Sunburst Response

There is a lot of information on Sunburst out there. We wanted to create a living post to track relevant and useful resources for responding to a potential Sunburst breach. We assume that you have already run the Sunburst script and had hits. If not, see the blog post here on how to run the Extrahop Reveal(x) Sunburst script:

Script Code Here:

Options for the script (if you have a large environment or run into timeouts, try running it with these variables):

Once you have hits, now what? Let's walk through what to do if you have hits after running the Extrahop Reveal(x) script:

Video on I have Sunburst hits in Reveal(x) – what next?

Investigate the hits

  • Focus on the devices that communicated with known Sunburst IP addresses (the hits from the Extrahop Reveal(x) script).

  • Ensure these devices are in Advanced Analysis (full Layer 7 analysis).

  • Look at DNS logs (Reveal(x) records and/or native DNS server logs) for queries made by the clients listed as hits in the Sunburst script to the specific C2 domains referenced in the Extrahop and Fireeye blogs.

    • This is the reconnaissance stage of the Sunburst attack: the backdoor's DNS beacon identifies the victim to the attacker, who then decides which victims are targets of interest (does the attacker want to attack you?).
    • Hits to the known DNS C2 domains alone do not mean you have been breached; they show that the trojanized Orion component was running and beaconing, and that you were being evaluated as a target of interest.
  • Look for HTTP/HTTPS traffic carrying commands (the attack moves from passive recon to active exploitation).

    • For devices that had Orion agents running and confirmed DNS C2 activity, look for HTTP/HTTPS exploit activity to the known Sunburst second-stage C2 domains.
      • You may need full packet capture to completely audit for compromised connections (details on HTTP payload analysis are in the Fireeye post).
      • Extrahop Reveal(x) decryption can help confirm that malicious payloads are not passing unseen inside TLS, but it only applies to sessions for which you hold the private key (certificates you own). Outbound C2 to attacker-controlled domains will generally not be decryptable, so for those sessions rely on connection metadata (server name, timing, volumes) and packet capture.
      • If you have active HTTP transactions to known Sunburst C2 domains (the domains in the Extrahop Sunburst script) from devices that were running infected Orion agents, it is fair to assume the malware has transitioned from passive to active mode and that you have been breached.
  • C2 Activity Map

    • Run a time comparison in Extrahop Reveal(x) on potentially infected devices to audit their communications for unusual connections.
  • This attack may have been going on since March 2020 (the first trojanized Orion builds date from then).

    • Look for detections on those devices going back to March 2020, which may include:
      • Command and Control Beaconing
      • Privilege Escalation
      • Cobalt Strike
      • Unusual Login Activity
    • Perform an Active Directory audit using Extrahop Reveal(x)
      • According to CISA Alert AA20-352A:
        • SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted
        • More details here:
    • Audit devices with Sunburst hits for impossible-travel login activity:
      • The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks
  • If you believe you have been exposed, follow these steps from the CISA Alert (AA20-352A):

    • Step 1
      • Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion. Analyze for new user or service accounts, privileged or otherwise.
      • Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
        • Review all DNS connections from the compromised devices going back as far as March 2020 in Extrahop Reveal(x).
    • Step 2
      • Affected organizations should immediately disconnect or power down all instances of affected versions of SolarWinds Orion from their network.
      • Additionally:
        • Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
        • Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
          • Audit all transactions to breached hosts in Extrahop Reveal(x), including DNS and all routable IP communications.
    • Step 3
      • Engage Extrahop Reveal(x) Advisor Services for assistance with Sunburst response
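
The triage described in the steps above, as an added example that is not part of the original post and is not the Extrahop Reveal(x) Sunburst script: it correlates constructed DNS, HTTP/HTTPS and login records to classify Orion hosts as recon-only (DNS beacon) or active (second-stage HTTP/HTTPS after the beacon), and applies the CISA impossible-travel check with the VPN exclusion the alert recommends. Hostnames, users, IP addresses, coordinates, the 900 km/h speed threshold and the VPN range are assumptions made for the example; the two domain constants come from the public Fireeye/Extrahop Sunburst reporting and should be replaced with the full IOC list from those posts.

```python
# Added example (not ExtraHop's script or the page's own code): correlates
# constructed DNS, HTTP and login records the way the triage above describes.
# In practice the records would come from Reveal(x) records / native DNS and
# authentication logs; hostnames, IPs and coordinates here are made up.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from math import asin, cos, radians, sin, sqrt

# Domains documented in the public FireEye / ExtraHop SUNBURST reporting: the
# DGA beacons are subdomains of avsvmcloud.com; a few of the second-stage C2
# domains are listed here. Replace with the full IOC list from those posts.
DGA_DOMAIN = "avsvmcloud.com"
SECOND_STAGE = {"freescanonline.com", "deftsecurity.com", "thedoccloud.com"}


def is_sub(name, domain):
    """True if name equals domain or is a subdomain of it."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def triage(orion_hosts, dns_records, http_records):
    """Classify each Orion host as 'none' (no C2 DNS), 'recon' (DGA beacon only:
    evaluated as a target) or 'active' (second-stage HTTP/HTTPS after the beacon:
    assume breach). Records are (timestamp, host, queried-or-contacted name)."""
    first_beacon = {}
    for ts, host, qname in dns_records:
        if host in orion_hosts and is_sub(qname, DGA_DOMAIN):
            first_beacon[host] = min(ts, first_beacon.get(host, ts))
    verdict = {h: "recon" if h in first_beacon else "none" for h in orion_hosts}
    for ts, host, server in http_records:
        # The second stage is reached via the beacon's CNAME answer, so only
        # contacts after the first beacon on a beaconing host are attributed to it.
        if host in first_beacon and ts >= first_beacon[host] \
                and any(is_sub(server, d) for d in SECOND_STAGE):
            verdict[host] = "active"
    return verdict


def km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(logins, geo, vpn_nets, max_kmh=900):
    """Flag consecutive logins by one user from IPs too far apart to travel between
    at max_kmh in the elapsed time. Logins from known VPN egress ranges are
    skipped, the false-positive source the CISA alert warns about.
    logins: (timestamp, user, src_ip); geo: ip -> (lat, lon); vpn_nets: ip_network set."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(logins):
        if any(ip_address(ip) in net for net in vpn_nets):
            continue
        by_user[user].append((ts, ip))
    flags = []
    for user, events in by_user.items():
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            dist = km(geo[ip1], geo[ip2])
            if dist > max_kmh * hours:
                flags.append((user, ip1, ip2, t1, t2, round(dist)))
    return flags


# Constructed sample data (TEST-NET addresses, invented hostnames and users).
T0 = datetime(2020, 6, 1, 9, 0)
ORION_HOSTS = {"orion01", "orion02", "orion03"}
DNS = [
    (T0, "orion01", "k9pc7.appsync-api.eu-west-1.avsvmcloud.com"),
    (T0, "orion02", "mb3qx.appsync-api.us-east-2.avsvmcloud.com"),
    (T0, "orion03", "downloads.solarwinds.com"),
]
HTTP = [
    (T0 + timedelta(hours=2), "orion01", "freescanonline.com"),  # after beacon: active
    (T0 - timedelta(days=1), "orion02", "deftsecurity.com"),     # before beacon: review separately
    (T0 + timedelta(hours=1), "orion03", "downloads.solarwinds.com"),
]
GEO = {"203.0.113.10": (40.7, -74.0), "198.51.100.20": (51.5, -0.1), "192.0.2.30": (37.8, -122.4)}
VPN_NETS = {ip_network("192.0.2.0/24")}
LOGINS = [
    (T0, "svc_orion", "203.0.113.10"),
    (T0 + timedelta(hours=1), "svc_orion", "198.51.100.20"),  # ~5,570 km in 1 h: impossible
    (T0 + timedelta(hours=2), "svc_orion", "192.0.2.30"),     # VPN egress: ignored
    (T0, "alice", "203.0.113.10"),
    (T0 + timedelta(hours=9), "alice", "198.51.100.20"),      # 9 h: a plausible flight
]

if __name__ == "__main__":
    print(triage(ORION_HOSTS, DNS, HTTP))
    for flag in impossible_travel(LOGINS, GEO, VPN_NETS):
        print("impossible travel:", flag)
```

Two design choices worth noting: a second-stage contact with no preceding beacon on that host (orion02 in the sample) is deliberately not promoted to "active", because the Sunburst second stage is only reached through the beacon's DNS answer; such a contact still deserves its own review. The VPN exclusion is a set of known egress ranges rather than a geo lookup, since the CISA note is about your own users' VPN concentrators, which you can enumerate.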

Related Reference Links for more information on Sunburst

Microsoft guide for Sunburst:

Fireeye additional details:

Solarwinds backdoor incident response playbook:

Crowdstrike Azure AD tool:

Homeland Security Solarwinds code compromise:

Cybersecurity & Infrastructure Security Agency (CISA):

SentinelOne open source attack assessment tool:

NY Times article on possible TeamCity / JetBrains breach:

Extrahop video series on Sunburst: