security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[Rule Deprecation] SUNBURST Command and Control Activity (#5928)

Browse Source
This commit is contained in:
Jonhnathan
2026-04-08 09:25:05 -03:00
committed by GitHub
parent 9999336f5e
commit 09e5bf04f4
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+3 -3
View File
@@ -2,7 +2,7 @@
creation_date = "2020/12/14"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/02/03"
updated_date = "2026/04/07"
[transform]
[[transform.osquery]]
@@ -40,10 +40,10 @@ from = "now-9m"
index = ["logs-endpoint.events.network-*"]
language = "eql"
license = "Elastic License v2"
name = "SUNBURST Command and Control Activity"
name = "Deprecated - SUNBURST Command and Control Activity"
note = """## Triage and analysis
### Investigating SUNBURST Command and Control Activity
### Investigating Deprecated - SUNBURST Command and Control Activity
SUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.