Snort demo: Finding SolarWinds Sunburst indicators of compromise
Introduction to SolarWinds and Sunburst
The SolarWinds hack is one of the biggest security incidents of recent years. After cyberthreat actors gained access to SolarWinds’ network, they implanted a backdoor into the code of the company’s Orion network monitoring product. This provided them with access to the networks of tens of thousands of SolarWinds customers once they installed the update.
Sunburst is one of several malware variants associated with the SolarWinds hack. After detecting and reporting on the incident, FireEye published a collection of indicators of compromise (IoCs) for detecting the breach.
In a Cyber Work podcast, Infosec’s Principal Security Researcher Keatron Evans demonstrated how to identify devices compromised with Sunburst using the IoCs provided by FireEye. Learn how to use Snort to detect Sunburst in this video.
Learn Digital Forensics
Inside a Snort rule
The dataset of IoCs provided by FireEye is formatted as a collection of Snort rules. An example of one of these Snort rules is:
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)
It’s not necessary to understand how Snort rules work and are written to use these for detecting the Sunburst malware on a system. However, understanding the basics of how Snort rules are formatted is a useful skill. The rule above:
- Looks for TCP traffic
- Examines TCP connections from any IP address and any port to any IP address and any port
- Prints the message APT.Backdoor.MSIL.SUNBURST on finding a match
- Looks for the string deftsecurity.com within the hostname
This is one of several examples of a Snort rule that can be used to detect the Sunburst malware. To maximize the effectiveness of Snort for detecting the malware, it’s a good idea to check all computers against all rules.
The domains listed in these Snort rules are no longer live as Microsoft has sinkholed DNS requests to these domains. This means that the malware cannot use these domains to communicate with their command and control servers.
However, malware installed on a computer may still be trying to beacon out to these domains, making them a useful tool for identifying compromised computers on a network. Since the Sunburst malware can move laterally through a network, a single compromised machine may have spread the infection to other computers. Using these IoCs, it is possible to identify additional compromised systems that need to be cleaned of the malware as well.
Building rulesets in Snort
The Snort rules provided by FireEye are designed to be used with Snort, an open-source intrusion detection system. To look for Sunburst malware infections on a computer, download Snort from snort.org and install it on a computer.
After the installation is complete, navigate to the installation folder. As part of the installation process, Snort will create a rules directory containing a set of Snort rulelists. These rulelists are text files containing detection rules formatted like the samples provided by FireEye.
Adding new rules to Snort is as simple as creating a new rulelist file or adding rules to an existing list. To add Sunburst detection rules to Snort, add the rules from FireEye’s list on Github to the Snort rules directory.
Detecting Sunburst malware with Snort
After adding the Sunburst malware rules to Snort’s rulesets, navigate to the bin folder within the Snort install directory. To run Snort, it is necessary to have administrator-level access on the machine being analyzed.
Once within the Snort bin directory, run the following command:
snort -A console -i1 -c c:\Snort\etc\snort.conf -l c:\snort\log -K pcap
This command uses a few different flags to specify what Snort should be doing. The meanings of these flags are:
- -A console: Send alerts to the console
- -i1: Monitor traffic on interface one. You can see a list of the available interfaces with snort -W.
- -c: Identifies the configuration file that Snort should use (ensures new rules are used)
- -l: Defines location where any alerts should be logged
- -K pcap: Instructs Snort to log alerts as packet capture files (pcaps)
After running this command, Snort will initialize and begin monitoring traffic on the specified interface. If any traffic matching a Snort rule is detected, an alert will be printed to the terminal. If this occurs, then it is likely that the system is infected with the Sunburst malware and should be investigated further.
In addition to printing an alert in the terminal, Snort will also log the traffic that matched the rule as a pcap file in the log folder within the Snort directory. This packet can be opened using Wireshark or similar network monitoring tools to see more details about the malware’s command and control traffic.
Learn Digital Forensics
Detecting Sunburst with Snort
The SolarWinds supply chain breach affected a number of different organizations. By working through the process described in Keatron’s Cyber Work Podcast episode, you can learn to use Snort and the IoCs provided by FireEye to detect Sunburst infections.
Sources:
Sunburst Countermeasures, FireEye
Snort demo: Finding SolarWinds Sunburst Indicators of Compromise (IOCs), Infosec Cyber Work Podcast
Downloads, Snort