This query was originally published in the threat analytics report, Solorigate supply chain attack.
Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as Solorigate. A threat actor silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query searches Threat and Vulnerability Management (TVM) data for Orion software known to be affected by Solorigate.
More Solorigate-related queries can be found listed under the See also section of this document.
DeviceTvmSoftwareInventoryVulnerabilities
| where CveId == 'TVM-2020-0002'
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersionThis query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | ||
| Persistence | ||
| Privilege escalation | ||
| Defense evasion | ||
| Credential Access | ||
| Discovery | ||
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | v | |
| Vulnerability | ||
| Misconfiguration | ||
| Malware, component |
- Credentials were added to an Azure AD application after 'Admin Consent' permissions granted [Solorigate]
- Locate Solorigate-related malicious DLLs loaded in memory
- Locate Solorigate-related malicious DLLs created in the system or locally
- Locate SolarWinds processes launching suspicious PowerShell commands
- Locate SolarWinds processes launching command prompt with the echo command
- Locate Solorigate attempting DNS lookup of command-and-control infrastructure
- Locate Solorigate receiving DNS response
- Get an inventory of SolarWinds Orion software possibly affected by Solorigate
Contributor: Microsoft Threat Protection team