Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

updated iocs

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-13 22:46:00 -06:00
parent f87ab44340
commit 2a0c1adc13
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/apt/sunburst_campaign.yml
+3 -2
View File
@@ -1,5 +1,5 @@
title: Sunburst Campaign title: Sunburst Campaign
description: Sunburst campaign IOCs documented by FireEye used in supply chain attack using trojanized SolarWinds Orion software. description: Sunburst campaign IOCs documented by FireEye and Microsoft used in supply chain attack against SolarWinds Orion software.
author: keyboardcrunch author: keyboardcrunch
date: 13/12/2020 date: 13/12/2020
modified: modified:
@@ -8,10 +8,11 @@ mitre:
technique: technique:
subtechnique: subtechnique:
operating_system: windows operating_system: windows
query: DstIp In ("13.59.205.66","54.193.127.66","54.215.192.52","34.203.203.23","139.99.115.204","5.252.177.25","5.252.177.21","204.188.205.176","51.89.125.18","167.114.213.199") OR DnsRequest In Contains ("freescanonline.com","deftsecurity.com","freescanonline.com","thedoccloud.com","websitetheme.com","highdatabase.com","incomeupdate.com","databasegalore.com","panhardware.com","zupertech.com") OR Sha256 In ("d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600","53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6","32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77","292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712","c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71") query: DstIp In ("13.59.205.66","54.193.127.66","54.215.192.52","34.203.203.23","139.99.115.204","5.252.177.25","5.252.177.21","204.188.205.176","51.89.125.18","167.114.213.199") OR DnsRequest In Contains ("avsvmcloud.com","freescanonline.com","deftsecurity.com","freescanonline.com","thedoccloud.com","websitetheme.com","highdatabase.com","incomeupdate.com","databasegalore.com","panhardware.com","zupertech.com") OR Sha256 In ("d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600","53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6","32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77","292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712","c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71","dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b","eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed","c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77","ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6")
false_positives: false_positives:
tags: tags:
- UNC2452 - UNC2452
- SolarWinds - SolarWinds
references: references:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://isc.sans.edu/forums/diary/SolarWinds+Breach+Used+to+Infiltrate+Customer+Networks+Solarigate/26884/