SUNBURST Backdoor: What to look for in your logs now – Interview with an incident responder

Yesterday, FireEye published a report about a global intrusion campaign that used a backdoor planted in SolarWinds Orion. The attackers compromised the Orion software supply chain rather than any individual customer: the backdoored component shipped inside Orion updates that carried a valid SolarWinds digital signature, so users who installed them had every reason to believe the packages were authentic and had not been tampered with.

With this information out in the world, teams are scrambling to investigate if their environments are affected by this breach.

Today, I’m talking to Eric Capuano, CTO and Founder of Recon InfoSec. Eric has years of experience in digital forensics, incident response, and the defense of computer networks. Recon InfoSec is also behind OpenSOCSOCX and the Network Defense Range training.

Lennart Koopmann: Eric, thanks for taking the time to talk to me today. What do you think should be the very first step people should take to find out if they might be affected by SUNBURST? We can’t prescribe a plan, but maybe there are some things that everyone should start with?

Eric Capuano: The first thing to do is immediately query for known indicators of compromise in your environment. FireEye has published a very solid list of initial indicators for this campaign, and these can easily be converted to sweeping queries in Graylog. However, simply querying for these indicators is not enough on its own. It is highly advisable to craft a pipeline rule that will proactively watch for the presence of these indicators from this point forward. The FireEye indicators can be found here. While these IOCs are a great start, it is likely that this actor will not cease operations simply because of these initial threat intel reports. Expect new IOCs to emerge over the coming days and weeks, and keep your pipeline rules updated accordingly.

My team has decided to publish a couple of pipeline rules containing the network-based indicators that we currently know about. We will continue to update these as we add new IOCs to our own pipeline rules. Those rules can be viewed here:


Keep in mind, field names may need to be adjusted according to your own normalization standards.

Koopmann: If someone has reason to believe that they could be affected, what’s next? Would there be any traces in logs that can tell if the backdoor was activated or even if someone exfiltrated data?

Capuano: If you have Sysmon in your environment (which we highly recommend!), then you can leverage event ID 3, or even just firewall traffic logs, to look for any systems communicating with the known network indicators such as those found here. It is also wise to begin scrutinizing all process creation events (event ID 4688 or Sysmon event ID 1) on your SolarWinds Orion system to look for unusual process activity. Leverage the Graylog “Top Values” feature (called “Quick Values” in earlier releases of Graylog) to look for the least frequently occurring processes/command line arguments on the potentially affected system(s).

Koopmann: It looks like this is very sophisticated malware that goes to great lengths to hide its own presence and activity. The fact that it was undetected for so long, until the attackers decided to pivot into FireEye and challenge their world-class blue team, shows that it was very well designed. Can you think of any lessons to learn from SUNBURST to improve security posture?

Capuano: It certainly sends a strong message that we need as much visibility as we can get from every single data source in our environments. We can gain this visibility very easily with tools like Sysmon and Graylog. We must also come to terms with the fact that no product vendor is immune to sophisticated supply chain attacks, so even though your organization might be “doing everything right”, you may fall victim to someone else’s supply chain compromise. Ensure that you have the highest level of visibility on key systems like network monitoring tools, configuration/patch management tools, domain controllers, and all other critical terrain. These are the systems that generally have the highest level of access to the rest of the environment and should be treated as such.

Thank you very much, Eric! I’m sure this is a busy week for you and your team.
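The two checks Eric describes in the interview (sweeping network events for the published indicators, then stacking process-creation events on the Orion host so the rarest command lines surface first, the way the bottom of a Graylog “Top Values” list does) written out as an added example. This is editor-written code, not code from the interview, Recon InfoSec or Graylog, and it uses Python instead of a Graylog pipeline rule so it can run offline. The IOC values (an RFC 5737 address and a reserved .invalid domain), the field names in FIELD_MAP and the Sysmon-shaped log records are all constructed placeholders; the real indicator list is the one FireEye published.

```python
"""IOC sweep over network events plus least-frequent process stacking.

Added example (not from the original interview). All IOCs, field names
and events below are constructed placeholders.
"""
from collections import Counter

# Constructed placeholder IOCs. Replace with the published FireEye list.
NETWORK_IOCS = {
    "ip": {"203.0.113.45"},            # RFC 5737 documentation range
    "domain": {"ioc-example.invalid"},  # reserved TLD, never resolves
}

# The interview warns that field names depend on your normalization
# standard; adjust this map instead of editing the logic below.
FIELD_MAP = {
    "host": "source",
    "image": "process_image",
    "cmdline": "process_command_line",
    "dest_ip": "destination_ip",
    "dest_domain": "destination_hostname",
}

ORION = r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe"

# Constructed sample records shaped like normalized Sysmon Event ID 3
# (network connection) and Event ID 1 (process creation) events.
SAMPLE_EVENTS = [
    {"event_id": 3, "source": "orion01", "process_image": ORION,
     "destination_ip": "203.0.113.45",
     "destination_hostname": "ioc-example.invalid"},
    {"event_id": 3, "source": "orion01", "process_image": ORION,
     "destination_ip": "198.51.100.7",
     "destination_hostname": "updates.example.net"},
    {"event_id": 3, "source": "ws42", "process_image": r"C:\Program Files\Browser\browser.exe",
     "destination_ip": "192.0.2.10",
     "destination_hostname": "cdn.example.org"},
] + [
    {"event_id": 1, "source": "orion01",
     "process_image": r"C:\Windows\System32\svchost.exe",
     "process_command_line": "svchost.exe -k netsvcs"}
    for _ in range(3)
] + [
    {"event_id": 1, "source": "orion01", "process_image": ORION,
     "process_command_line": "SolarWinds.BusinessLayerHost.exe"}
    for _ in range(2)
] + [
    # A single cmd.exe spawned on the Orion host: rare, worth a look.
    {"event_id": 1, "source": "orion01",
     "process_image": r"C:\Windows\System32\cmd.exe",
     "process_command_line": "cmd.exe /c whoami"},
]


def field(event, key):
    """Read a logical field through FIELD_MAP; missing fields yield None."""
    return event.get(FIELD_MAP[key])


def match_network_iocs(events, iocs=NETWORK_IOCS):
    """Return one hit per network event whose destination matches an IOC.

    Domains match exactly or as a subdomain of an IOC domain, so a
    lookup for 'x.ioc-example.invalid' is still caught.
    """
    hits = []
    for e in events:
        if e.get("event_id") != 3:
            continue
        reasons = []
        ip = field(e, "dest_ip")
        if ip in iocs["ip"]:
            reasons.append("ip:" + ip)
        domain = (field(e, "dest_domain") or "").lower().rstrip(".")
        for ioc in iocs["domain"]:
            if domain == ioc or domain.endswith("." + ioc):
                reasons.append("domain:" + ioc)
        if reasons:
            hits.append({"host": field(e, "host"),
                         "image": field(e, "image"),
                         "reasons": reasons})
    return hits


def rare_process_creations(events, max_count=1):
    """Stack (image, command line) pairs and return the rarest ones.

    Mirrors reading a Top Values widget from the bottom: anything seen
    at most max_count times on the host is returned, rarest first.
    """
    counts = Counter(
        (field(e, "image"), field(e, "cmdline"))
        for e in events if e.get("event_id") == 1
    )
    rare = [(img, cmd, n) for (img, cmd), n in counts.items() if n <= max_count]
    return sorted(rare, key=lambda t: t[2])


if __name__ == "__main__":
    for hit in match_network_iocs(SAMPLE_EVENTS):
        print("IOC hit:", hit)
    for img, cmd, n in rare_process_creations(SAMPLE_EVENTS):
        print(f"rare process ({n}x): {img} :: {cmd}")
```

Run it as-is to see one IOC hit (matched on both the IP and the domain) and one rare process creation; in practice you would feed it exported Graylog search results or a log file, and the same two functions are what a pipeline rule should encode so the sweep keeps running after the one-off query.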
