T16:56:41.000Z","id":"indicator--45f9a437-c4ee-4a24-9ffa-35a1202d62d5","labels":["url"],"modified":"2020-12-17T16:56:41.000Z","pattern":"[url:value = 'ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.166111Z"},{"created":"2020-12-17T16:55:40.000Z","id":"indicator--242b1ad9-6309-4752-bad4-abf73f641297","labels":["url"],"modified":"2020-12-17T16:55:40.000Z","pattern":"[url:value = '7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.167169Z"},{"created":"2020-12-17T16:55:18.000Z","id":"indicator--b96ee095-a7d4-40a8-a4b4-9e7c080f5a44","labels":["url"],"modified":"2020-12-17T16:55:18.000Z","pattern":"[url:value = '6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.168384Z"},{"created":"2020-12-17T16:59:14.000Z","id":"indicator--e03d0075-7880-43cd-86b1-18325470be45","labels":["domain"],"modified":"2020-12-17T16:59:14.000Z","pattern":"[domain-name:value = 'highdatabase.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.169586Z"},{"created":"2020-12-17T16:58:56.000Z","id":"indicator--8942bb33-e898-4a10-bfb3-64530bd973ab","labels":["domain"],"modified":"2020-12-17T16:58:56.000Z","pattern":"[domain-name:value = 'websitetheme.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.170584Z"},{"created":"2020-12-17T16:56:08.000Z","id":"indicator--2be41276-00d3-4438-bbf0-4fcc56dc3076","labels":["url"],"modified":"2020-12-17T16:56:08.000Z","pattern":"[url:value = 'gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.171575Z"},{"created":"2020-12-17T16:58:10.000Z","id":"indicator--8cd838ae-6330-4fbf-b5b4-07b77d46438d","labels":["domain"],"modified":"2020-12-17T16:58:10.000Z","pattern":"[domain-name:value = 'freescanonline.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.172676Z"},{"created":"2020-12-17T16:57:52.000Z","id":"indicator--646c5771-6904-4176-813f-a2ca357f0e42","labels":["domain"],"modified":"2020-12-17T16:57:52.000Z","pattern":"[domain-name:value = 'deftsecurity.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.173695Z"},{"created":"2020-12-17T16:47:15.000Z","id":"indicator--4069cf11-f617-40f2-8f7f-534e225aa33b","labels":["file sha-256"],"modified":"2020-12-17T16:47:15.000Z","pattern":"[file:hashes.sha256 = 'efbec6863f4330dbb702cc43a85a0a7c29d79fde0f7d66eac9a3be43493cab4f']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.174561Z"},{"created":"2020-12-17T17:00:41.000Z","id":"indicator--026307f7-449c-4858-a112-fc4b73c31593","labels":["domain"],"modified":"2020-12-17T17:00:41.000Z","pattern":"[domain-name:value = 'zupertech.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.175745Z"}]}Optional
KnownRelatedIOCsAdd your own custom SUNBURST and SolarStorm IOCs to hunt.
Optional
LogForwardingPAN-OS Log Forwarding Profile NameOptional
AutoCommitThis input establishes whether to commit the configuration automatically in PAN-OS.
Yes - Commit automatically.
No - Commit manually.
NoOptional
AutoBlockSolarWindsServerThis input establishes whether to block the SolarWinds server automatically in PAN-OS.
True - Commit automatically.
False - Commit manually.
FalseOptional
DeviceGroupTarget Device Group (Panorama only)Optional
O365_AdminRolesListComma-separated list of Service O365 admin roles.Optional
Mialboxes_Retrieve_LimitThe maximum number of results to retrieve. Default is 10.10Optional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


SolarStorm and SUNBURST Hunting and Response Playbook