Business

How to Detect and Search for SolarWinds IOCs in LogRhythm

Published

on

LogRhythm Labs has gathered up the indicators of compromise (IOCs) from CISA, Volexity, and FireEye associated with the recent SolarWinds supply chain attack and made them available in  GitHub repository for your convenience. Feel free to download and import the IOC files into your LogRhythm deployment for investigations and real-time analytics.

Please note that new information on this advanced persistent threat (APT) activity will likely be released for weeks, if not months, given the scope of the attack. Although we will occasionally update our GitHub repository, we cannot guarantee the timeliness or accuracy of the information released by other parties. We advise you to review the sources discussed in this article on your own for the most updated information. In this blog post, we discuss how these IOCs were extracted and the threat hunting opportunities within the LogRhythm NextGen SIEM Platform.

TL;DR

Intel to Detect Indicators of Compromise

FireEye recently reported on a compromise involving a supply chain attack using SolarWinds. This report comes on the heels of FireEye recently disclosing that they too have been compromised by a threat actor. FireEye published IOCs that we shared along with details on how to use them in LogRhythm here.

Keep reading to learn how to apply the threat intelligence shared by FireEye, CISA, and Volexity to threat hunt for adversarial activity in your environment.

FireEye Sunburst Countermeasures GitHub Repository

FireEye’s “Sunburst Countermeasures” GitHub repository contains a list of IOCs. The following are ways you can use the IOCs in your LogRhythm deployment.

All-snort.rules

If you are running Snort in your environment and bringing in the logs to your SIEM, you can use the list here against the ThreatName field to search, event, or alert for occurrences of the malware in your environment.

Please see Appendix A for the regular expression used to extract the threat name from the Snort rules.

Indicator_Release Files

There are two indicator_release files in the GitHub repository containing hashes and network indicators. We will walk through extracting the IOCs from one of the files with Excel and the other using SED.

Indicator_Release_Hashes.csv

Save the file locally and use Excel to open the file to use in a LogRhythm list.

  • Under the appropriate column (SHA256, SHA1, MD5), select the hashes to copy to the LogRhythm list.
Figure 1: indicator_release_hashes.csv in Excel
  • Copy selected hashes and paste them into Notepad.
  • Save the Notepad file as something like “FE_SW_Hashes.txt”
  • In the LogRhythm Client Console, select “List Manager”
  • Create a new general value list named something like “FE_SW_Hashes”
  • In the “List Items” tab, select “Import Items”, and import the text file you saved earlier.
Figure 2: LogRhythm list with imported hashes
  • Click the “Additional Settings” tab and place a checkmark in “Hash”.
Figure 3: Setting the Use Context of the LogRhythm list to Hash
  • Click “OK” when done.

Indicator_Release_NBIs.csv

  • Save the file locally and use this “one liner” to extract the domain names to be used in a list.
  • Import the list as a pattern match into the LogRhythm SIEM.
  • Use the LogRhythm SIEM and list to search fields that contain domain name information.

Please see Appendix A for the sed command used to extract the domain names from Indicator_Release_NBIs.csv.

Cybersecurity and Infrastructure Security Agency (CISA) STIX Feed

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also released an alert regarding the APT activity related to the SolarWinds supply chain compromise. The alert includes a feed of IOCs in Structured Threat Information Expression (STIX™) format. The STIX feed is convenient for LogRhythm customers because they can leverage LogRhythm’s Threat Intelligence Service to ingest the IOCs, create LogRhythm lists for each type of IOC, and regularly check the feed for updates. It’s easy to pull the CISA IOCs by adding a custom STIX feed to the Threat Intelligence Service and pasting the feed’s URL into the STIX Indicator Endpoint field:

Figure 4: Adding the CISA IOC feed to the LogRhythm Threat Intelligence Service

Once the feed is enabled, it will configure by default to update every 12 hours. You can click the Download Now button to immediately download the feed data.

Figure 5: The LogRhythm Threat Intelligence Service with the custom STIX feed

The Threat Intelligence Service automatically creates LogRhythm lists corresponding to each of the IOC types provided in the feed and configures the list to import any updates resulting from the feed’s periodic check.

Figure 6: LogRhythm lists automatically created by the Threat Intelligence Service
Figure 7: List of Hashes automatically created by the Threat Intelligence Service

You can use the lists for retroactive threat hunts or as criteria for AI Engine rules. Note that you may need to confirm the Use Contexts of the list to ensure you can search for them against the metadata fields you require. In this case, we need to add the Use Context of Hash manually.

Figure 8: Adding the Hash Use Context to the generated list
Figure 9: Searching for logs containing the hashes imported from CISA

Locating CNAME Responses to DNS Queries

The CISA and Volexity reports mention that organizations running the compromised builds of Orion will likely see DNS queries originating from their Orion server for avsvmcloud[.]com. Of particular interest is whether the queries produced CNAME responses. Per CISA: “If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.” [1]

How do you find CNAME responses to DNS queries? The exact answer will depend on the log source type and how it’s parsed. Let’s look at an example using Microsoft Sysmon logging a query to finance.yahoo.com. Below is a screen shot from Wireshark showing that a DNS query for finance.yahoo.com returned a CNAME record (an alias to another DNS name) to edge.gycpi.b.yahoodns.net as well as its associated IP address 69.147.71.254.

