There is a lot of information on Sunburst out there. We wanted to create a dynamic post to track relevant and useful resources for responding to a potential Sunburst breach. We will assume that you have already run the Sunburst script and had hits. If not, please see our blog post on how to run the Extrahop Reveal(x) Sunburst script:
Script Code Here:
Options for the script (if you have a large environment or are hitting timeouts, try running it with these variables):
Once you have hits, now what? Let's walk through what to do if you have hits after running the Extrahop Reveal(x) script:
- Review our blog on how to use Extrahop Reveal(x) to look for Sunburst threat activity:
Video: I have Sunburst hits in Reveal(x) – what next?
Investigate the hits
- Focus on the devices that communicated with known Sunburst C2 IP addresses (the hits from the Extrahop Reveal(x) script)
- Ensure these devices are in Advanced Analysis (full Layer 7 analysis)
- Look at DNS logs (Reveal(x) records and/or native DNS server logs) for queries made by the clients listed as hits in the Sunburst script to the specific C2 domains referenced in the Extrahop and Fireeye blogs
  - This is the recon phase of the Sunburst attack: the backdoor catalogs potential victims so the attacker can decide whether you are a target of interest (does the attacker want to attack you?)
  - The output of the Extrahop script gives you specific time periods to look at (when the potential C2 transactions occurred)
  - Reference the C2 domains listed in the Extrahop blog and the Fireeye post (the script runs against the same list)
  - Hits to the known DNS C2 domains do not by themselves mean the attacker acted on your environment; they mean a backdoored Orion host beaconed and you were being evaluated as a target of interest
- Look for HTTP/HTTPS commands sent (the attack moves from passive recon to active exploitation)
  - On devices that had Orion agents running and where you have confirmed DNS C2 activity, look for HTTP/HTTPS exploit activity to the known Sunburst C2 domains
  - You may need full packet capture to completely audit for compromised connections (details on HTTP payload analysis are in the Fireeye post)
  - Extrahop Reveal(x) decryption can help ensure that malicious payloads are not being transferred under cover of TLS (decrypt SSL transactions for certificates you own)
  - If you have active HTTP transactions to known Sunburst C2 domains (the domains in the Extrahop Sunburst script) from devices that were running infected Orion agents, it is fair to assume the malware has transitioned from passive to active mode and that you have been breached
  - Refer to the mitigation steps from CISA Alert AA20-352A below if you believe you have been breached
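To make the passive-versus-active distinction above concrete, here is an added example (our illustration, not Extrahop's script or Fireeye's tooling) that correlates DNS lookups of the C2 domains with later HTTP/HTTPS transactions to them, per Orion host, and tags each HTTP hit with whether it fell inside the window after a DNS beacon. The DNS and HTTP records, the Orion host list and the stage2.example.com domain are constructed; avsvmcloud.com is the DGA parent domain Fireeye reported, and the full list should come from the posts referenced above.

```python
"""Correlate DNS C2 lookups with follow-on HTTP/HTTPS activity per Orion host."""
from datetime import datetime, timedelta

# Replace with the full C2 domain list from the Extrahop and Fireeye posts.
# avsvmcloud.com is the DGA parent domain Fireeye reported for the DNS stage;
# stage2.example.com is a constructed placeholder for a second-stage HTTP C2 domain.
C2_DOMAINS = {"avsvmcloud.com", "stage2.example.com"}

# Assumed: hosts running the Orion agent, taken from your own asset inventory.
ORION_HOSTS = {"10.1.5.20", "10.1.5.21", "10.1.5.22"}

# Constructed DNS records: (timestamp, client IP, queried name).
DNS_RECORDS = [
    ("2020-06-11T09:14:02", "10.1.5.20", "c0nstructed12345.appsync-api.eu-west-1.avsvmcloud.com"),
    ("2020-06-11T09:15:40", "10.1.5.21", "c0nstructed67890.appsync-api.us-east-2.avsvmcloud.com"),
    ("2020-06-11T09:16:11", "10.1.5.22", "updates.notavsvmcloud.com"),  # look-alike, not a hit
    ("2020-06-11T09:16:30", "10.1.5.22", "www.example.com"),
]

# Constructed HTTP/HTTPS records: (timestamp, client IP, Host header or SNI, URI).
HTTP_RECORDS = [
    ("2020-06-11T11:02:05", "10.1.5.20", "stage2.example.com", "/constructed/path"),
    ("2020-06-11T11:03:00", "10.1.5.21", "www.solarwinds.com", "/"),
]


def matches_c2(name, c2_domains=C2_DOMAINS):
    """True if name is a C2 domain or a subdomain of one. The match is on a label
    boundary, so updates.notavsvmcloud.com is not mistaken for avsvmcloud.com."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in c2_domains)


def classify_hosts(dns_records, http_records, orion_hosts, window=timedelta(hours=24)):
    """Per Orion host, return its stage plus the evidence behind it:
    'clean'   - no lookups of C2 domains
    'audited' - DNS beacon(s) only, i.e. the host was evaluated as a target
    'active'  - HTTP/HTTPS to a C2 domain, i.e. the backdoor was tasked
    Each HTTP hit is tagged with whether it fell within `window` after a DNS
    beacon, which is the time period the script output tells you to audit."""
    report = {h: {"stage": "clean", "dns_hits": [], "http_hits": []} for h in orion_hosts}
    for ts, client, name in dns_records:
        if client in report and matches_c2(name):
            report[client]["dns_hits"].append((datetime.fromisoformat(ts), name))
    for ts, client, host, uri in http_records:
        if client not in report or not matches_c2(host):
            continue
        t = datetime.fromisoformat(ts)
        after_beacon = any(
            timedelta(0) <= t - beacon_ts <= window for beacon_ts, _ in report[client]["dns_hits"]
        )
        report[client]["http_hits"].append((t, host, uri, after_beacon))
    for entry in report.values():
        if entry["http_hits"]:
            entry["stage"] = "active"
        elif entry["dns_hits"]:
            entry["stage"] = "audited"
    return report


if __name__ == "__main__":
    for host, entry in sorted(classify_hosts(DNS_RECORDS, HTTP_RECORDS, ORION_HOSTS).items()):
        print(f"{host}: {entry['stage']} "
              f"({len(entry['dns_hits'])} DNS C2 lookups, {len(entry['http_hits'])} HTTP C2 transactions)")
```

With the constructed input, 10.1.5.20 comes out as active (DNS beacon followed by an HTTP transaction to a C2 domain), 10.1.5.21 as audited (beacon only) and 10.1.5.22 as clean; the look-alike name shows why the domain match has to be on a label boundary rather than a plain substring.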
- C2 Activity Map
  - Run a time comparison in Extrahop Reveal(x) on potentially infected devices to audit their communications for unusual connections
- This attack could have been going on since March 2020
  - Look for detections on these devices going back to March 2020 that may include:
    - Command and Control Beaconing
    - Privilege Escalation
    - Cobalt Strike
    - Unusual Login Activity
  - Perform an Active Directory audit using Extrahop Reveal(x)
    - According to CISA Alert AA20-352A: "SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted."
    - More details here:
  - Audit devices with Sunburst hits for impossible login activity:
    - According to CISA Alert AA20-352A: "The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as 'impossible travel.' Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks."
    - https://us-cert.cisa.gov/ncas/alerts/aa20-352a
  - Look for Extrahop Reveal(x) Unusual Login Activity detections on the same devices
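An added example (ours, not Extrahop's detection logic) of the impossible-travel check described in the CISA excerpt above, run over constructed login events with a constructed geolocation table standing in for a GeoIP lookup. The 900 km/h threshold and the VPN egress allowlist are assumptions; the allowlist is how the example handles the VPN false positive CISA calls out.

```python
"""Impossible-travel check over login events, with a VPN egress allowlist."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0  # about airliner speed; anything faster is not real travel

# Constructed geolocation table standing in for a GeoIP database lookup.
GEO = {
    "203.0.113.10": (47.61, -122.33),   # Seattle
    "198.51.100.7": (40.71, -74.01),    # New York
    "192.0.2.55": (52.52, 13.40),       # Berlin
    "198.51.100.99": (37.77, -122.42),  # San Francisco: assumed corporate VPN egress
}
VPN_EGRESS = {"198.51.100.99"}

# Constructed login events: (timestamp, user, source IP).
LOGINS = [
    ("2020-12-14T08:00:00", "svc_orion", "203.0.113.10"),
    ("2020-12-14T08:45:00", "svc_orion", "192.0.2.55"),    # Seattle -> Berlin in 45 min
    ("2020-12-14T09:00:00", "jdoe", "198.51.100.7"),
    ("2020-12-14T09:30:00", "jdoe", "198.51.100.99"),      # New York -> VPN egress in 30 min
    ("2020-12-14T15:00:00", "asmith", "198.51.100.7"),
    ("2020-12-14T23:00:00", "asmith", "203.0.113.10"),     # New York -> Seattle in 8 h
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = (radians(x) for x in (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(logins, geo, vpn_egress=frozenset(), max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, ip_from, ip_to, km, hours, kmh) for each pair of consecutive
    logins by the same user whose implied speed exceeds max_speed_kmh.
    Logins from known VPN egress IPs are skipped: their geolocation is the VPN
    concentrator, not the user, which is the false-positive case CISA notes."""
    by_user = {}
    for ts, user, ip in sorted(logins):          # ISO timestamps sort lexically
        if ip in vpn_egress or ip not in geo:
            continue
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), ip))
    alerts = []
    for user, events in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 == ip2:
                continue
            km = haversine_km(geo[ip1], geo[ip2])
            if km < 1.0:                         # two addresses at the same site
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_speed_kmh:
                alerts.append((user, ip1, ip2, round(km), round(hours, 2), round(kmh)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, hours, kmh in impossible_travel(LOGINS, GEO, VPN_EGRESS):
        print(f"{user}: {src} -> {dst}, {km} km in {hours} h ({kmh} km/h)")
```

With the allowlist in place only svc_orion is flagged (Seattle to Berlin in 45 minutes); without it jdoe's hop onto the VPN egress would also alert, which is exactly the false positive the CISA note warns about. asmith's New York to Seattle login eight hours later is within airline speed and is not flagged.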
- If you believe you have been exposed, follow these steps from CISA Alert AA20-352A
  - Step 1
    - Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion. Analyze for new user or service accounts, privileged or otherwise.
    - Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
    - Review all DNS connections from compromised devices as far back as March 2020 in Extrahop Reveal(x)
  - Step 2
    - Affected organizations should immediately disconnect or power down all instances of affected versions of SolarWinds Orion from their network.
    - Additionally:
      - Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
      - Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
      - Audit all transactions to breached hosts in Extrahop Reveal(x), including DNS and all routable IP communications
  - Step 3
    - Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:
      - Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.
      - Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
      - Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
      - Take actions to remediate kerberoasting, including, as necessary or appropriate, engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to Microsoft's documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448.
        - This goes back to the recommendation above: perform a deep-dive audit of all Active Directory data using Extrahop Reveal(x)
        - Ensure no unneeded or shared super-user accounts (root, admin, su, etc.) remain
        - Require use of multi-factor authentication. If not possible, use long and complex passwords (greater than 25 characters) for service principal accounts, and implement a good rotation policy for these passwords.
        - Replace the user account with a group Managed Service Account (gMSA), and implement Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.
        - Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not DES, RC4, or AES128.
          - Audit encryption standards in Extrahop Reveal(x) to ensure the appropriate encryption is in use
        - Define the security policy setting Network Security: Configure encryption types allowed for Kerberos. Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.
        - See Microsoft's documentation on how to reset the Kerberos Ticket Granting Ticket (krbtgt) password twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password.
  - Engage Extrahop Reveal(x) Advisor Services for assistance with Sunburst response
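An added example (ours, not Extrahop's or Microsoft's tooling) for the encryption-type audit in Step 3. It flags service principals that were issued tickets with DES, RC4 or AES128, working from constructed Kerberos transaction records with the fields you would export from Reveal(x) or a packet capture, and it decodes msDS-SupportedEncryptionTypes and Kerberos policy bitmask values against the AES256-plus-Future setting recommended above. The SPNs, client addresses, account names and mask values are constructed.

```python
"""Audit Kerberos encryption types: tickets seen on the wire and account/policy bitmasks."""
from collections import defaultdict

# Kerberos etype numbers as they appear in AS/TGS exchanges (RFC 3961 / RFC 4120).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}
# CISA's guidance: support only AES256, so DES, RC4 and AES128 are the weak set.
WEAK_ETYPES = {1, 3, 17, 23}

# Bit flags shared by msDS-SupportedEncryptionTypes and the Kerberos policy
# "Network security: Configure encryption types allowed for Kerberos".
ENC_BITS = {
    0x1: "DES_CBC_CRC",
    0x2: "DES_CBC_MD5",
    0x4: "RC4_HMAC_MD5",
    0x8: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
FUTURE_BITS = 0x7FFFFFE0                 # "Future encryption types" in the policy UI
RECOMMENDED_MASK = 0x10 | FUTURE_BITS    # AES256_HMAC_SHA1 + Future encryption types

# Constructed Kerberos transactions: (timestamp, client IP, message, service principal, etype).
KERBEROS_RECORDS = [
    ("2020-12-14T10:00:01", "10.1.5.20", "TGS-REP", "MSSQLSvc/db01.corp.example:1433", 23),
    ("2020-12-14T10:00:02", "10.1.5.20", "TGS-REP", "HTTP/web01.corp.example", 18),
    ("2020-12-14T10:05:17", "10.1.5.31", "TGS-REP", "MSSQLSvc/db01.corp.example:1433", 23),
    ("2020-12-14T10:06:00", "10.1.5.31", "TGS-REP", "cifs/fs01.corp.example", 17),
    ("2020-12-14T10:07:00", "10.1.5.31", "AS-REP", "krbtgt/CORP.EXAMPLE", 18),
]

# Constructed msDS-SupportedEncryptionTypes values as read from service accounts.
ACCOUNT_MASKS = {
    "svc_sql": 0x1C,     # RC4 + AES128 + AES256
    "svc_web": 0x10,     # AES256 only
    "svc_files": 0x0,    # not set: the DC default applies, which historically includes RC4
}


def decode_mask(mask):
    """Names of the encryption types enabled by a bitmask."""
    return {name for bit, name in ENC_BITS.items() if mask & bit}


def mask_is_compliant(mask):
    """True only when AES256 is enabled and no DES/RC4/AES128 bit is set.
    An unset value (0) is not compliant: it defers to the DC default."""
    return bool(mask & 0x10) and not (mask & 0xF)


def weak_tickets_by_service(records):
    """Service principals that were issued tickets with a weak etype, with the
    etype names and requesting clients seen. Only TGS-REP is examined: the
    service ticket's etype is what a kerberoasting attacker cracks offline."""
    findings = defaultdict(lambda: {"etypes": set(), "clients": set()})
    for _ts, client, msg, spn, etype in records:
        if msg == "TGS-REP" and etype in WEAK_ETYPES:
            findings[spn]["etypes"].add(ETYPE_NAMES.get(etype, f"etype-{etype}"))
            findings[spn]["clients"].add(client)
    return dict(findings)


if __name__ == "__main__":
    for spn, f in weak_tickets_by_service(KERBEROS_RECORDS).items():
        print(f"{spn}: weak service tickets {sorted(f['etypes'])} to {sorted(f['clients'])}")
    for account, mask in ACCOUNT_MASKS.items():
        status = "ok" if mask_is_compliant(mask) else "fix"
        print(f"{account}: 0x{mask:x} {sorted(decode_mask(mask))} -> {status}")
    print(f"policy value to set: 0x{RECOMMENDED_MASK:x}")
```

The wire-side check and the directory-side check complement each other: an account can have a compliant msDS-SupportedEncryptionTypes value and still show RC4 tickets in traffic if the policy on the issuing DC has not been set, and a clean traffic sample does not prove the account forbids RC4, so run both before treating kerberoasting as remediated.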
Related Reference Links for more information on Sunburst
Microsoft guide for sunburst:
Fireeye Additional Details:
SolarWinds Backdoor Incident Response Playbook:
Crowdstrike Azure AD tool :
Homeland Security Solarwinds Code Compromise:
https://cyber.dhs.gov/ed/21-01/
Cybersecurity & Infrastructure Security Agency
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
Sentinel One Open Source Attack Assessment Tool
NY Times Article on Possible TeamCity/JetBrains Breach:
Extrahop Video Series on Sunburst