Special thanks to Bryan, Glyer, Burrell (MSTIC), Rob Mead, Florio, Feuerstein, Ramin Nafisi, Michael Matonis. Thanks to the MSTIC and M365 teams for collaborating to deliver this content in a timely manner.
Security teams should leverage this hunting workbook as part of their workflow in investigating this attack. Importantly, if you have recently rotated ADFS key material this workbook can be useful in identifying attacker logon activity if they logon with old key material. There are many things in this workbook that threat hunters would find useful and the workbook is complimentary to the hunting methods shared below. To make it easier for security teams to visualize and monitor their environments for this attack the MSTIC team has shared a SolarWinds Post Compromise hunting workbook via Azure Sentinel and Azure Sentinel GitHub. Links to these IOC’s are listed in the reference section at the end. Azure Sentinel customers are encouraged to review advisories and IOC’s shared by Microsoft MSRC and security partners to search on specific IOC’s in their environment using Azure Sentinel. The goal of this article is post-compromise investigation strategies and is focused on TTPs and not focused on specific IOCs. Updated Users of Microsoft 365 Defender can also hunt and detect on similar items in this blog, but tailored towards investigation using Microsoft 365 Defender to protect against Solorigate. Updated For Identity Vendors and their customers to understand the Solorigate identity related attack components the Identity team at Microsoft has produced a blog has been created to walk thru this information. Ĭurrent advice for incident responders on recovery from systemic identity compromises has been provided by Microsoft Detection and Response Team.Īzure AD Identity admins who want to gain further visibility and understanding related to the identity implications of this attack on their environment can use the newly released Sensitive Operations Report workbook. This blog post contains guidance and generic approaches to hunt for attacker activity (TTPs) in data that is available by default in Azure Sentinel or can be onboarded to Azure Sentinel.Ĭurrently known in depth attack details have been provided by the M365 and MSTIC teams via the deep dive analysis blog. Azure Sentinel has made it easy to collect data from multiple data sources across different environments both on-prem and cloud with the goal of connecting that data together more easily. Being able to analyze all the data from a single point makes it easier to spot trends and attacks. Relevant security data required for hunting and investigating such a complex attack is produced in multiple locations - cloud, on-premises and across multiple security tools and product logs. This threat actor is believed to be highly sophisticated and motivated. This attack is also known as Solorigate or Sunburst. Microsoft recently blogged about the Recent Nation-State Cyber Attacks that has impacted high value targets both across the government and private sector.
In addition, the SolarWinds post compromise hunting workbook has been updated to include a number of new sections.īlog sections have been marked with Updated and include the date they were last updated. Settings > Manage Nodes > Palo Alto > Select All > Edit Properties > Tick Communication > Select Device Template ‘Palo Alto5050 – Set’ > Submit.MSTIC has released a number of new hunting and detection queries for Azure Sentinel based on additional observations as well as research released by partners and the wider community. Settings > All Settings > NCM Settings > Advanced > Device Templates > Search ‘Palo Alto’ > Select ‘PaloAlto5050’ > Click Copy > Change Template Name ‘PaloAlto5050 – Set’ > Remove the XML information and then Copy and Paste the XML below > Click Save Ĭhange the Template being used on the Palo Alto Nodes
Download “Set” Command backup for Palo Alto