├── .gitignore
├── Exchange_Marauder
│   ├── Exchange_Marauder.pdf
│   ├── Exchange_Marauder.png
│   ├── Exchange_Marauder.mindnode
│   ├── Exchange_Marauder.md
│   └── Exchange_Marauder.opml
├── SOLORIGATE_SUNBURST
│   ├── SOLORIGATE_SUNBURST.pdf
│   ├── SOLORIGATE_SUNBURST.png
│   ├── SOLORIGATE_SUNBURST.mindnode
│   ├── SOLORIGATE_SUNBURST.md
│   └── SOLORIGATE_SUNBURST.opml
├── Pulse_Secure_CVE-2021-22893
│   ├── Pulse Secure CVE-2021-22893.pdf
│   ├── Pulse Secure CVE-2021-22893.png
│   ├── Pulse Secure CVE-2021-22893.mindnode
│   ├── Pulse Secure CVE-2021-22893.md
│   └── Pulse Secure CVE-2021-22893.opml
├── README.md
└── LICENSE
/.gitignore:
--------------------------------------------------------------------------------
1 | SONICWALL*
2 |
--------------------------------------------------------------------------------
/Exchange_Marauder/Exchange_Marauder.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/Exchange_Marauder/Exchange_Marauder.pdf
--------------------------------------------------------------------------------
/Exchange_Marauder/Exchange_Marauder.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/Exchange_Marauder/Exchange_Marauder.png
--------------------------------------------------------------------------------
/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.pdf
--------------------------------------------------------------------------------
/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.png
--------------------------------------------------------------------------------
/Exchange_Marauder/Exchange_Marauder.mindnode:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/Exchange_Marauder/Exchange_Marauder.mindnode
--------------------------------------------------------------------------------
/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.mindnode:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.mindnode
--------------------------------------------------------------------------------
/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.pdf
--------------------------------------------------------------------------------
/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.png
--------------------------------------------------------------------------------
/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.mindnode:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/jipegit/IncidentsMindMaps/HEAD/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.mindnode
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Cybersecurity Incidents Mind Maps
2 |
3 | * [Pulse Secure CVE-2021-22893](Pulse_Secure_CVE-2021-22893)
4 |
5 | * [Exchange Marauder](Exchange_Marauder)
6 |
7 | * [SOLORIGATE_SUNBURST](SOLORIGATE_SUNBURST)
--------------------------------------------------------------------------------
/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.md:
--------------------------------------------------------------------------------
1 | # Pulse Secure CVE-2021-22893
2 |
3 |
4 | ## Victims
5 |
6 | ### US
7 |
8 | ### EU
9 |
10 | ## Advisories
11 |
12 | ### PulseSecure
13 |
14 | - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784/
15 |
16 | - https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB44755/?kA13Z000000fzZV
17 |
18 | ### CISA
19 |
20 | - https://us-cert.cisa.gov/ncas/alerts/aa21-110a
21 |
22 | ## Detection
23 |
24 | ### PulseSecure
25 |
26 | - Pulse Connect Secure Integrity Tool
27 |
28 | ## Implants
29 |
30 | ### SLOWPULSE, RADIALPULSE, PULSECHECK, THINBLOOD, PULSEJUMP, HARDPULSE
31 |
32 | - FireEye
33 |
34 | - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html
35 |
36 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2020 Jean-Philippe
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/Pulse_Secure_CVE-2021-22893/Pulse Secure CVE-2021-22893.opml:
--------------------------------------------------------------------------------
4 | Pulse Secure CVE-2021-22893
--------------------------------------------------------------------------------
/Exchange_Marauder/Exchange_Marauder.md:
--------------------------------------------------------------------------------
1 | # Exchange Marauder
2 |
3 |
4 | ## Tools
5 |
6 | ### Vulnerability Scanners
7 |
8 | - Triage
9 |
10 | - https://github.com/dpaulson45/HealthChecker#download
11 |
12 | - Microsoft
13 |
14 | - https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse
15 |
16 | - https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse
17 |
18 | ### Detection / Hunting
19 |
20 | - Rapid7
21 |
22 | - https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/
23 |
24 | - CrowdStrike
25 |
26 | - https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits/
27 |
28 | - FireEye
29 |
30 | - https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
31 |
32 | - Microsoft
33 |
34 | - 365-Defender-Hunting-Queries
35 |
