# nobelium_group.yml
name: NOBELIUM Group
id: 758196b5-2e21-424f-a50c-6e421ce926c2
version: 2
date: '2020-12-14'
author: Patrick Bareiss, Michael Haag, Splunk
description: Sunburst is a trojanized update to the SolarWinds Orion IT monitoring and
  management software. It was discovered by FireEye in December 2020. The actors behind
  this campaign gained access to numerous public and private organizations around
  the world.
narrative: This Analytic Story helps you detect the Tactics, Techniques and Procedures
  (TTPs) of the NOBELIUM Group. The threat actor behind Sunburst compromised SolarWinds.Orion.Core.BusinessLayer.dll,
  a digitally signed SolarWinds component of the Orion software framework, so that it
  contains a backdoor that communicates over HTTP with third-party servers. The detections
  in this Analytic Story focus on DLL load events, file create events
  and network events to detect this malware.
references:
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
tags:
  analytic_story: NOBELIUM Group
  category:
  - Adversary Tactics
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection
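The narrative says the story's detections correlate DLL load, file create and network events around the trojanized DLL. The script below is an added illustration of that correlation over constructed Sysmon-style records; it is not one of the Splunk detections that belong to this Analytic Story, which live in separate detection files. The record layout, the Orion host process name, the set of expected DLL writers, the expected destination suffixes, the one-hour attribution window and every sample event are assumptions made for the example (the Sysmon event IDs 7, 11 and 3 are the real ones).

```python
"""Correlate DLL load, file create and network events for the Sunburst DLL.

Illustrative only: constructed Sysmon-style records and assumed field names,
not the Splunk detections that belong to this Analytic Story.
"""
import ntpath
from datetime import datetime, timedelta

# The trojanized component named in the story narrative.
SUNBURST_DLL = "SolarWinds.Orion.Core.BusinessLayer.dll"

# Assumptions for the example: which process is expected to write the DLL,
# which destinations the Orion host process is expected to reach, and how
# long after the DLL load an outbound connection is still attributed to it.
EXPECTED_WRITERS = {"msiexec.exe"}
EXPECTED_DEST_SUFFIXES = (".solarwinds.com",)
WINDOW = timedelta(hours=1)

# Sysmon event IDs (real IDs; the record layout below is an assumption).
IMAGE_LOAD, NETWORK_CONNECT, FILE_CREATE = 7, 3, 11

# Constructed sample events (process and host names are made up for the example).
SAMPLE_EVENTS = [
    # Legitimate install writes the DLL via the Windows installer: not flagged.
    {"time": "2020-12-14T10:00:00", "host": "orion01", "pid": 4120,
     "event_id": FILE_CREATE, "image": r"C:\Windows\System32\msiexec.exe",
     "target_filename": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"},
    # The Orion host process loads the DLL (process name assumed for the example).
    {"time": "2020-12-14T10:05:00", "host": "orion01", "pid": 5004,
     "event_id": IMAGE_LOAD,
     "image": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.BusinessLayerHost.exe",
     "image_loaded": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"},
    # Expected vendor traffic after the load: not flagged.
    {"time": "2020-12-14T10:06:00", "host": "orion01", "pid": 5004,
     "event_id": NETWORK_CONNECT, "dest_host": "downloads.solarwinds.com", "dest_port": 443},
    # Unexpected HTTPS destination 25 minutes after the load: flagged.
    {"time": "2020-12-14T10:30:00", "host": "orion01", "pid": 5004,
     "event_id": NETWORK_CONNECT, "dest_host": "cdn-update.example.invalid", "dest_port": 443},
    # Same process, unexpected destination, but outside the window: not flagged.
    {"time": "2020-12-14T12:00:00", "host": "orion01", "pid": 5004,
     "event_id": NETWORK_CONNECT, "dest_host": "telemetry.example.invalid", "dest_port": 80},
    # A non-installer process writing the DLL on another host: flagged.
    {"time": "2020-12-14T11:00:00", "host": "orion02", "pid": 800,
     "event_id": FILE_CREATE, "image": r"C:\Users\svc\AppData\Local\Temp\stage.exe",
     "target_filename": r"C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"},
]


def _is_sunburst_dll(path):
    # ntpath handles the Windows separators regardless of the analysis host's OS.
    return ntpath.basename(path).lower() == SUNBURST_DLL.lower()


def suspicious_dll_writes(events):
    """File create events for the DLL by anything other than an expected installer."""
    return [
        e for e in events
        if e["event_id"] == FILE_CREATE
        and _is_sunburst_dll(e["target_filename"])
        and ntpath.basename(e["image"]).lower() not in EXPECTED_WRITERS
    ]


def beaconing_after_dll_load(events):
    """Outbound HTTP/HTTPS from a process within WINDOW of it loading the DLL,
    to a destination that is not in the expected list."""
    last_load = {}  # (host, pid) -> time the DLL was loaded by that process
    hits = []
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort as text
        key = (e["host"], e["pid"])
        when = datetime.fromisoformat(e["time"])
        if e["event_id"] == IMAGE_LOAD and _is_sunburst_dll(e["image_loaded"]):
            last_load[key] = when
        elif e["event_id"] == NETWORK_CONNECT and key in last_load:
            dest = e["dest_host"].lower()
            if (when - last_load[key] <= WINDOW
                    and e["dest_port"] in (80, 443)
                    and not dest.endswith(EXPECTED_DEST_SUFFIXES)):
                hits.append(e)
    return hits


if __name__ == "__main__":
    for e in suspicious_dll_writes(SAMPLE_EVENTS):
        print("DLL written by unexpected process:", e["host"], e["image"])
    for e in beaconing_after_dll_load(SAMPLE_EVENTS):
        print("post-load outbound connection:", e["host"], e["pid"], e["dest_host"])
```

On a real Orion server the DLL load by itself is expected and is not a signal; what carries the detection is the correlation, either the DLL being written by something other than the installer, or HTTP/HTTPS egress from the loading process to hosts outside the destinations the environment normally sees. The expected-writer and expected-destination lists above are placeholders and must be built from the environment's own baseline before any of this is used.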