From 09e5bf04f4af8d6fdf24c29221c746357f96ff96 Mon Sep 17 00:00:00 2001
From: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Date: Wed, 8 Apr 2026 09:25:05 -0300
Subject: [PATCH] [Rule Deprecation] SUNBURST Command and Control Activity (#5928)

---
 .../command_and_control_sunburst_c2_activity_detected.toml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
index 53c16e9ff..180d73293 100644
--- a/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
+++ b/rules/windows/command_and_control_sunburst_c2_activity_detected.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/02/03"
+updated_date = "2026/04/07"
 
 [transform]
 [[transform.osquery]]
@@ -40,10 +40,10 @@
 from = "now-9m"
 index = ["logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
-name = "SUNBURST Command and Control Activity"
+name = "Deprecated - SUNBURST Command and Control Activity"
 note = """## Triage and analysis
 
-### Investigating SUNBURST Command and Control Activity
+### Investigating Deprecated - SUNBURST Command and Control Activity
 
 SUNBURST is a trojanized version of a digitally signed SolarWinds Orion plugin called SolarWinds.Orion.Core.BusinessLayer.dll. The plugin contains a backdoor that communicates via HTTP to third-party servers. After an initial dormant period of up to two weeks, SUNBURST may retrieve and execute commands that instruct the backdoor to transfer files, execute files, profile the system, reboot the system, and disable system services. The malware's network traffic attempts to blend in with legitimate SolarWinds activity by imitating the Orion Improvement Program (OIP) protocol, and the malware stores persistent state data within legitimate plugin configuration files. The backdoor uses multiple obfuscated blocklists to identify processes, services, and drivers associated with forensic and anti-virus tools.
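Review bot: The deprecation is carried only by the `name` string in this hunk; the unchanged context line `maturity = "production"` in the first hunk and the path under `rules/windows/` still present the rule as live, so any packaging or documentation step that keys deprecation off `maturity` rather than the title will keep shipping it as active — if the project convention is `maturity = "deprecated"` together with a move to its deprecated-rules directory, this change looks incomplete. The `note` field also gains no statement of why the rule is retired or what supersedes it, which is what an analyst opening a historical alert will want first; a line under the new heading along the lines of `Deprecated on 2026/04/07 — reason: <REASON>; superseded by: <RULE_NAME or none>` (placeholders to fill) would cover that. The heading `### Investigating Deprecated - SUNBURST Command and Control Activity` also reads as if "Deprecated" were part of the malware name; `### Investigating SUNBURST Command and Control Activity (deprecated rule)` keeps the threat name intact while still flagging the status.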