Figure 10: Microsoft Sysmon logging query to finance.yahoo.com

DNS queries are logged by Microsoft Sysmon as Event ID 22. We can search for the query in LogRhythm with the following criteria:

Figure 11: Searching for DNS queries in LogRhythm

The search returns the following log:

Figure 12: Log returned from the search in LogRhythm

Note that the Sysmon log includes the process that initiated the DNS query (chrome.exe), the query that was performed (finance.yahoo.com), and the response (type: 5 edge.gycpi.b.yahoodns.net;69.147.71.254;69.147.71.253). The response type of 5 indicates that this is a CNAME response.

If your Orion server had Microsoft Sysmon installed and was logging DNS queries, you could perform the same search for the Object Name of avsvmcloud[.]com and review the logs for type 5 responses.

Leverage Volexity’s Observations in Your SIEM

Volexity recently published a blog that references “Dark Halo” as the threat actor related to the SolarWinds compromise. Their blog focuses on the attacker’s goal, and methods used to achieve those goals, which ultimately was exfiltration of email. Dark Halo was observed using mostly PowerShell commands. The following are methods you can use to search or alert in your SIEM based on Volexity’s observations.

PowerShell and Command Line Logging

In order to use the references of PowerShell and Command Line logging to search in the LogRhythm SIEM, you will need to configure your endpoint logging first. It’s never too late to configure your endpoint logging, so if you haven’t yet, we highly recommend that you do so. You can learn more about our PowerShell guidance and how to detect PowerShell usage here in our MITRE ATT&CK Module. If you haven’t deployed the module yet, we recommend reviewing our RhythmWorld presentation, “Deploying the MITRE ATT&CK Module” for guidance on how to do so.

Detecting Suspicious PowerShell Usage: Parent Process is CMD.EXE

Detecting suspicious use of PowerShell from the example in Volexity’s blog is to note that CMD.EXE is invoking PowerShell.EXE with a command. The fastest way to detect suspicious PowerShell usage is searching Events for our AIE rules in the MITRE ATT&CK Module named “Execution : PowerShell” or “T1059.001:PowerShell”. Another method of searching is to look for Parent Process Name is CMD.EXE and Process Name is PowerShell.exe. In some environments it may be normal for powershell.exe to be invoked by CMD.EXE. We have provided guidance in two different Community posts on how to determine if PowerShell usage is normal in your environment. You can view them here and here.

Detecting Volexity’s Command Line IOCs

Volexity has published an appendix of their IOCs at the bottom of their blog. Appendix B contains their list of observed PowerShell commands used. The following are steps you can take to leverage these commands in your threat hunt using the LogRhythm Web Console.

  • On the Dashboard, click on “Search…”
  • Select “Command” is sql:% and the name from the IOC list%
    • Example: sql:%Get-AcceptedDomain%
  • Click on “Value” and repeat the previous step until all IOCs have been added.
  • Your search criteria will look something like this:
Figure 13: Searching for command lines observed by Volexity
  • Click on “Advanced…”
  • Name the search something like “Volexity:DarkHalo:Commands”
  • Change the Read Permission to “Public All Users”
  • Change Write Permission to “Public Global Administrator”
  • You may want to modify “Maximum Results” based on your environment.
  • Your saved search should look something like this:
Figure 14: Creating a saved search from the Volexity command line observations
  • Save your search.
  • Before searching, we will modify the time frame. We know that the SolarWinds modified binaries occurred around March. Set the time frame starting March 2020 to present.
    • Note: You may want to search in smaller time slices depending on the number of results.
  • Your search should look something like this:
Figure 15: Volexity command line search with expanded date range
  • Click on “Search” to execute the search.

Analyzing Your Search Results with the Default Analyze (7.6) Dashboard

Viewing your results in the Default Analyze Dashboard should look something like this:

Figure 16: Volexity command line search results in LogRhythm 7.6 Default Analyze dashboard Part 1
Figure 17: Volexity command line search results in LogRhythm 7.6 Default Analyze dashboard Part 2

Most notable off the bat are User (Origin) and Top Host (Impacted). You can start your filtering by excluding known users and known systems that should be executing the commands. A quick way to exclude is by Alt + Double Click something you want to exclude.

You can also hunt by using the process of elimination by filtering on a user, and reviewing the commands issued to determine if they appear “normal” or are more in line with what the Volexity blog listed.

LogRhythm Labs wants to make sure LogRhythm customers have usable intel to help detect IOCs and defend their organization against attacks. Make sure to subscribe to the LogRhythm blog for updates when we publish new posts.

Appendix A

Regular expressions used to extract IOCs from the FireEye repository

FileIndicatorRegular Expression
All-snort.rulesThreatNamegrep -o -P ‘(?<=msg:”)(([^”])*)(?=”;)’ all-snort.rules | sort | uniq > FE_SW_Snort.txt
Indicator_Release_NBIs.csv Domain Namessed ‘s/[][]//g’ Indicator_Release_NBIs.csv | cut -d “,” -f 3 > FE_SW_nbi.txt

Source: https://logrhythm.com/blog/how-to-detect-and-search-for-solarwinds-iocs-in-logrhythm/?&web_view=true

Click to comment
Exit mobile version