36 | - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md
37 |
38 | - IOC Feed
39 |
40 | - https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/Feeds
41 |
42 | - https://github.com/microsoft/CSS-Exchange/blob/main/Security/src/Test-ProxyLogon.ps1
43 |
44 | - CERT-LV
45 |
46 | - https://github.com/cert-lv/exchange_webshell_detection/blob/main/detect_webshells.ps1
47 |
48 | - Neo23x0
49 |
50 | - https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium.yar#L172
51 |
52 | - Unit221b
53 |
54 | - https://checkmyowa.unit221b.com/
55 |
56 | - Trustedsec
57 |
58 | - https://github.com/trustedsec/defensive-scripts
59 |
60 | ### Mitigation
61 |
62 | - Microsoft
63 |
64 | - https://github.com/microsoft/CSS-Exchange/blob/main/Security/src/ExchangeMitigations.ps1
65 |
66 | - https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/
67 |
68 | ### Remediation
69 |
70 | - Microsoft
71 |
72 | - https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
73 |
74 | ## Attribution
75 |
76 | ### Microsoft
77 |
78 | - https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/
79 |
80 | - HAFNIUM
81 |
82 | ## Implants
83 |
84 | ### ChinaChopper
85 |
86 | - https://twitter.com/jhencinski/status/1367225483407089665
87 |
88 | - https://twitter.com/noottrak/status/1367276764741963780
89 |
90 | ## Emulation
91 |
92 | ### Praetorian
93 |
94 | - https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
95 |
96 | ## Exploits
97 |
98 | ### CVE-2021-26855
99 |
100 | - jsdryan
101 |
102 | - https://github.com/jsdryan/CVE-2021-26855/blob/main/CVE-2021-26855.go
103 |
104 | - Rapid7
105 |
106 | - https://github.com/rapid7/metasploit-framework/blob/f7fe97a1458df7b45562013af3a70f5bd0a8cf7b/modules/auxiliary/gather/exchange_proxylogon_collector.rb
107 |
108 | ### Information Gathering
109 |
110 | - https://github.com/sophoslabs/metasploit_gather_exchange
111 |
112 | ### CVE-2021-26855 & CVE-2021-27065
113 |
114 | - https://github.com/hausec/ProxyLogon
115 |
116 | - https://gitlab.com/gvillegas/ohwaa/
117 |
118 | ## Security Advisories
119 |
120 | ### Microsoft
121 |
122 | - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
123 |
124 | - CVE-2021-26855
125 | - CVE-2021-26857
126 | - CVE-2021-26858
127 | - CVE-2021-27065
128 |
129 | - https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/
130 |
131 | - https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901
132 |
133 | ### CISA
134 |
135 | - https://us-cert.cisa.gov/ncas/alerts/aa20-352a
136 |
137 | ### https://proxylogon.com
138 |
139 | - CVE-2021-26855
140 |
141 | - CVE-2021-27065
142 |
143 | ## Incidents
144 |
145 | ### Volexity
146 |
147 | - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
148 |
149 | ### Microsoft
150 |
151 | - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
152 |
153 | - TTP
154 |
155 | - Command & Control
156 |
157 | - https://github.com/cobbr/Covenant
158 |
159 | - Exfiltration
160 |
161 | - MEGA
162 |
163 | - Execution
164 |
165 | - Nishang
166 |
167 | - https://github.com/samratashok/nishang
168 |
169 | ### Truesec
170 |
171 | - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
172 |
173 | ### RedCanary
174 |
175 | - https://redcanary.com/blog/microsoft-exchange-attacks/
176 |
177 | ### PaloAlto Unit42
178 |
179 | - https://unit42.paloaltonetworks.com/china-chopper-webshell/
180 |
181 | ### DomainTools
182 |
183 | - https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders
184 |
185 | ### ESET
186 |
187 | - https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
188 |
189 |
--------------------------------------------------------------------------------
/Exchange_Marauder/Exchange_Marauder.opml:
--------------------------------------------------------------------------------
4 | Exchange_Marauder
--------------------------------------------------------------------------------
/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.md:
--------------------------------------------------------------------------------
1 | # SOLORIGATE
2 |
3 |
4 | ## Attribution
5 |
6 | ### https://www.recordedfuture.com/solarwinds-attribution/
7 |
8 | ### https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution
9 |
10 | ### KAZUAR / TURLA
11 |
12 | ### https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
13 |
14 | ### https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise
15 |
16 | ### https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services
17 |
18 | ### Support
19 |
20 | - https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation/
21 |
22 | - https://www.nato.int/cps/en/natohq/official_texts_183168.htm
23 |
24 | ## Victims
25 |
26 | ### FireEye
27 |
28 | - Breach Investigation
29 |
30 | - https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
31 |
32 | - Initial discovery
33 |
34 | - https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html
35 |
