
Solarwinds/Sunburst Campaign - MITRE ATT&CK Techniques

April 13, 2021
Rafael Tenorio & Sergio Delgado - One eSecurity

The analysis of the reports listed in the References section below yields the following MITRE ATT&CK techniques associated with the campaign and threat actor. The "Solarwinds Flavor" column records which campaign component (Sunburst, Sunspot, Teardrop, Raindrop) or which actor/campaign name used by the reporting vendor (UNC2452, Dark Halo, SolarStorm, Solorigate) the technique is attributed to:

ID | TTP | Name | Solarwinds Flavor | Reference
1 | T1059 | Command and Scripting Interpreter | UNC2452/Dark Halo/SolarStorm | https://attack.mitre.org/techniques/T1059/
2 | T1059.001 | Command and Scripting Interpreter: PowerShell | UNC2452 | https://attack.mitre.org/techniques/T1059/001
3 | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | UNC2452 | https://attack.mitre.org/techniques/T1059/003
4 | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sunburst / UNC2452 | https://attack.mitre.org/techniques/T1059/005
5 | T1105 | Ingress Tool Transfer | UNC2452/Dark Halo/SolarStorm | https://attack.mitre.org/techniques/T1105/
6 | T1218.011 | Signed Binary Proxy Execution: Rundll32 | UNC2452/Dark Halo/SolarStorm | https://attack.mitre.org/techniques/T1218/011
7 | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | UNC2452/Dark Halo/SolarStorm | https://attack.mitre.org/techniques/T1195/002
8 | T1070 | Indicator Removal on Host | UNC2452 | https://attack.mitre.org/techniques/T1070/
9 | T1070.006 | Indicator Removal on Host: Timestomp | UNC2452 | https://attack.mitre.org/techniques/T1070/006
10 | T1098.002 | Account Manipulation: Exchange Email Delegate Permissions | UNC2452 | https://attack.mitre.org/techniques/T1098/002/
11 | T1098.001 | Account Manipulation: Additional Cloud Credentials | Solorigate | https://attack.mitre.org/techniques/T1098/001/
12 | T1606.001 | Forge Web Credentials: Web Cookies | UNC2452 | https://attack.mitre.org/techniques/T1606/001/
13 | T1606.002 | Forge Web Credentials: SAML Tokens | UNC2452 | https://attack.mitre.org/techniques/T1606/002/
14 | T1552.004 | Unsecured Credentials: Private Keys | UNC2452 | https://attack.mitre.org/techniques/T1552/004/
15 | T1484.002 | Domain Policy Modification: Domain Trust Modification | Solorigate | https://attack.mitre.org/techniques/T1484/002/
16 | T1071.001 | Application Layer Protocol: Web Protocols | Sunburst | https://attack.mitre.org/techniques/T1071/001
17 | T1071.004 | Application Layer Protocol: DNS | Sunburst | https://attack.mitre.org/techniques/T1071/004
18 | T1482 | Domain Trust Discovery | UNC2452 | https://attack.mitre.org/techniques/T1482
19 | T1132.001 | Data Encoding: Standard Encoding | Sunburst | https://attack.mitre.org/techniques/T1132/001
20 | T1005 | Data from Local System | Sunburst | https://attack.mitre.org/techniques/T1005
21 | T1001.001 | Data Obfuscation: Junk Data | Sunburst | https://attack.mitre.org/techniques/T1001/001
22 | T1001.002 | Data Obfuscation: Steganography | Sunburst | https://attack.mitre.org/techniques/T1001/002
23 | T1001.003 | Data Obfuscation: Protocol Impersonation | Sunburst | https://attack.mitre.org/techniques/T1001/003
24 | T1568 | Dynamic Resolution | Sunburst | https://attack.mitre.org/techniques/T1568
25 | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sunburst | https://attack.mitre.org/techniques/T1573/001
26 | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | UNC2452 | https://attack.mitre.org/techniques/T1546/003
27 | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | Sunburst | https://attack.mitre.org/techniques/T1546/012
28 | T1083 | File and Directory Discovery | Sunburst / Sunspot | https://attack.mitre.org/techniques/T1083
29 | T1562.001 | Impair Defenses: Disable or Modify Tools | Sunburst | https://attack.mitre.org/techniques/T1562/001
30 | T1562.002 | Impair Defenses: Disable Windows Event Logging | UNC2452 | https://attack.mitre.org/techniques/T1562/002
31 | T1562.004 | Impair Defenses: Disable or Modify System Firewall | UNC2452 | https://attack.mitre.org/techniques/T1562/004
32 | T1070.004 | Indicator Removal on Host: File Deletion | Sunburst / Sunspot | https://attack.mitre.org/techniques/T1070/004
33 | T1036 | Masquerading | Raindrop | https://attack.mitre.org/techniques/T1036
34 | T1036.004 | Masquerading: Masquerade Task or Service | UNC2452 | https://attack.mitre.org/techniques/T1036/004
35 | T1036.005 | Masquerading: Match Legitimate Name or Location | Sunburst / Teardrop / Sunspot / Raindrop | https://attack.mitre.org/techniques/T1036/005
36 | T1112 | Modify Registry | Sunburst / Teardrop | https://attack.mitre.org/techniques/T1112
37 | T1027 | Obfuscated Files or Information | Sunburst / Teardrop / Sunspot | https://attack.mitre.org/techniques/T1027
38 | T1027.002 | Obfuscated Files or Information: Software Packing | Raindrop | https://attack.mitre.org/techniques/T1027/002
39 | T1027.003 | Obfuscated Files or Information: Steganography | Raindrop | https://attack.mitre.org/techniques/T1027/003
40 | T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools | Sunburst | https://attack.mitre.org/techniques/T1027/005
41 | T1057 | Process Discovery | Sunburst / Teardrop / Sunspot | https://attack.mitre.org/techniques/T1057
42 | T1012 | Query Registry | Sunburst / Teardrop | https://attack.mitre.org/techniques/T1012
43 | T1518.001 | Software Discovery: Security Software Discovery | Sunburst | https://attack.mitre.org/techniques/T1518/001
44 | T1553.002 | Subvert Trust Controls: Code Signing | Sunburst | https://attack.mitre.org/techniques/T1553/002
45 | T1082 | System Information Discovery | Sunburst | https://attack.mitre.org/techniques/T1082
46 | T1016 | System Network Configuration Discovery | Sunburst | https://attack.mitre.org/techniques/T1016
47 | T1033 | System Owner/User Discovery | Sunburst | https://attack.mitre.org/techniques/T1033
48 | T1007 | System Service Discovery | Sunburst | https://attack.mitre.org/techniques/T1007
49 | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Sunburst / Raindrop | https://attack.mitre.org/techniques/T1497/003
50 | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Sunburst | https://attack.mitre.org/techniques/T1497/001
51 | T1047 | Windows Management Instrumentation | Sunburst | https://attack.mitre.org/techniques/T1047
52 | T1543.003 | Create or Modify System Process: Windows Service | Teardrop | https://attack.mitre.org/techniques/T1543/003
53 | T1140 | Deobfuscate/Decode Files or Information | Teardrop / Sunspot / Raindrop | https://attack.mitre.org/techniques/T1140
54 | T1134 | Access Token Manipulation | Sunspot | https://attack.mitre.org/techniques/T1134
55 | T1565.001 | Data Manipulation: Stored Data Manipulation | Sunspot | https://attack.mitre.org/techniques/T1565/001
56 | T1480 | Execution Guardrails | Sunspot | https://attack.mitre.org/techniques/T1480
57 | T1106 | Native API | Sunspot | https://attack.mitre.org/techniques/T1106
58 | T1087 | Account Discovery | UNC2452 | https://attack.mitre.org/techniques/T1087
59 | T1560.001 | Archive Collected Data: Archive via Utility | UNC2452 | https://attack.mitre.org/techniques/T1560/001
60 | T1555 | Credentials from Password Stores | UNC2452 | https://attack.mitre.org/techniques/T1555
61 | T1074.002 | Data Staged: Remote Data Staging | UNC2452 | https://attack.mitre.org/techniques/T1074/002
62 | T1587.001 | Develop Capabilities: Malware | UNC2452 | https://attack.mitre.org/techniques/T1587/001
63 | T1114.002 | Email Collection: Remote Email Collection | UNC2452 | https://attack.mitre.org/techniques/T1114/002
64 | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | UNC2452 | https://attack.mitre.org/techniques/T1048/002
65 | T1190 | Exploit Public-Facing Application | UNC2452 | https://attack.mitre.org/techniques/T1190
66 | T1003.006 | OS Credential Dumping: DCSync | UNC2452 | https://attack.mitre.org/techniques/T1003/006
67 | T1069 | Permission Groups Discovery | UNC2452 | https://attack.mitre.org/techniques/T1069
68 | T1090.001 | Proxy: Internal Proxy | UNC2452 | https://attack.mitre.org/techniques/T1090/001
69 | T1021.006 | Remote Services: Windows Remote Management | UNC2452 | https://attack.mitre.org/techniques/T1021/006
70 | T1018 | Remote System Discovery | UNC2452 | https://attack.mitre.org/techniques/T1018
71 | T1053.005 | Scheduled Task/Job: Scheduled Task | UNC2452 | https://attack.mitre.org/techniques/T1053/005
72 | T1550 | Use Alternate Authentication Material | UNC2452 | https://attack.mitre.org/techniques/T1550/
73 | T1550.004 | Use Alternate Authentication Material: Web Session Cookie | UNC2452 | https://attack.mitre.org/techniques/T1550/004
74 | T1078 | Valid Accounts | UNC2452 | https://attack.mitre.org/techniques/T1078
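A mapping like the one above is only useful once it can be loaded into tooling, and tables maintained by hand tend to accumulate rows whose ATT&CK ID and reference URL disagree. The following script is an added example, not code from the DS4N6 project or the original post: it parses pipe-delimited rows in the table's column order (ID, name, flavor, reference), checks that each reference URL resolves to the same technique ID as the row, counts techniques per component/actor label, and emits an ATT&CK Navigator layer. The rows embedded in `ROWS` are a constructed subset of the mapping, with the T1132.001 row deliberately given a parent-technique URL so the check has something to report; the Navigator `versions` numbers are assumptions and should be set to match the Navigator instance in use.

```python
"""Turn a plain-text ATT&CK technique table into a Navigator layer, checking
each row's technique ID against its attack.mitre.org reference on the way."""
import json
import re
from collections import Counter

# Constructed subset of the mapping table. The T1132.001 row is deliberately
# given a parent-technique URL so that check_rows() has something to report.
ROWS = """
T1059.001 | Command and Scripting Interpreter: PowerShell | UNC2452 | https://attack.mitre.org/techniques/T1059/001
T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | UNC2452/Dark Halo/SolarStorm | https://attack.mitre.org/techniques/T1195/002
T1071.004 | Application Layer Protocol: DNS | Sunburst | https://attack.mitre.org/techniques/T1071/004
T1560.001 | Archive Collected Data: Archive via Utility | UNC2452 | https://attack.mitre.org/techniques/T1560/001
T1132.001 | Data Encoding: Standard Encoding | Sunburst | https://attack.mitre.org/techniques/T1132
T1078 | Valid Accounts | UNC2452 | https://attack.mitre.org/techniques/T1078
"""

TECH_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")
TECH_URL = re.compile(r"^https://attack\.mitre\.org/techniques/(T\d{4})(?:/(\d{3}))?/?$")


def parse_rows(text):
    """Parse 'ID | Name | Flavor | Reference' lines into dicts."""
    rows = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 4:
            raise ValueError(f"expected 4 columns, got {len(parts)}: {line!r}")
        tid, name, flavor, url = parts
        rows.append({"id": tid, "name": name, "flavor": flavor, "url": url})
    return rows


def url_to_id(url):
    """Map an attack.mitre.org technique URL back to its ATT&CK ID, or None."""
    m = TECH_URL.match(url)
    if not m:
        return None
    parent, sub = m.groups()
    return f"{parent}.{sub}" if sub else parent


def check_rows(rows):
    """Return (id, problem) pairs for malformed IDs or references that point elsewhere."""
    problems = []
    for r in rows:
        if not TECH_ID.match(r["id"]):
            problems.append((r["id"], "malformed technique ID"))
            continue
        linked = url_to_id(r["url"])
        if linked != r["id"]:
            problems.append((r["id"], f"reference URL resolves to {linked}"))
    return problems


def count_by_flavor(rows):
    """Number of techniques attributed to each component/actor label in the Flavor column."""
    counts = Counter()
    for r in rows:
        for label in r["flavor"].split("/"):
            counts[label.strip()] += 1
    return dict(counts)


def build_layer(rows, name="Solarwinds/Sunburst campaign TTPs"):
    """Build an ATT&CK Navigator layer (v4.x layer format). The version numbers
    below are assumptions; set them to match the Navigator instance in use."""
    techniques = [
        {"techniqueID": r["id"], "score": 1, "comment": r["flavor"], "enabled": True}
        for r in rows
    ]
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "description": "Techniques observed in the Solarwinds/Sunburst campaign, from the mapping table.",
        "techniques": techniques,
    }


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    for tid, problem in check_rows(rows):
        print(f"WARNING {tid}: {problem}")
    print(count_by_flavor(rows))
    print(json.dumps(build_layer(rows), indent=2))
```

Running it prints one warning for the T1132.001 row, the per-label counts, and the layer JSON, which can be loaded through Navigator's "Open Existing Layer" option. Each technique gets a score of 1 with the flavor string as its comment; to weight techniques by the number of reporting sources instead, feed `build_layer` rows from several reports and sum the scores per ID before emitting.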

References