The following is an aggregation of threat intel sources for the SolarWinds Orion (SUNBURST) attack.
Note: I do not own or maintain these resources, and I make no claim as to their validity or safety.
- Mandiant SunBurst Countermeasures by FireEye
- Sunburst DGA Domains Decoded
- Decompile of the SolarWinds "SUNBURST" Trojan associated with Campaign UNC2452 by Shadow0ps
- Sunburst IOCs for Splunk Ingest by davisshannon
- Various indicator lists and/or free research tools provided by Bambenek Labs
- SunBurst DGA Decode Script by RedDrip7
- SunBurst sample detonation review by ept-team
- Quick lookup files for SUNBURST Backdoor by rkovar
- Alienvault OTX Threat Intel
- Azure-Sentinel-Notebooks Guided Hunting - Solarwinds Post Compromise
- Credential Dumping Tool for SolarWinds Orion by mubix
- PowerShell script to decode the DGA algorithm used in the SUNBURST backdoor by Truesec
- FireEye Threat Research - Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
- FireEye Identifies Killswitch for SolarWinds Malware as Victims Scramble to Respond
- DomainTools - Unraveling Network Infrastructure Linked to the SolarWinds Hack
- Hackers used SolarWinds' dominance against it in sprawling spy campaign
- Microsoft - Ensuring customers are protected from Solorigate
- Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)
- The SolarWinds Perfect Storm: Default Password, Access Sales and More
- Rapid7 - SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know
- Unit42 - Threat Brief: SolarStorm and SUNBURST Customer Coverage
- Dark Halo Leverages SolarWinds Compromise to Breach Organizations
- Talos - Threat Advisory: SolarWinds supply chain attack
- Cnet - SolarWinds hack hits major tech companies and hospital system: What you need to know
- ZDNet - A second hacking group has targeted SolarWinds systems
- Cisco targeted in SolarWinds attack as Microsoft uncovers a second hacking group
- Bloomberg - SolarWinds Adviser Warned of Lax Security Years Before Hack
- TRUESEC - The SolarWinds Orion SUNBURST supply-chain Attack
- Twitter #UNC2452
- Twitter #SUNBURST
- Twitter #SolarWindsOrion
- Twitter #solarwinds123
- Twitter #solorigate
- Twitter #SolarWindsHack
- Emergency Directive 21-01
- Security Advisory - Active Exploitation of SolarWinds Software
- Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Elastic Security provides free and open protections for SUNBURST
- Finding SUNBURST backdoor with Zeek logs & Corelight
- Using Splunk to Detect Sunburst Backdoor
- Microsoft - Important steps for customers to protect themselves from recent nation-state cyberattacks
- SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack
- Corelight: Finding SolarWinds / SUNBURST backdoors with Zeek & Corelight
Please use this to protect yourself and your assets. Feel free to add pull requests for additional resources.