36 | - https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
37 |
38 | - Remediation & Hardening
39 |
40 | - https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html
41 |
42 | ### Microsoft
43 |
44 | - Solorigate Resources Center 🧭 READ FIRST
45 |
46 | - https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
47 |
48 | - Breach Investigation
49 |
50 | - https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
51 |
52 | - Impact
53 |
54 | - https://msrc-blog.microsoft.com/2021/02/18/microsoft-internal-solorigate-investigation-final-update/
55 |
56 | - Advisory
57 |
58 | - https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
59 |
60 | - Guidance & Best Practices
61 |
62 | - https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
63 |
64 | - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610
65 |
66 | - https://www.microsoft.com/security/blog/2020/12/21/advice-for-incident-responders-on-recovery-from-systemic-identity-compromises/
67 |
68 | - Detection
69 |
70 | - cf. Hunting / Detection
71 |
72 | - Hardening
73 |
74 | - https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/
75 |
76 | - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754
77 |
78 | - https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/
79 |
80 | - Policy
81 |
82 | - https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
83 |
84 | ### Unnamed Think Tank
85 |
86 | - https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
87 |
88 | ### Solarwinds
89 |
90 | - https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
91 |
92 | ### Malwarebytes
93 |
94 | - https://blog.malwarebytes.com/malwarebytes-news/2021/01/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments/
95 |
96 | ### FidelisSecurity
97 |
98 | - https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/
99 |
100 | ### Qualys & Palo Alto Networks
101 |
102 | - https://www.forbes.com/sites/thomasbrewster/2021/01/25/solarwinds-hacks-virginia-regulator-and-5-billion-cybersecurity-firm-confirmed-as-targets/
103 |
104 | ### Mimecast
105 |
106 | - https://www.mimecast.com/blog/important-update-from-mimecast/
107 |
108 | - https://www.mimecast.com/blog/important-security-update/
109 |
110 | - https://www.mimecast.com/incident-report/
111 |
112 | ### Google
113 |
114 | - https://cloud.google.com/blog/products/identity-security/how-were-helping-reshape-software-supply-chain-ecosystem-securely
115 |
116 | ### Failed attempts
117 |
118 | - CrowdStrike
119 |
120 | - Cf. CrowdStrike Reporting Tool for Azure blog post
121 |
122 | ### List from Stage2 pDNS
123 |
124 | ## Hunting / Detection
125 |
126 | ### Hunting w/ Sentinel
127 |
128 | - https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
129 |
130 | ### Detection & IR w/ Microsoft 365 Defender
131 |
132 | - https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
133 |
134 | ### Microsoft Defender for Identity
135 |
136 | - https://techcommunity.microsoft.com/t5/microsoft-security-and/microsoft-defender-for-identity-expands-support-to-ad-fs-servers/ba-p/2058511
137 |
138 | ### Azure AD Monitor
139 |
140 | - https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718
141 |
142 | ### Hunting w/ Splunk
143 |
144 | - https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
145 |
146 | ### Yara
147 |
148 | - https://github.com/fireeye/red_team_tool_countermeasures
149 |
150 | ### ATT&CK
151 |
152 | - https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714
153 |
154 | - https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
155 |
156 | ### Zeek
157 |
158 | - https://corelight.blog/2020/12/22/detecting-sunburst-solarigate-activity-in-retrospect-with-zeek-a-practical-example/
159 |
160 | ### CrowdStrike Reporting Tool for Azure
161 |
162 | - https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/
163 |
164 | - https://github.com/CrowdStrike/CRT
165 |
166 | ### CISA - Sparrow
167 |
168 | - https://github.com/cisagov/Sparrow
169 |
170 | - https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/
171 |
172 | ### Host - C2 match
173 |
174 | - https://www.trustedsec.com/blog/risingsun-decoding-sunburst-c2-to-identify-infected-hosts-without-network-telemetry/
175 |
176 | ### Generic Playbook
177 |
178 | - https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/
179 |
180 | ### Microsoft IOC
181 |
182 | - https://github.com/microsoft/mstic/tree/master/Indicators/May21-NOBELIUM
183 |
184 | ## Security Advisory
185 |
186 | ### https://www.solarwinds.com/securityadvisory
187 |
188 | ### https://us-cert.cisa.gov/ncas/alerts/aa21-008a
189 |
190 | ### https://us-cert.cisa.gov/ncas/alerts/aa20-352a
191 |
192 | ### https://cyber.dhs.gov/ed/21-01/
193 |
194 | ### https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a
195 |
196 | ### https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2451159/nsa-cybersecurity-advisory-malicious-actors-abuse-authentication-mechanisms-to/
