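rule "command_and_control_sunburst_dst_hostname"
// Flags an outbound connection (destination IP not internal) whose destination hostname is
// a known SUNBURST / SolarWinds C2 domain. Domain list taken from:
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
//
// Inputs read:  dst_ip_is_internal (compared as the string "false"), dst_hostname.
// Fields set:   threat_detected, threat_name, threat_desc, threat_tactic, threat_score.
//
// Matching rule: the C2 domain must be the hostname itself OR a parent domain of it
// (SUNBURST beaconed to generated subdomains of these domains, e.g. *.avsvmcloud.com).
// A plain substring test (contains) also fires on unrelated registered domains that merely
// end in the same characters - "dellcomputers.com" contains "lcomputers.com",
// "mywebsitetheme.com" contains "websitetheme.com" - which are false positives, not IOCs.
// To get exact-or-subdomain matching without a let binding (not allowed in `when`), the
// hostname is prefixed with "." and compared case-insensitively with ends_with(".<domain>"):
// ".abc.avsvmcloud.com" and ".avsvmcloud.com" match, ".notavsvmcloud.com" does not.
//
// Caveats: a trailing-dot FQDN ("avsvmcloud.com.") is NOT matched - normalise it upstream
// if your DNS/proxy source emits that form. Only dst_hostname is inspected; a beacon logged
// with an IP but no hostname is not covered by this rule. Consider moving the indicator list
// to a lookup table (lookup_has_value) so it can be updated without editing the rule.
when
  has_field("dst_ip_is_internal")
  AND
  to_string($message.dst_ip_is_internal) == "false"
  AND
  has_field("dst_hostname")
  AND
  (
    ends_with(concat(".", to_string($message.dst_hostname)), ".avsvmcloud.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".freescanonline.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".deftsecurity.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".thedoccloud.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".websitetheme.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".highdatabase.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".incomeupdate.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".databasegalore.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".panhardware.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".zupertech.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".digitalcollege.org", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".globalnetworkissues.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".kubecloud.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".lcomputers.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".seobundlekit.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".virtualwebdata.com", true)
    OR
    ends_with(concat(".", to_string($message.dst_hostname)), ".webcodez.com", true)
  )
then
  // Same enrichment fields as before; threat_score 10 is the rule author's severity scale.
  set_field("threat_detected", true);
  set_field("threat_name", "command_and_control_sunburst_dst_hostname");
  set_field("threat_desc", "Detected an outbound connection to a known sunburst c2 domain");
  set_field("threat_tactic", "command_and_control");
  set_field("threat_score", 10);
end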