Solorigate and beyond
A major incident that closed out 2020 was the supply chain compromise of SolarWinds along with other related activity tracked under the names “Solorigate,” “UNC2452,” “Dark Halo,” and multiple malware families. The SolarWinds compromise will almost certainly continue to be a challenge for defenders to respond to throughout 2021, due to its complexity and downstream effects on other organizations. It’s important to remember that this is now a series of incidents and TTPs that reaches far beyond just SolarWinds. Each organization should evaluate how they can best protect themselves based on the TTPs that are likely to affect them. For example, a company that makes software should be concerned about monitoring the integrity of their build processes, which may not be a concern for other organizations.
For organizations that have endpoint visibility, here is one detection opportunity (beyond searching for atomic indicators like hashes) for follow-on activity after the SolarWinds compromise. There are plenty of other opportunities for both endpoint and network detection, many of which have been helpfully compiled by MITRE.
Renamed AdFind execution
ATT&CK technique(s): T1036.003 Masquerading: Rename System Utilities, T1036.005 Masquerading: Match Legitimate Name or Location, T1069.002 Permission Groups Discovery: Domain Groups, T1482 Domain Trust Discovery
ATT&CK tactic(s): Execution, Defense Evasion
Details: Microsoft reported that the adversaries behind Solorigate used a renamed version of AdFind for domain enumeration. The following example provided by Microsoft shows AdFind renamed as csrss.exe in an apparent attempt to masquerade as the Client Server Runtime Subsystem process, as this command identifies domain administrators.
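As an added example (not code from the original post or from Microsoft), here is detection logic for this masquerading pattern run over Sysmon-style process-creation events; Image, OriginalFileName and CommandLine are real Sysmon event fields, while the sample events, the host name dc01.example.test and the file paths are constructed.

```python
"""Flag renamed AdFind execution in process-creation telemetry (added example)."""
import ntpath
import re

# AdFind's PE version resource names the binary adfind.exe; a different on-disk
# name paired with this internal name is the rename signal (T1036.003).
ADFIND_INTERNAL_NAME = "adfind.exe"
# The genuine Client Server Runtime Subsystem only runs from here (T1036.005).
SYSTEM32 = r"c:\windows\system32"
# Fragments typical of AdFind group/trust enumeration command lines
# (T1069.002, T1482): LDAP filters, shortcut switches, member listing.
ADFIND_ARGS = re.compile(
    r"(-f\s+\(?(name|objectcategory|objectclass)=|\s-sc\s+\w+|member\s+-list)", re.I)

def analyze(event):
    """Return the list of reasons this event looks like renamed AdFind."""
    reasons = []
    image = event.get("Image", "")
    name = ntpath.basename(image).lower()
    original = event.get("OriginalFileName", "").lower()
    # 1. Internal name says AdFind but the file on disk carries another name.
    if original == ADFIND_INTERNAL_NAME and name != ADFIND_INTERNAL_NAME:
        reasons.append(f"internal name {original} but on-disk name {name}")
    # 2. A process named like a core Windows binary running outside System32.
    if name == "csrss.exe" and ntpath.dirname(image).lower() != SYSTEM32:
        reasons.append(f"csrss.exe executing from {ntpath.dirname(image)}")
    # 3. Command line carries AdFind-style enumeration arguments.
    if ADFIND_ARGS.search(event.get("CommandLine", "")):
        reasons.append("AdFind-style enumeration arguments on command line")
    return reasons

def detect_renamed_adfind(events):
    """Return (event, reasons) pairs for every event that matched."""
    hits = []
    for event in events:
        reasons = analyze(event)
        if reasons:
            hits.append((event, reasons))
    return hits

# Constructed sample telemetry: legitimate csrss.exe, AdFind renamed to
# csrss.exe enumerating Domain Admins, and AdFind renamed to svc.exe dumping trusts.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\csrss.exe", "OriginalFileName": "CSRSS.Exe",
     "CommandLine": r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows"},
    {"Image": r"C:\Users\Public\csrss.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": r'csrss.exe -h dc01.example.test -f (name="Domain Admins") member -list'},
    {"Image": r"C:\Temp\svc.exe", "OriginalFileName": "AdFind.exe",
     "CommandLine": r"svc.exe -h dc01.example.test -sc trustdmp"},
]

if __name__ == "__main__":
    for event, reasons in detect_renamed_adfind(SAMPLE_EVENTS):
        print(event["Image"], "->", "; ".join(reasons))
```

Check 1 is the strongest signal because it does not depend on the attacker's choice of decoy name; checks 2 and 3 catch copies whose version resource was stripped or altered.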