// Graylog pipeline rule: tags a message as a SUNBURST command-and-control hit when its
// destination IP is one of the published SUNBURST C2 indicators listed below.
// Indicator sources (all from the December 2020 disclosures) are linked in the comments
// inside the rule. Indicators of this kind age: the addresses were observed at a point in
// time and may since have been reassigned, so the list needs periodic review.
rule "command_and_control_sunburst_dst_ip"
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
// https://us-cert.cisa.gov/ncas/alerts/aa20-352a
when
    // Both fields must be present; messages without a dst_ip or without the
    // internal/external classification never match.
    has_field("dst_ip_is_internal")
    AND
    // Only external (outbound) destinations are examined. The field is compared as the
    // string "false", so a boolean false and the literal string "false" both pass here.
    to_string($message.dst_ip_is_internal) == "false"
    AND
    has_field("dst_ip")
    AND
    (
        // Exact-match list of single C2 addresses. These are plain string comparisons, so
        // dst_ip must carry the address in canonical dotted-quad form; a value with
        // leading zeros, a port suffix or an IPv6-mapped form would not match.
        // NOTE(review): confirm how dst_ip is normalised upstream.
        to_string($message.dst_ip) == "13.59.205.66"
        OR
        to_string($message.dst_ip) == "54.193.127.66"
        OR
        to_string($message.dst_ip) == "54.215.192.52"
        OR
        to_string($message.dst_ip) == "34.203.203.23"
        OR
        to_string($message.dst_ip) == "139.99.115.204"
        OR
        to_string($message.dst_ip) == "5.252.177.25"
        OR
        to_string($message.dst_ip) == "5.252.177.21"
        OR
        to_string($message.dst_ip) == "204.188.205.176"
        OR
        to_string($message.dst_ip) == "51.89.125.18"
        OR
        to_string($message.dst_ip) == "167.114.213.199"
        OR
        to_string($message.dst_ip) == "98.225.248.37"
        OR
        to_string($message.dst_ip) == "13.57.184.217"
        OR
        to_string($message.dst_ip) == "18.217.225.111"
        OR
        to_string($message.dst_ip) == "18.220.219.143"
        OR
        to_string($message.dst_ip) == "20.141.48.154"
        OR
        to_string($message.dst_ip) == "34.219.234.134"
        OR
        to_string($message.dst_ip) == "196.203.11.89"
        OR
        to_string($message.dst_ip) == "3.87.182.149"
        OR
        to_string($message.dst_ip) == "3.16.81.254"
        OR
        to_string($message.dst_ip) == "184.72.1.3"
        OR
        to_string($message.dst_ip) == "184.72.21.54"
        OR
        to_string($message.dst_ip) == "184.72.48.22"
        OR
        to_string($message.dst_ip) == "184.72.101.22"
        OR
        to_string($message.dst_ip) == "184.72.113.55"
        OR
        to_string($message.dst_ip) == "184.72.145.34"
        OR
        to_string($message.dst_ip) == "184.72.209.33"
        OR
        to_string($message.dst_ip) == "184.72.212.52"
        OR
        to_string($message.dst_ip) == "184.72.224.3"
        OR
        to_string($message.dst_ip) == "184.72.229.1"
        OR
        to_string($message.dst_ip) == "184.72.240.3"
        OR
        to_string($message.dst_ip) == "184.72.245.1"
        OR
        // CIDR matches for ip's from the fireeye report
        // Potential for false positives
        // The four ranges below (/22 to /24) are much wider than single hosts, so any
        // benign service living in the same range also fires this rule; hits from these
        // clauses deserve more scrutiny than an exact-match hit. They sit after the
        // exact-match list so, assuming OR short-circuits, to_ip() is only evaluated
        // when no single address matched.
        // NOTE(review): to_ip() on a dst_ip that is not a parseable address — behaviour
        // depends on the Graylog version; confirm it cannot abort rule evaluation.
        cidr_match("144.86.226.0/24", to_ip($message.dst_ip))
        OR
        cidr_match("131.228.12.0/22", to_ip($message.dst_ip))
        OR
        cidr_match("96.31.172.0/24", to_ip($message.dst_ip))
        OR
        // CIDR matches from ip's observed in cisa report https://us-cert.cisa.gov/ncas/alerts/aa20-352a
        cidr_match("8.18.144.0/23", to_ip($message.dst_ip))
    )
then
    // Enrichment only: the message is tagged, not dropped or routed. Downstream
    // alerting is expected to key on threat_detected / threat_name.
    set_field("threat_detected", true);
    set_field("threat_name", "command_and_control_sunburst_dst_ip");
    set_field("threat_desc", "Detected an outbound connection to a known sunburst c2 ip");
    // MITRE ATT&CK tactic label for the hit.
    set_field("threat_tactic", "command_and_control");
    // NOTE(review): the score scale is not defined in this rule; presumably 10 is the
    // maximum used across the rule set — verify against sibling rules.
    set_field("threat_score", 10);
end