Sample rules
Command Execution via SolarWinds Process
- source: elastic
- techniques:
- T1059
- T1195
Description
A suspicious SolarWinds child process (Cmd.exe or Powershell.exe) was detected.
Detection logic
process where host.os.type == "windows" and event.type == "start" and process.name: ("cmd.exe", "powershell.exe") and
process.parent.name: (
"ConfigurationWizard*.exe",
"NetflowDatabaseMaintenance*.exe",
"NetFlowService*.exe",
"SolarWinds.Administration*.exe",
"SolarWinds.Collector.Service*.exe",
"SolarwindsDiagnostics*.exe"
)
Suspicious SolarWinds Child Process
- source: elastic
- techniques:
- T1106
- T1195
Description
A suspicious SolarWinds child process was detected, which may indicate an attempt to execute malicious programs.
Detection logic
process where host.os.type == "windows" and event.type == "start" and
process.parent.name: ("SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe") and
not (
process.name : (
"APMServiceControl*.exe",
"ExportToPDFCmd*.Exe",
"SolarWinds.Credentials.Orion.WebApi*.exe",
"SolarWinds.Orion.Topology.Calculator*.exe",
"Database-Maint.exe",
"SolarWinds.Orion.ApiPoller.Service.exe",
"WerFault.exe",
"WerMgr.exe",
"SolarWinds.BusinessLayerHost.exe",
"SolarWinds.BusinessLayerHostx64.exe",
"SolarWinds.Topology.Calculator.exe",
"SolarWinds.Topology.Calculatorx64.exe",
"SolarWinds.APM.RealTimeProcessPoller.exe") and
process.code_signature.trusted == true
) and
not process.executable : ("?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe", "?:\\Windows\\SysWOW64\\unlodctr.exe")
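To see how the two rules above behave on concrete telemetry, here is an added Python evaluator (not part of Elastic's rule set, which runs these queries as EQL) that reimplements both rules over constructed process-start events; the event helper, the dict-keyed field layout and the sample values are assumptions for illustration.

```python
from fnmatch import fnmatchcase

# EQL ':' is a case-insensitive match supporting * and ? wildcards, while '=='
# is an exact comparison; both behaviours are reproduced below.
def matches_any(value, patterns):
    return value is not None and any(fnmatchcase(value.lower(), p.lower()) for p in patterns)

CMD_PARENTS = ["ConfigurationWizard*.exe", "NetflowDatabaseMaintenance*.exe", "NetFlowService*.exe",
               "SolarWinds.Administration*.exe", "SolarWinds.Collector.Service*.exe", "SolarwindsDiagnostics*.exe"]
BLH_PARENTS = ["SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe"]
BLH_EXPECTED = ["APMServiceControl*.exe", "ExportToPDFCmd*.Exe", "SolarWinds.Credentials.Orion.WebApi*.exe",
                "SolarWinds.Orion.Topology.Calculator*.exe", "Database-Maint.exe",
                "SolarWinds.Orion.ApiPoller.Service.exe", "WerFault.exe", "WerMgr.exe",
                "SolarWinds.BusinessLayerHost.exe", "SolarWinds.BusinessLayerHostx64.exe",
                "SolarWinds.Topology.Calculator.exe", "SolarWinds.Topology.Calculatorx64.exe",
                "SolarWinds.APM.RealTimeProcessPoller.exe"]
EXCLUDED_EXE = ["?:\\Windows\\SysWOW64\\ARP.EXE", "?:\\Windows\\SysWOW64\\lodctr.exe",
                "?:\\Windows\\SysWOW64\\unlodctr.exe"]

def windows_start(e):
    return e.get("host.os.type") == "windows" and e.get("event.type") == "start"

def command_execution_via_solarwinds(e):
    """Rule 1: cmd.exe or powershell.exe started by a listed SolarWinds parent."""
    return (windows_start(e) and matches_any(e.get("process.name"), ["cmd.exe", "powershell.exe"])
            and matches_any(e.get("process.parent.name"), CMD_PARENTS))

def suspicious_solarwinds_child(e):
    """Rule 2: BusinessLayerHost child that is neither expected-and-trusted nor an excluded SysWOW64 binary."""
    expected = (matches_any(e.get("process.name"), BLH_EXPECTED)
                and e.get("process.code_signature.trusted") is True)
    return (windows_start(e) and matches_any(e.get("process.parent.name"), BLH_PARENTS)
            and not expected and not matches_any(e.get("process.executable"), EXCLUDED_EXE))

def event(name, parent, trusted=None, exe=None):
    """Build a constructed Windows process-start event (sample data, not real telemetry)."""
    e = {"host.os.type": "windows", "event.type": "start", "process.name": name, "process.parent.name": parent}
    if trusted is not None:
        e["process.code_signature.trusted"] = trusted
    if exe:
        e["process.executable"] = exe
    return e

SAMPLE_EVENTS = [
    event("PowerShell.exe", "SolarWinds.Collector.Service.exe"),                 # rule 1 fires
    event("WerFault.exe", "SolarWinds.BusinessLayerHost.exe", trusted=True),     # expected, trusted: quiet
    event("WerFault.exe", "SolarWinds.BusinessLayerHost.exe", trusted=False),    # expected name, untrusted: fires
    event("ARP.EXE", "SolarWinds.BusinessLayerHostx64.exe", exe="C:\\Windows\\SysWOW64\\ARP.EXE"),  # excluded
    event("rundll32.exe", "SolarWinds.BusinessLayerHost.exe", exe="C:\\Windows\\System32\\rundll32.exe"),
]

def alerts(events=SAMPLE_EVENTS):
    """Return (event index, rule name) for each event that fires a rule."""
    return [(i, rule.__name__) for i, e in enumerate(events)
            for rule in (command_execution_via_solarwinds, suspicious_solarwinds_child) if rule(e)]
```

Note that an expected child name alone does not suppress rule 2: the allow-list only applies when the code signature is also trusted, so a renamed or unsigned binary under an expected name still alerts.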