Mirrors/keyboardcrunch-sentinelone-queries
1
0
Fork 0
mirror of https://github.com/keyboardcrunch/sentinelone-queries synced 2026-06-08 17:07:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

Adding query for sunburst campaign

Browse Source
This commit is contained in:
keyboardcrunch
2020-12-13 21:48:38 -06:00
parent fad7b95528
commit f87ab44340
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
queries/apt/sunburst_campaign.yml
+17
View File
@@ -0,0 +1,17 @@
title: Sunburst Campaign
description: Sunburst campaign IOCs documented by FireEye used in supply chain attack using trojanized SolarWinds Orion software.
author: keyboardcrunch
date: 13/12/2020
modified:
mitre:
tactic:
technique:
subtechnique:
operating_system: windows
query: DstIp In ("13.59.205.66","54.193.127.66","54.215.192.52","34.203.203.23","139.99.115.204","5.252.177.25","5.252.177.21","204.188.205.176","51.89.125.18","167.114.213.199") OR DnsRequest In Contains ("freescanonline.com","deftsecurity.com","freescanonline.com","thedoccloud.com","websitetheme.com","highdatabase.com","incomeupdate.com","databasegalore.com","panhardware.com","zupertech.com") OR Sha256 In ("d0d626deb3f9484e649294a8dfa814c5568f846d5aa02d4cdad5d041a29d5600","53f8dfc65169ccda021b72a62e0c22a4db7c4077f002fa742717d41b3c40f2c7","019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134","ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6","32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77","292327e5c94afa352cc5a02ca273df543f2020d0e76368ff96c84f4e90778712","c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71")
false_positives:
tags:
- UNC2452
- SolarWinds
references:
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html