playbook-SolarStorm_and_SUNBURST_Hunting_and_Response_Playbook_6_5_README.md


This playbook does the following:

  • Collect indicators to aid in your threat hunting process.
    • Retrieve IOCs of SUNBURST (the backdoor delivered in a trojanized SolarWinds Orion plugin).
    • Retrieve the C2 domains and hostnames associated with SUNBURST.
    • Discover IOCs of associated activity related to the infection.
    • Generate an indicator list to block indicators with SUNBURST tags.
  • Hunt for the SUNBURST backdoor.
    • Query firewall logs for network activity to the C2 infrastructure.
    • Search endpoint logs for the SUNBURST file hashes to detect its presence on hosts.
  • If compromised hosts are found:
    • Notify the security team to review and trigger remediation response actions.
    • Run sub-playbooks to isolate/quarantine the infected hosts/endpoints and await further actions from the security team.
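As an added illustration of the collect-and-hunt steps above (example code written for this page, not part of the playbook or of the Cortex XSOAR scripts it lists), the Python below parses a STIX 2.0 bundle in the same shape as the SunBurstSTIX input into typed indicator sets and runs them over a few constructed firewall DNS and endpoint log lines. The bundle excerpt reuses three indicators from this page; the log lines, the key=value field names (dns=, sha256=) and the parent-domain list are constructed for the example. Two details the raw input values do not handle on their own are built in: indicator values are stripped and lowercased before comparison, and DNS queries are matched against the parent domain avsvmcloud.com as well as the exact hostnames, because the FireEye write-up cited under Sources describes SUNBURST resolving a per-victim DGA subdomain under that domain.

```python
"""Added example for this page (not the playbook's own code): parse a STIX 2.0
indicator bundle shaped like the SunBurstSTIX input, then hunt with it over
constructed firewall DNS and endpoint hash log lines."""
import json
import re
from collections import defaultdict

# Constructed bundle excerpt: three indicators copied from the page, in the
# same JSON shape as the SunBurstSTIX input. The trailing " \t" on the url
# value is reproduced on purpose; the page's bundle carries it on three entries.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0", "id": "bundle--example",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "labels": ["file sha-256"],
         "pattern": "[file:hashes.sha256 = '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77']"},
        {"type": "indicator", "id": "indicator--2", "labels": ["domain"],
         "pattern": "[domain-name:value = 'deftsecurity.com']"},
        {"type": "indicator", "id": "indicator--3", "labels": ["url"],
         "pattern": "[url:value = '6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com \t']"},
    ],
})

# Parent domains whose every subdomain is suspicious (assumed list for this
# example): SUNBURST's first-stage C2 used DGA-generated subdomains of
# avsvmcloud.com, so exact hostname matches alone would miss other victims.
DGA_PARENT_DOMAINS = {"avsvmcloud.com"}

# Matches simple STIX comparison patterns: [<object>:<path> = '<value>']
PATTERN_RE = re.compile(r"\[\s*([\w-]+):([\w.]+)\s*=\s*'([^']*)'\s*\]")


def parse_bundle(bundle_json):
    """Return {"sha256": set, "domain": set, "hostname": set} from a STIX bundle.

    Values are stripped and lowercased so stray whitespace or letter case in
    the feed cannot silently defeat exact matching later."""
    iocs = defaultdict(set)
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if not match:
            continue
        otype, path, value = match.groups()
        value = value.strip().lower()
        if otype == "file" and path == "hashes.sha256":
            iocs["sha256"].add(value)
        elif otype == "domain-name":
            iocs["domain"].add(value)
        elif otype == "url":
            # The playbook labels bare C2 hostnames as urls; keep the host part.
            host = re.sub(r"^[a-z]+://", "", value).split("/")[0]
            iocs["hostname"].add(host)
    return iocs


def hunt(iocs, firewall_logs, endpoint_logs):
    """Return (log line, reason) pairs for every line that hits an indicator."""
    hits = []
    suspicious_domains = iocs["domain"] | DGA_PARENT_DOMAINS
    for line in firewall_logs:
        match = re.search(r"\bdns=(\S+)", line)
        if not match:
            continue
        name = match.group(1).lower().rstrip(".")
        parent = next((d for d in suspicious_domains
                       if name == d or name.endswith("." + d)), None)
        if parent:
            hits.append((line, "domain match: " + parent))
        elif name in iocs["hostname"]:
            hits.append((line, "C2 hostname match: " + name))
    for line in endpoint_logs:
        match = re.search(r"\bsha256=([0-9A-Fa-f]{64})\b", line)
        if match and match.group(1).lower() in iocs["sha256"]:
            hits.append((line, "SUNBURST SHA-256 match"))
    return hits


# Constructed log lines in a generic key=value form (field names are not
# taken from any specific PAN-OS or EDR schema).
FIREWALL_LOGS = [
    "2020-12-14T10:00:01Z src=10.1.2.3 dns=K5KCUBUASSL3ALRF7GM3.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-12-14T10:00:05Z src=10.1.2.4 dns=www.deftsecurity.com",
    "2020-12-14T10:00:09Z src=10.1.2.5 dns=update.example.com",
]
ENDPOINT_LOGS = [
    "host=ORION01 sha256=32519B85C0B422E4656DE6E6C41878E95FD95026267DAAB4215EE59C107D6C77",
    "host=WKS07 sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for line, reason in hunt(parse_bundle(SAMPLE_BUNDLE), FIREWALL_LOGS, ENDPOINT_LOGS):
        print(reason, "<-", line)
```

The first firewall line is a DGA hostname that is not in the sample bundle at all; it is caught only through the parent-domain check, which is the point of keeping that check separate from exact hostname matching. Upper-case hashes and hostnames in the logs match because both sides are normalised.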

Sources:

  • https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  • https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/
  • https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Search Endpoints By Hash - Generic V2
  • Panorama Query Logs
  • Search Endpoint by CVE - Generic
  • CVE Enrichment - Generic v2
  • SolarStorm Activity Behavior Hunting playbook
  • Palo Alto Networks - Hunting And Threat Detection
  • Block Indicators - Generic v3
  • Office 365 and Azure Hunting
  • Isolate Endpoint - Generic V2
  • Block IP - Generic v3
  • Office 365 and Azure Configuration Analysis

Integrations

This playbook does not call any integration directly. The firewall, endpoint and Office 365/Azure lookups are made by the sub-playbooks listed above, and the expanse-get-issues command listed below needs its integration enabled on the instance that runs the playbook.

Scripts

  • UnEscapeIPs
  • FileCreateAndUploadV2
  • SearchIncidentsV2
  • UnEscapeURLs
  • http
  • CreateIndicatorsFromSTIX

Commands

  • createNewIndicator
  • extractIndicators
  • closeInvestigation
  • expanse-get-issues
  • appendIndicatorField

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| IsolateEndpointAutomatically | Whether to isolate compromised endpoints automatically or wait for manual analyst approval. True means isolation is done automatically. | False | Optional |
| BlockIndicatorsAutomatically | Whether to automatically block the indicators involved with SolarStorm. | False | Optional |
| CVEs | CVEs related to SUNBURST and SolarStorm. The defaults are SolarWinds Orion vulnerabilities, used to locate Orion hosts through the Search Endpoint by CVE sub-playbook. | CVE-2020-14005,CVE-2020-13169 | Optional |
| SunBurstSTIX | Hard-coded STIX 2.0 bundle of SUNBURST and SolarStorm indicators (SHA-256 file hashes, C2 domains and avsvmcloud.com hostnames). The full bundle is reproduced below the table. | (full bundle below) | Optional |
| KnownRelatedIOCs | Add your own custom SUNBURST and SolarStorm IOCs to hunt. | | Optional |
| LogForwarding | PAN-OS Log Forwarding Profile name. | | Optional |
| AutoCommit | Whether to commit the configuration automatically in PAN-OS. Yes - commit automatically. No - commit manually. | No | Optional |
| AutoBlockSolarWindsServer | Whether to block the SolarWinds server automatically in PAN-OS. True - block automatically. False - leave the block to the analyst. | False | Optional |
| DeviceGroup | Target Device Group (Panorama only). | | Optional |
| O365_AdminRolesList | Comma-separated list of Office 365 admin roles. | | Optional |
| Mialboxes_Retrieve_Limit | The maximum number of mailbox results to retrieve. Default is 10. | 10 | Optional |
| AutoBlockIndicators | Whether to automatically block indicators related to the SolarStorm attack. Default: True. | True | Optional |
| UserVerification | Whether the user should verify the indicators before the playbook continues. Default: False. | False | Optional |
| InternalRange | A list of internal IP ranges to check IP addresses against. The comma-separated list should be provided in CIDR notation, for example "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). | lists.PrivateIPs | Optional |
| None | Generic group for outputs. | | Optional |

Note that BlockIndicatorsAutomatically (default False) and AutoBlockIndicators (default True) are separate inputs with opposite defaults, and that UserVerification defaults to False. With the defaults as shipped, the bundled indicators can be blocked without an analyst reviewing them, so set these three inputs together deliberately.

The SunBurstSTIX default value, one indicator object per line:

```json
{"id":"bundle--60aab587-660c-4b58-89d0-efcf9cbdf8dd","type":"bundle","spec_version":"2.0","objects":[
{"created":"2020-12-17T16:50:49.000Z","id":"indicator--180de847-a4c8-4e76-b719-138ac9c9b58e","labels":["file sha-256"],"modified":"2020-12-17T16:50:49.000Z","pattern":"[file:hashes.sha256 = '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.12709Z"},
{"created":"2020-12-17T16:51:42.000Z","id":"indicator--8d217031-22f6-4d86-bd42-0519032d93bc","labels":["file sha-256"],"modified":"2020-12-17T16:51:42.000Z","pattern":"[file:hashes.sha256 = '439bcd0a17d53837bc29fb51c0abd9d52a747227f97133f8ad794d9cc0ef191e']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.144865Z"},
{"created":"2020-12-17T16:58:27.000Z","id":"indicator--ff3c830a-dbe2-45ec-bfbc-dd357ae040fc","labels":["domain"],"modified":"2020-12-17T16:58:27.000Z","pattern":"[domain-name:value = 'thedoccloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.146129Z"},
{"created":"2020-12-17T16:52:06.000Z","id":"indicator--514f2faf-9572-44e3-8f67-ea782206335f","labels":["file sha-256"],"modified":"2020-12-17T16:52:06.000Z","pattern":"[file:hashes.sha256 = 'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.149043Z"},
{"created":"2020-12-17T16:50:28.000Z","id":"indicator--2e3e39c2-757d-496f-82b1-a715e44fb682","labels":["file sha-256"],"modified":"2020-12-17T16:50:28.000Z","pattern":"[file:hashes.sha256 = 'abe22cf0d78836c3ea072daeaf4c5eeaf9c29b6feb597741651979fc8fbd2417']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.150253Z"},
{"created":"2020-12-17T16:59:49.000Z","id":"indicator--a444b6e0-da14-4a6e-8024-15cda0061a6e","labels":["domain"],"modified":"2020-12-17T16:59:49.000Z","pattern":"[domain-name:value = 'databasegalore.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.151314Z"},
{"created":"2020-12-17T16:54:00.000Z","id":"indicator--1fbf05cb-270c-4c0b-aac1-1ae960fb166a","labels":["file sha-256"],"modified":"2020-12-17T16:54:00.000Z","pattern":"[file:hashes.sha256 = 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.152749Z"},
{"created":"2020-12-17T16:51:14.000Z","id":"indicator--18561b05-1cbe-42ab-b4ae-b315e8709c02","labels":["file sha-256"],"modified":"2020-12-17T16:51:14.000Z","pattern":"[file:hashes.sha256 = 'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.15395Z"},
{"created":"2020-12-17T16:49:45.000Z","id":"indicator--85ebd471-202b-4086-93fb-e075f70f506d","labels":["file sha-256"],"modified":"2020-12-17T16:49:45.000Z","pattern":"[file:hashes.sha256 = '53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.155011Z"},
{"created":"2020-12-17T16:52:27.000Z","id":"indicator--57f6e856-0188-4ab8-b563-f3633ec093fb","labels":["file sha-256"],"modified":"2020-12-17T16:52:27.000Z","pattern":"[file:hashes.sha256 = 'd3c6785e18fba3749fb785bc313cf8346182f532c59172b69adfb31b96a5d0af']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.156195Z"},
{"created":"2020-12-17T16:57:26.000Z","id":"indicator--bf705330-2adb-4dfa-a844-d5d1176a0ad0","labels":["url"],"modified":"2020-12-17T16:57:26.000Z","pattern":"[url:value = 'mhdosoksaccf9sni9icp.appsync-api.eu-west-1.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.157272Z"},
{"created":"2020-12-17T16:57:06.000Z","id":"indicator--2c1cfda2-2481-498f-8123-47ac1276f799","labels":["url"],"modified":"2020-12-17T16:57:06.000Z","pattern":"[url:value = 'k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.159475Z"},
{"created":"2020-12-17T16:59:33.000Z","id":"indicator--a64f9a04-d494-40ee-bb54-9b9406b76372","labels":["domain"],"modified":"2020-12-17T16:59:33.000Z","pattern":"[domain-name:value = 'incomeupdate.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.160553Z"},
{"created":"2020-12-17T16:52:52.000Z","id":"indicator--8683f37c-2ea9-4253-b8c5-e138ddff40c3","labels":["file sha-256"],"modified":"2020-12-17T16:52:52.000Z","pattern":"[file:hashes.sha256 = '292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.161572Z"},
{"created":"2020-12-17T16:46:31.000Z","id":"indicator--cc6f08e1-3475-43bc-ab4e-e5818e5b37b2","labels":["file sha-256"],"modified":"2020-12-17T16:46:31.000Z","pattern":"[file:hashes.sha256 = '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.162783Z"},
{"created":"2020-12-17T16:47:35.000Z","id":"indicator--9ca400a7-257b-4cf3-91a8-b2c9a565266b","labels":["file sha-256"],"modified":"2020-12-17T16:47:35.000Z","pattern":"[file:hashes.sha256 = 'd0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.163984Z"},
{"created":"2020-12-17T17:00:14.000Z","id":"indicator--ea44dc42-e516-4307-9225-21ccb22a7cc2","labels":["domain"],"modified":"2020-12-17T17:00:14.000Z","pattern":"[domain-name:value = 'panhardware.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.165095Z"},
{"created":"2020-12-17T16:56:41.000Z","id":"indicator--45f9a437-c4ee-4a24-9ffa-35a1202d62d5","labels":["url"],"modified":"2020-12-17T16:56:41.000Z","pattern":"[url:value = 'ihvpgv9psvq02ffo77et.appsync-api.us-east-2.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.166111Z"},
{"created":"2020-12-17T16:55:40.000Z","id":"indicator--242b1ad9-6309-4752-bad4-abf73f641297","labels":["url"],"modified":"2020-12-17T16:55:40.000Z","pattern":"[url:value = '7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com \t']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.167169Z"},
{"created":"2020-12-17T16:55:18.000Z","id":"indicator--b96ee095-a7d4-40a8-a4b4-9e7c080f5a44","labels":["url"],"modified":"2020-12-17T16:55:18.000Z","pattern":"[url:value = '6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.168384Z"},
{"created":"2020-12-17T16:59:14.000Z","id":"indicator--e03d0075-7880-43cd-86b1-18325470be45","labels":["domain"],"modified":"2020-12-17T16:59:14.000Z","pattern":"[domain-name:value = 'highdatabase.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.169586Z"},
{"created":"2020-12-17T16:58:56.000Z","id":"indicator--8942bb33-e898-4a10-bfb3-64530bd973ab","labels":["domain"],"modified":"2020-12-17T16:58:56.000Z","pattern":"[domain-name:value = 'websitetheme.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.170584Z"},
{"created":"2020-12-17T16:56:08.000Z","id":"indicator--2be41276-00d3-4438-bbf0-4fcc56dc3076","labels":["url"],"modified":"2020-12-17T16:56:08.000Z","pattern":"[url:value = 'gq1h856599gqh538acqn.appsync-api.us-west-2.avsvmcloud.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.171575Z"},
{"created":"2020-12-17T16:58:10.000Z","id":"indicator--8cd838ae-6330-4fbf-b5b4-07b77d46438d","labels":["domain"],"modified":"2020-12-17T16:58:10.000Z","pattern":"[domain-name:value = 'freescanonline.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.172676Z"},
{"created":"2020-12-17T16:57:52.000Z","id":"indicator--646c5771-6904-4176-813f-a2ca357f0e42","labels":["domain"],"modified":"2020-12-17T16:57:52.000Z","pattern":"[domain-name:value = 'deftsecurity.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.173695Z"},
{"created":"2020-12-17T16:47:15.000Z","id":"indicator--4069cf11-f617-40f2-8f7f-534e225aa33b","labels":["file sha-256"],"modified":"2020-12-17T16:47:15.000Z","pattern":"[file:hashes.sha256 = 'efbec6863f4330dbb702cc43a85a0a7c29d79fde0f7d66eac9a3be43493cab4f']","score":"Medium","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.174561Z"},
{"created":"2020-12-17T17:00:41.000Z","id":"indicator--026307f7-449c-4858-a112-fc4b73c31593","labels":["domain"],"modified":"2020-12-17T17:00:41.000Z","pattern":"[domain-name:value = 'zupertech.com']","score":"High","source":"","type":"indicator","valid_from":"2020-12-17T17:01:35.175745Z"}
]}
```

Two things to check before feeding this bundle into a hunt. The three url entries for mhdosoksaccf9sni9icp, k5kcubuassl3alrf7gm3 and 7sbvaemscs0mc925tb99 carry a trailing space and tab (" \t") inside the pattern value, so an exact-match query built from the raw value will never hit; strip whitespace when extracting indicators. The six url entries are also bare hostnames rather than URLs, and they are per-victim DGA subdomains of avsvmcloud.com (see the FireEye source above), so hunting DNS and firewall logs for any name under avsvmcloud.com catches victims that these six specific hostnames do not.

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


SolarStorm and SUNBURST Hunting and Response Playbook