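rule "command_and_control_sunburst_dst_hostname"
// Flags an outbound connection whose destination hostname is a known SUNBURST C2 domain.
//
// Domain list taken from:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
//
// Reads:  dst_ip_is_internal - must be "false"; only outbound traffic is in scope
//         dst_hostname       - compared case-insensitively against the IoC domains
// Writes: threat_detected, threat_name, threat_desc, threat_tactic, threat_score
//
// The hostname is matched at a DNS label boundary: it must be the IoC domain itself
// or a subdomain of it (an optional trailing dot is tolerated). A plain substring
// test would also fire on unrelated hosts such as "allcomputers.com" (which contains
// "lcomputers.com") or "xkubecloud.com", so the pattern is anchored on both ends.
when
has_field("dst_ip_is_internal")
AND
to_string($message.dst_ip_is_internal) == "false"
AND
has_field("dst_hostname")
AND
// (?i)          case-insensitive, same as the ignore_case flag of contains()
// ^(.*\.)?      either nothing or any subdomain prefix ending in a dot
// (...)         the IoC apex domains, dots escaped so they match literally
// \.?$          optional trailing dot (FQDN form), then end of string
regex(
  "(?i)^(.*\\.)?(avsvmcloud\\.com|freescanonline\\.com|deftsecurity\\.com|thedoccloud\\.com|websitetheme\\.com|highdatabase\\.com|incomeupdate\\.com|databasegalore\\.com|panhardware\\.com|zupertech\\.com|digitalcollege\\.org|globalnetworkissues\\.com|kubecloud\\.com|lcomputers\\.com|seobundlekit\\.com|virtualwebdata\\.com|webcodez\\.com)\\.?$",
  to_string($message.dst_hostname)
).matches
then
// Enrichment fields consumed by downstream alerting; names and values kept as-is.
set_field("threat_detected", true);
set_field("threat_name", "command_and_control_sunburst_dst_hostname");
set_field("threat_desc", "Detected an outbound connection to a known sunburst c2 domain");
set_field("threat_tactic", "command_and_control");
set_field("threat_score", 10);
end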