Data hosted with ♥ by Pastebin.com - Download Raw - See Original
  1. rule "command_and_control_sunburst_dst_ip"
  2. // https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
  3. // https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  4. // https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
  5. // https://us-cert.cisa.gov/ncas/alerts/aa20-352a
  6. when
  7. has_field("dst_ip_is_internal")
  8. AND
  9. to_string($message.dst_ip_is_internal) == "false"
  10. AND
  11. has_field("dst_ip")
  12. AND
  13. (
  14. to_string($message.dst_ip) == "13.59.205.66"
  15. OR
  16. to_string($message.dst_ip) == "54.193.127.66"
  17. OR
  18. to_string($message.dst_ip) == "54.215.192.52"
  19. OR
  20. to_string($message.dst_ip) == "34.203.203.23"
  21. OR
  22. to_string($message.dst_ip) == "139.99.115.204"
  23. OR
  24. to_string($message.dst_ip) == "5.252.177.25"
  25. OR
  26. to_string($message.dst_ip) == "5.252.177.21"
  27. OR
  28. to_string($message.dst_ip) == "204.188.205.176"
  29. OR
  30. to_string($message.dst_ip) == "51.89.125.18"
  31. OR
  32. to_string($message.dst_ip) == "167.114.213.199"
  33. OR
  34. to_string($message.dst_ip) == "98.225.248.37"
  35. OR
  36. to_string($message.dst_ip) == "13.57.184.217"
  37. OR
  38. to_string($message.dst_ip) == "18.217.225.111"
  39. OR
  40. to_string($message.dst_ip) == "18.220.219.143"
  41. OR
  42. to_string($message.dst_ip) == "20.141.48.154"
  43. OR
  44. to_string($message.dst_ip) == "34.219.234.134"
  45. OR
  46. to_string($message.dst_ip) == "196.203.11.89"
  47. OR
  48. to_string($message.dst_ip) == "3.87.182.149"
  49. OR
  50. to_string($message.dst_ip) == "3.16.81.254"
  51. OR
  52. to_string($message.dst_ip) == "184.72.1.3"
  53. OR
  54. to_string($message.dst_ip) == "184.72.21.54"
  55. OR
  56. to_string($message.dst_ip) == "184.72.48.22"
  57. OR
  58. to_string($message.dst_ip) == "184.72.101.22"
  59. OR
  60. to_string($message.dst_ip) == "184.72.113.55"
  61. OR
  62. to_string($message.dst_ip) == "184.72.145.34"
  63. OR
  64. to_string($message.dst_ip) == "184.72.209.33"
  65. OR
  66. to_string($message.dst_ip) == "184.72.212.52"
  67. OR
  68. to_string($message.dst_ip) == "184.72.224.3"
  69. OR
  70. to_string($message.dst_ip) == "184.72.229.1"
  71. OR
  72. to_string($message.dst_ip) == "184.72.240.3"
  73. OR
  74. to_string($message.dst_ip) == "184.72.245.1"
  75. OR
  76. // CIDR matches for ip's from the fireeye report
  77. // Potential for false positives
  78. cidr_match("144.86.226.0/24", to_ip($message.dst_ip))
  79. OR
  80. cidr_match("131.228.12.0/22", to_ip($message.dst_ip))
  81. OR
  82. cidr_match("96.31.172.0/24", to_ip($message.dst_ip))
  83. OR
  84. // CIDR matches from ip's observed in cisa report https://us-cert.cisa.gov/ncas/alerts/aa20-352a
  85. cidr_match("8.18.144.0/23", to_ip($message.dst_ip))
  86. )
  87.  
  88. then
  89. set_field("threat_detected", true);
  90. set_field("threat_name", "command_and_control_sunburst_dst_ip");
  91. set_field("threat_desc", "Detected an outbound connection to a known sunburst c2 ip");
  92. set_field("threat_tactic", "command_and_control");
  93. set_field("threat_score", 10);
  94.  
  95. end