SPL · Apache-2.0 · from splunk/security_content

Sunburst Correlation DLL and Network Event

The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon Event ID 7 (image loaded) for the DLL load and Event ID 22 (DNS query) for the resolution, and produces results only when both event types are present in the search results. The SPL itself imposes no time window: Sunburst stayed dormant for roughly 12-14 days before its first DNS beacon, so the search must be run over a time range that spans at least that period, otherwise the two events never land in the same result set. Two points worth tightening when tuning: the distinct count is computed across the whole result set rather than per host (there is no `by dest` on the eventstats), so a DLL load on one host and a query from another host together satisfy the gate; and the base search does not constrain Image to SolarWinds.BusinessLayerHost.exe, it only groups by it. This activity is significant as it indicates a potential Sunburst infection, the payload of the SolarWinds supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.

Rule source: detections/endpoint/sunburst_correlation_dll_and_network_event.yml
`sysmon`
(
    EventCode=7
    ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll
)
OR
(
    EventCode=22
    QueryName=*avsvmcloud.com
)
| eventstats dc(EventCode) AS dc_events
| where dc_events=2
| stats count min(_time) as firstTime
              max(_time) as lastTime
    by Image ImageLoaded dest
       loaded_file loaded_file_path original_file_name
       process_exec process_guid process_hash
       process_id process_name process_path
       service_dll_signature_exists service_dll_signature_verified signature
       signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `sunburst_correlation_dll_and_network_event_filter`
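As an added example, not part of the Splunk rule or the security_content project, the correlation above is re-implemented in plain Python and run over a handful of constructed Sysmon events; the hostnames, paths, timestamps and the DNS label are invented for illustration. It mirrors the SPL's stages (base search, global distinct count, stats by image/DLL/host) so the reader can see exactly which rows the rule as written returns, and beside it a per-host variant and a check of what happens when the search time range is shorter than the Sunburst dormancy period.

```python
"""Plain-Python re-implementation of the rule's correlation stages, run over
constructed Sysmon events (not real telemetry), to show what the SPL as
written reports and how a per-host variant behaves."""
from collections import defaultdict
from datetime import datetime, timedelta

MALICIOUS_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"
C2_DOMAIN = "avsvmcloud.com"
ORION_DIR = r"C:\Program Files (x86)\SolarWinds\Orion"      # assumed install path
BLH = ORION_DIR + r"\SolarWinds.BusinessLayerHost.exe"

T0 = datetime(2020, 6, 1, 9, 0, 0)  # constructed baseline timestamp

# Constructed sample events. Keys follow the Sysmon fields the SPL uses.
SAMPLE_EVENTS = [
    # orion01: DLL load, then 13 days later a DNS query for the C2 domain
    {"_time": T0, "EventCode": 7, "dest": "orion01", "Image": BLH,
     "ImageLoaded": ORION_DIR + "\\" + MALICIOUS_DLL},
    {"_time": T0 + timedelta(days=13), "EventCode": 22, "dest": "orion01",
     "Image": BLH, "QueryName": "constructed-label.appsync-api.eu-west-1.avsvmcloud.com"},
    # orion02: loads the DLL but never queries the domain inside this window
    {"_time": T0 + timedelta(hours=2), "EventCode": 7, "dest": "orion02", "Image": BLH,
     "ImageLoaded": ORION_DIR + "\\" + MALICIOUS_DLL},
    # ws05: queries the domain (e.g. an analyst with nslookup) but runs no Orion code
    {"_time": T0 + timedelta(days=14), "EventCode": 22, "dest": "ws05",
     "Image": r"C:\Windows\System32\nslookup.exe", "QueryName": "avsvmcloud.com"},
    # benign noise the base search must discard
    {"_time": T0 + timedelta(minutes=1), "EventCode": 7, "dest": "orion01", "Image": BLH,
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    {"_time": T0 + timedelta(days=5), "EventCode": 22, "dest": "orion02",
     "Image": BLH, "QueryName": "updates.example.com"},
]


def matches_base_search(ev):
    """The SPL base search: (EventCode=7 AND ImageLoaded=*<dll>) OR
    (EventCode=22 AND QueryName=*avsvmcloud.com). The leading-wildcard term is
    mirrored as a case-insensitive suffix match; note that it would also accept
    e.g. 'notavsvmcloud.com', a dot-anchored match would be stricter."""
    if ev["EventCode"] == 7:
        return ev.get("ImageLoaded", "").lower().endswith(MALICIOUS_DLL.lower())
    if ev["EventCode"] == 22:
        return ev.get("QueryName", "").lower().endswith(C2_DOMAIN)
    return False


def correlate_as_written(events):
    """Stages 2-3 of the SPL: `eventstats dc(EventCode)` over the whole result
    set, `where dc_events=2`, then `stats count min(_time) max(_time) by Image
    ImageLoaded dest`. Two properties of the SPL are reproduced deliberately:
      * the distinct count is global, so a load on one host plus a query on
        another host is enough to pass the gate;
      * `stats ... by` drops events missing a by-field, so the EventCode 22
        rows (no ImageLoaded) never appear in the output; they only act as the gate.
    Returns {(dest, Image, ImageLoaded): {"count", "firstTime", "lastTime"}}."""
    hits = [e for e in events if matches_base_search(e)]
    if len({e["EventCode"] for e in hits}) != 2:
        return {}
    groups = defaultdict(list)
    for e in hits:
        if "ImageLoaded" not in e:          # null by-field: Splunk drops the event
            continue
        groups[(e["dest"], e["Image"], e["ImageLoaded"])].append(e["_time"])
    return {key: {"count": len(ts), "firstTime": min(ts), "lastTime": max(ts)}
            for key, ts in groups.items()}


def correlate_per_host(events):
    """Tighter variant (SPL: `eventstats dc(EventCode) AS dc_events by dest`):
    both event types must come from the same host. Also reports the gap between
    the first DLL load and the first C2 query, which for Sunburst is expected
    to be roughly 12-14 days of dormancy."""
    by_host = defaultdict(list)
    for e in events:
        if matches_base_search(e):
            by_host[e["dest"]].append(e)
    out = {}
    for host, evs in sorted(by_host.items()):
        loads = sorted(e["_time"] for e in evs if e["EventCode"] == 7)
        queries = sorted(e["_time"] for e in evs if e["EventCode"] == 22)
        if loads and queries:
            out[host] = {"first_load": loads[0], "first_query": queries[0],
                         "days_to_beacon": (queries[0] - loads[0]).days}
    return out


def in_search_window(events, earliest, latest):
    """The SPL has no window of its own; the search time range supplies it."""
    return [e for e in events if earliest <= e["_time"] <= latest]


if __name__ == "__main__":
    for key, row in correlate_as_written(SAMPLE_EVENTS).items():
        print("as written:", key[0], row)
    print("per host:", correlate_per_host(SAMPLE_EVENTS))
    short = in_search_window(SAMPLE_EVENTS, T0, T0 + timedelta(days=7))
    print("per host, 7-day window:", correlate_per_host(short))
```

Run as written, the rule returns a DLL-load row for both orion01 and orion02, because the global distinct count is satisfied by any query anywhere in the result set and the DNS rows themselves are dropped by the `stats ... by ImageLoaded` grouping. The per-host variant returns only orion01, with a 13-day gap between load and first beacon, and returns nothing at all when the search is scoped to a 7-day range, which is the practical reason the description insists on a 12-14 day window.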