Solar Winds Supply Chain Attack

Manjul Bhattarai
May 08, 2024 05:38

Solar Winds Supply Chain Attack consists of alerts that detect domains, IP addresses, and file checksums (hashes) confirmed to be part of the attack on SolarWinds Orion products.

Release version: 5.0.2

Release Date: December 30, 2020

Supported On: Logpoint v6.7.4 and later

Download: SolarWinds_Supply_Chain_Attack_5.0.2.pak

SHA256: 237ac73d685ed4a07e4dbd1c0f32c2740cecd4ae82e83d715c96b0fa539851ac

Package Details

Solar Winds Supply Chain Attack consists of the following components:

  1. Alert Packages:
    • LP_SolarWinds Orion API Authentication Bypass CVE-2020-10148 Attempt
    • LP_SolarWinds Supply Chain Compromise IoC Domain Match
    • LP_SolarWinds Supply Chain Compromise IoC Hash Match
    • LP_SolarWinds Supply Chain Compromise IoC IP Match
    • LP_SolarWinds Supply Chain Compromise Suspicious File Drop
    • LP_SolarWinds Supply Chain Compromise Malicious Image Load
    • LP_SolarWinds Supply Chain Compromise IoC Snort Rule Match
    • LP_SolarWinds Supply Chain Compromise Suspicious Process Creations
  2. KB List
    • SOLARWINDS_DOMAINS
    • SOLARWINDS_URLS
    • SOLARWINDS_IPS
    • SOLARWINDS_HASHES

Enhancement

Added a new alert rule LP_SolarWinds Orion API Authentication Bypass CVE-2020-10148 Attempt.

Installation 

To install Solar Winds Supply Chain Attack:

  1. Download the .pak file from the Download link above. 
  2. Go to Settings >> System Settings from the navigation bar and click Applications.
  3. Click Import.
  4. Browse to the downloaded .pak file.
  5. Click Upload. 

KB List Usage

  • SOLARWINDS_DOMAINS: Contains all domain IoCs, such as deftsecurity.com and databasegalore.com.
  • SOLARWINDS_URLS: Contains URL patterns derived from the domains. For the domain deftsecurity.com, the entry in this list is *deftsecurity.com*, so any URL that contains the domain matches.
  • SOLARWINDS_IPS: Contains all IP address IoCs.
  • SOLARWINDS_HASHES: Contains all available file hashes, whether MD5, SHA1, or SHA256.
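To illustrate how the four KB lists are applied to the log sources below (exact or subdomain match for domains, wildcard match for the URL entries, exact match for IPs and hashes), here is an added example in Python; it is not Logpoint's code. The two domains are the ones quoted in this article; the IP address, the hash and the sample events are constructed placeholders.

```python
import fnmatch
from ipaddress import ip_address
# Constructed KB lists mirroring the four lists on this page. The two domains
# are the ones the article quotes; the IP and hash are placeholders, not IoCs.
SOLARWINDS_DOMAINS = {"deftsecurity.com", "databasegalore.com"}
SOLARWINDS_URLS = {"*deftsecurity.com*", "*databasegalore.com*"}
SOLARWINDS_IPS = {"203.0.113.10"}                        # placeholder (TEST-NET-3)
SOLARWINDS_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}  # placeholder MD5

def domain_match(name):
    """Exact or subdomain match against SOLARWINDS_DOMAINS (trailing dot tolerated)."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in SOLARWINDS_DOMAINS)

def url_match(url):
    """Wildcard match: the entry *deftsecurity.com* hits any URL containing it."""
    return any(fnmatch.fnmatchcase(url.lower(), p) for p in SOLARWINDS_URLS)

def ip_match(addr):
    try:
        return str(ip_address(addr)) in SOLARWINDS_IPS
    except ValueError:  # hostnames or garbage in an address field never match
        return False

def hash_match(digest):
    """The list mixes MD5, SHA1 and SHA256 hex digests; compare case-insensitively."""
    return digest.lower() in SOLARWINDS_HASHES

# KB list -> event fields it is checked against -> matcher (by log source type).
CHECKS = (
    ("SOLARWINDS_DOMAINS", ("query", "domain"), domain_match),
    ("SOLARWINDS_URLS", ("url",), url_match),
    ("SOLARWINDS_IPS", ("source_address", "destination_address"), ip_match),
    ("SOLARWINDS_HASHES", ("hash",), hash_match),
)

def scan(events):
    """Return (event id, KB list, matched value) for every field that hits a list."""
    return [(ev["id"], kb, ev[f]) for ev in events for kb, fields, fn in CHECKS
            for f in fields if f in ev and fn(ev[f])]

# Constructed sample events from the log sources this package expects.
EVENTS = [
    {"id": 1, "log_source": "dns", "query": "example.org"},                 # benign
    {"id": 2, "log_source": "dns", "query": "api.deftsecurity.com."},
    {"id": 3, "log_source": "proxy", "url": "https://databasegalore.com/x?y=1"},
    {"id": 4, "log_source": "firewall", "source_address": "10.0.0.5",
     "destination_address": "203.0.113.10"},
    {"id": 5, "log_source": "sysmon", "hash": "D41D8CD98F00B204E9800998ECF8427E"},
]
```

Running scan(EVENTS) flags events 2 to 5, one hit each, while the benign DNS query and the internal source address produce nothing.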

Required Log Source

  • Windows
  • Sysmon
  • Firewall
  • Web Proxy
  • Antivirus
  • Email Security
  • Snort
  • Suricata
  • DNS Server

Changes in the Previous Versions


Changes in Solar Winds Supply Chain Attack v5.0.1

Release Date: August 01, 2022

Supported On: Logpoint v6.0.0 and later

Solar Winds Supply Chain Attack has been upgraded to support Logpoint v6.0.0.

Enhancements

  • Added a new alert package, listed in the Package Details section above.
  • The KB Lists have been updated with additional indicators of compromise.

Support

If you have any queries or require assistance, create a support ticket.

