Solar Winds Supply Chain Attack consists of alerts that detect domains, IP addresses and file checksums (hashes) confirmed to be part of the attack on the SolarWinds Orion products.
Release version: 5.0.2
Release Date: December 30, 2020
Supported On: Logpoint v6.7.4 and later
Download: SolarWinds_Supply_Chain_Attack_5.0.2.pak
SHA256: 237ac73d685ed4a07e4dbd1c0f32c2740cecd4ae82e83d715c96b0fa539851ac
Package Details
Solar Winds Supply Chain Attack consists of the following components:
- Alert Packages:
  - LP_SolarWinds Orion API Authentication Bypass CVE-2020-10148 Attempt
  - LP_SolarWinds Supply Chain Compromise IoC Domain Match
  - LP_SolarWinds Supply Chain Compromise IoC Hash Match
  - LP_SolarWinds Supply Chain Compromise IoC IP Match
  - LP_SolarWinds Supply Chain Compromise Suspicious File Drop
  - LP_SolarWinds Supply Chain Compromise Malicious Image Load
  - LP_SolarWinds Supply Chain Compromise IoC Snort Rule Match
  - LP_SolarWinds Supply Chain Compromise Suspicious Process Creations
- KB Lists:
  - SOLARWINDS_DOMAINS
  - SOLARWINDS_URLS
  - SOLARWINDS_IPS
  - SOLARWINDS_HASHES
Enhancement
Added a new alert rule LP_SolarWinds Orion API Authentication Bypass CVE-2020-10148 Attempt.
Installation
To install Solar Winds Supply Chain Attack:
- Download the .pak file from the Download link above.
- Go to Settings >> System Settings from the navigation bar and click Applications.
- Click Import.
- Browse to the downloaded .pak file.
- Click Upload.
KB List Usage
- SOLARWINDS_DOMAINS: It contains a list of all domain IoCs, such as deftsecurity.com and databasegalore.com.
- SOLARWINDS_URLS: It contains a list of URL IoCs. Each entry is a wildcard form of a domain: if the domain is deftsecurity.com, the entry in this list is *deftsecurity.com*.
- SOLARWINDS_IPS: It contains a list of all IP address IoCs.
- SOLARWINDS_HASHES: It contains a list of all available file hash IoCs (MD5, SHA1, or SHA256).
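The following is an added example, not part of this application or of Logpoint's code, showing how the four KB lists described above are matched against normalized events: exact match for domains, wildcard match for the URL form, and a length check before hash lookup so MD5, SHA1 and SHA256 values can share one list. The field names, the IP and the hash values are constructed assumptions; only the two domains come from the page.

```python
from fnmatch import fnmatch

# KB lists in the shape the page describes. Only the two domains are from the
# page; the IP and the hashes are constructed placeholders, not real indicators.
KB_LISTS = {
    "SOLARWINDS_DOMAINS": {"deftsecurity.com", "databasegalore.com"},
    "SOLARWINDS_URLS": {"*deftsecurity.com*", "*databasegalore.com*"},
    "SOLARWINDS_IPS": {"203.0.113.10"},                       # constructed
    "SOLARWINDS_HASHES": {"0" * 32, "1" * 40, "2" * 64},      # constructed
}

# Accepted hash lengths, so one list can hold MD5, SHA1 and SHA256 entries.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def match_event(event):
    """Return the names of the KB lists whose entries match this event.

    Assumed normalized field names: domain (DNS/proxy), url (proxy),
    source_address / destination_address (firewall), hash (Sysmon/AV).
    """
    hits = []
    host = event.get("domain", "").lower().rstrip(".")
    if host in KB_LISTS["SOLARWINDS_DOMAINS"]:
        hits.append("SOLARWINDS_DOMAINS")
    url = event.get("url", "").lower()
    if url and any(fnmatch(url, pat) for pat in KB_LISTS["SOLARWINDS_URLS"]):
        hits.append("SOLARWINDS_URLS")
    for key in ("source_address", "destination_address"):
        if event.get(key) in KB_LISTS["SOLARWINDS_IPS"]:
            hits.append("SOLARWINDS_IPS")
            break
    digest = event.get("hash", "").lower()
    if len(digest) in HASH_LENGTHS and digest in KB_LISTS["SOLARWINDS_HASHES"]:
        hits.append("SOLARWINDS_HASHES")
    return hits


def scan(events):
    """Return (event index, matched lists) for every event that hit a list."""
    return [(i, hits) for i, e in enumerate(events) if (hits := match_event(e))]


# Constructed sample events in the shape of normalized DNS, proxy, firewall
# and Sysmon records; the last one is benign and must not match.
SAMPLE_EVENTS = [
    {"domain": "deftsecurity.com."},
    {"url": "https://databasegalore.com/swip/upd/"},
    {"destination_address": "203.0.113.10"},
    {"hash": "2" * 64},
    {"domain": "example.org", "url": "https://example.org/"},
]
```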
Required Log Source
- Windows
- Sysmon
- Firewall
- Web Proxy
- Antivirus
- Email Security
- Snort
- Suricata
- DNS Server
Changes in the Previous Versions
Changes in Solar Winds Supply Chain Attack v5.0.1
Release Date: August 01, 2022
Supported On: Logpoint v6.0.0 and later
Solar Winds Supply Chain Attack has been upgraded to support Logpoint v6.0.0.
Enhancements
- Added a new alert package, listed in the Package Details section above.
- The KB lists have been updated to include a newly added indicator of compromise.
Support
If you have any queries or require assistance, create a support ticket.