For security teams who have SolarWinds in their environment and are looking to initiate incident response, we’re providing the following playbook, based upon our initial understanding of the threat, as an aid to help you investigate any potential attack. The information presented may not be complete or eliminate all threats, but we expect it will be effective based on our experience. As more information becomes available about the threat, recommended steps may change or be updated. Last updated T12:18Z – view the changelog below. Check back here and GitHub regularly for further updates.

This response process may need to be customized for your environment and is based upon the following assumptions:

- Ability to establish when the vulnerable component was introduced into the environment, and log coverage for that period.
- Assume the adversary had access to all accounts and credentials utilized by the SolarWinds Orion server and the capability to assume the identity of any administrative or related accounts.
- Assume the adversary had the capability and network access to maintain a C2 channel to the SolarWinds Orion server.
- Ability to determine that no accounts used by SolarWinds, nor accounts used to access the SolarWinds Orion server, had full domain administrative rights.
- Ability to determine that no active malicious activity occurred relating to the vulnerable component, based upon currently available IOCs and detections.

If you find evidence of malicious activity, or if you are not able to arrive at some of the baseline conclusions described here, Sophos recommends initiating your full incident response procedures or reaching out for external assistance.

Detection and analysis

Hunt for impacted SolarWinds instances

Endpoint queries

Sophos Application Control detects all versions of SolarWinds Orion as “SolarWinds MSP Agent”. Application Control is an optional setting – read the Help Guide for instructions on how to enable it, and add SolarWinds to the list of apps you want to block.

SolarWinds can also be detected via network monitoring by looking for call-homes made by its updating service. Note: you may only see outbound connections from your main SolarWinds instance, not from pollers. The following Zeek IDS searches may also help: SIEM Searches.

Identify malicious SolarWinds components

Endpoint indicators

Sophos Intercept X / Central Endpoint Protection: SophosLabs has detections for both the malicious component and an additional signature that indicates active exploitation. Warning: check your configuration for exclusions.

Labs detections: List of detections and IOCs

Hash the installed Orion DLLs and compare the results against the IOC list:

PS C:\Windows\system32> Get-FileHash C:\Orion\.dll | Format-List

Sophos EDR/OSquery: Detection queries

Network indicators

Sophos has also blocked all associated IP and domain indicators for its XG and SG customers.

SIEM Searches

If you have additional network telemetry, the following searches may also be of use. Note: the attackers communicate with C2 via TLS, so a file hash hit is unlikely unless you intercept TLS.

If possible, snapshot all affected hosts with impacted versions of Orion installed. Ensure that snapshotting processes also capture memory. A lightweight forensic acquisition can also be performed using the “Forensic snapshot” feature of Sophos EDR.

Potentially compromised accounts include:

- All accounts SolarWinds used for network monitoring, including Windows local accounts, domain accounts, SNMP, SSH, etc.
- All other accounts used on the affected SolarWinds Orion servers. These include all administrative logins (e.g. EventCode 4624) to the server and any local or service accounts.

The following table can be used to document all potentially impacted accounts:

Username

Identify high-value attack paths for potentially compromised accounts

For all potentially compromised accounts listed above, identify other high-value systems (e.g. domain controllers, Active Directory Federation Services, and Azure Active Directory Connect servers) to which they had access. Evaluate local system authentication logs for anomalous activity from compromised accounts. BloodHound can also be used to map out the access of any potentially impacted accounts. If servers or accounts involved in federated authentication (e.g.

** We will continue to update this article with additional information as it becomes available.
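The account inventory step of the playbook (the "Username" table of every account that logged on to the Orion server, drawn from EventCode 4624) is tedious to fill in by hand. The script below is an added example, not code from the Sophos playbook: it takes exported 4624 records, keeps only those inside the exposure window, and aggregates them into one row per account with its kind (machine, local or domain), logon types, remote source addresses, first/last seen and logon count. The sample records, host name, account names and addresses are constructed for the example; field names follow the 4624 EventData schema.

```python
"""Build the playbook's "potentially impacted accounts" table from exported
Windows Security event 4624 (successful logon) records of an Orion server.
Added example; not part of the Sophos playbook."""
from datetime import datetime

# Logon type codes carried in the LogonType field of event 4624.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Built-in identities that appear in 4624 but are not accounts to inventory.
IGNORED_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}

# Loopback/empty sources carry no information about where a logon came from.
LOCAL_SOURCES = {"-", "", "::1", "127.0.0.1"}

# Constructed sample records (host, account and address values are invented).
SAMPLE_EVENTS = [
    {"TimeCreated": "2020-03-26T08:02:11Z", "EventID": 4624, "Computer": "ORION01.corp.example",
     "TargetUserName": "svc_orion", "TargetDomainName": "CORP", "LogonType": 5, "IpAddress": "-"},
    {"TimeCreated": "2020-03-26T09:15:40Z", "EventID": 4624, "Computer": "ORION01.corp.example",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.0.5.23"},
    {"TimeCreated": "2020-04-02T17:44:03Z", "EventID": 4624, "Computer": "ORION01.corp.example",
     "TargetUserName": "SYSTEM", "TargetDomainName": "NT AUTHORITY", "LogonType": 5, "IpAddress": "-"},
    {"TimeCreated": "2020-04-03T22:01:57Z", "EventID": 4624, "Computer": "ORION01.corp.example",
     "TargetUserName": "ORION01$", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.5.9"},
    {"TimeCreated": "2020-04-10T03:12:00Z", "EventID": 4624, "Computer": "ORION01.corp.example",
     "TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.7.200"},
    {"TimeCreated": "2020-04-11T11:30:22Z", "EventID": 4624, "Computer": "ORION01.corp.example",
     "TargetUserName": "Administrator", "TargetDomainName": "ORION01", "LogonType": 2, "IpAddress": "127.0.0.1"},
    # A 4672 (special privileges) record: exported alongside 4624 but must be skipped here.
    {"TimeCreated": "2020-04-11T11:31:05Z", "EventID": 4672, "Computer": "ORION01.corp.example",
     "TargetUserName": "Administrator", "TargetDomainName": "ORION01"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def account_kind(user, domain, computer):
    """Classify the way the playbook enumerates accounts: machine, local
    (the logon domain is the host itself) or domain account."""
    if user.endswith("$"):
        return "machine"
    if domain.upper() == computer.split(".")[0].upper():
        return "local"
    return "domain"


def build_account_table(events, window_start, window_end):
    """Aggregate 4624 records inside the exposure window into one row per account."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    rows = {}
    for ev in events:
        if ev.get("EventID") != 4624:
            continue  # only successful logons feed the inventory
        user = ev["TargetUserName"]
        if user.upper() in IGNORED_ACCOUNTS:
            continue
        ts = parse_ts(ev["TimeCreated"])
        if not (start <= ts <= end):
            continue  # outside the window in which the vulnerable component was present
        key = ev["TargetDomainName"] + "\\" + user
        row = rows.get(key)
        if row is None:
            row = rows[key] = {
                "username": key,
                "kind": account_kind(user, ev["TargetDomainName"], ev["Computer"]),
                "logon_types": set(), "sources": set(),
                "first_seen": ts, "last_seen": ts, "logons": 0,
            }
        logon_type = int(ev["LogonType"])
        row["logon_types"].add(LOGON_TYPES.get(logon_type, "Type%d" % logon_type))
        if ev.get("IpAddress", "-") not in LOCAL_SOURCES:
            row["sources"].add(ev["IpAddress"])
        row["first_seen"] = min(row["first_seen"], ts)
        row["last_seen"] = max(row["last_seen"], ts)
        row["logons"] += 1
    return rows


def render_table(rows):
    """Render the inventory as the playbook's Username table, one line per account."""
    lines = ["%-22s %-8s %6s  %-30s %-20s %-20s %s" % (
        "Username", "Kind", "Logons", "Logon types", "First seen", "Last seen", "Sources")]
    for row in sorted(rows.values(), key=lambda r: r["first_seen"]):
        lines.append("%-22s %-8s %6d  %-30s %-20s %-20s %s" % (
            row["username"], row["kind"], row["logons"],
            ",".join(sorted(row["logon_types"])),
            row["first_seen"].strftime("%Y-%m-%d %H:%M:%S"),
            row["last_seen"].strftime("%Y-%m-%d %H:%M:%S"),
            ",".join(sorted(row["sources"])) or "-"))
    return lines


if __name__ == "__main__":
    table = build_account_table(SAMPLE_EVENTS, "2020-03-01T00:00:00Z", "2020-06-30T00:00:00Z")
    print("\n".join(render_table(table)))
```

Feed it the 4624 records exported from the Orion server (for example from Get-WinEvent converted to JSON, or a SIEM export) and set the window to the period established in the first assumption above. Every row it produces is a candidate for the attack-path review that follows; the monitoring credentials Orion itself holds (SNMP, SSH and similar) never appear in Windows logon events and must be enumerated from the Orion configuration separately.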