Sunburst Correlation DLL and Network Event

The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.