197 |
198 | ### Cf. Victims / Microsoft / Advisory
199 |
200 | ### https://us-cert.cisa.gov/ncas/current-activity/2021/03/17/ttp-table-detecting-apt-activity-related-solarwinds-and-active
201 |
202 | ### https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/
203 |
204 | ## Implants
205 |
206 | ### SUNBURST
207 |
208 | - FireEye
209 |
210 | - https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
211 |
212 | - Microsoft
213 |
214 | - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
215 |
216 | - McAfee
217 |
218 | - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/
219 |
220 | - CadoSecurity
221 |
222 | - https://www.cadosecurity.com/post/responding-to-solarigate
223 |
224 | - SentinelOne
225 |
226 | - https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
227 |
228 | - Truesec
229 |
230 | - https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
231 |
232 | - ReversingLabs
233 |
234 | - https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
235 |
236 | - Prevasio
237 |
238 | - https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html
239 |
240 | - GuidePoint Security
241 |
242 | - https://www.guidepointsecurity.com/analysis-of-the-solarwinds-supply-chain-attack/
243 |
244 | - RedDrip Team, QiAnXin Technology
245 |
246 | - https://twitter.com/reddrip7/status/1341654583886508037
247 |
248 | - Netresec
249 |
250 | - https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
251 |
252 | - https://www.netresec.com/?page=Blog&month=2021-01&post=Robust-Indicators-of-Compromise-for-SUNBURST
253 |
254 | - Symantec
255 |
256 | - Cf. teardrop analysis
257 |
258 | - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data
259 |
260 | - Kaspersky
261 |
262 | - https://securelist.com/sunburst-backdoor-kazuar/99981/
263 |
264 | - « do not infect » domain hashes
265 |
266 | - https://pastebin.com/KD4f4w5V
267 |
268 | - https://twitter.com/craiu/status/1341005999273091077
269 |
270 | - DNS Infrastructure
271 |
272 | - Kaspersky
273 |
274 | - https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/
275 |
276 | - Netresec
277 |
278 | - https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
279 |
280 | - https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS
281 |
282 | - https://www.netresec.com/?page=Blog&month=2021-01&post=Twenty-three-SUNBURST-Targets-Identified
283 |
284 | - https://www.netresec.com/?page=Blog&month=2021-02&post=Targeting-Process-for-the-SolarWinds-Backdoor
285 |
286 | - Cloudflare
287 |
288 | - https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/
289 |
290 | - RedDrip Team, QiAnXin Technology
291 |
292 | - https://twitter.com/reddrip7/status/1339168187619790848
293 |
294 | - DomainTools
295 |
296 | - https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident
297 |
298 | - https://pastebin.com/T0SRGkWq
299 |
300 | - https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators
301 |
302 | - Prevasio
303 |
304 | - https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html
305 |
306 | - https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html
307 |
308 | - « DGA » Decoder
309 |
310 | - RedDrip Team, QiAnXin Technology
311 |
312 | - https://github.com/RedDrip7/SunBurst_DGA_Decode
313 |
314 | - igosha
315 |
316 | - https://github.com/2igosha/sunburst_dga
317 |
318 | - Symantec
319 |
320 | - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection
321 |
322 | - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga
323 |
324 | - VriesHD
325 |
326 | - https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc
327 |
328 | - FNV-1a-XOR Hashes
329 |
330 | - https://twitter.com/tychotithonus/status/1340474080831688707?s=21
331 |
332 | - https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs/htmlview
333 |
334 | - Deobfuscated RE
335 |
336 | - https://github.com/ITAYC0HEN/SUNBURST-Cracked/blob/main/OrionImprovementBusinessLayer_modified.cs
337 |
338 | ### TEARDROP
339 |
340 | - Symantec
341 |
342 | - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
343 |
344 | - CheckPoint
345 |
346 | - https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
347 |
348 | - https://twitter.com/_cpresearch_/status/1339952318717063168
349 |
350 | - PaloAltoNetworks
351 |
352 | - https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline/
353 |
354 | - IOC
355 |
356 | - https://twitter.com/theenergystory/status/1346096298311741440
357 |
358 | - Microsoft
359 |
360 | - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
361 |
362 | ### SUNSPOT
363 |
364 | - CrowdStrike
365 |
366 | - https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
367 |
368 | ### RAINDROP
369 |
370 | - Symantec
371 |
372 | - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
373 |
374 | - Microsoft
375 |
376 | ### CobaltStrike
377 |
378 | - Microsoft
379 |
380 | ### GoldMax / SUNSHUTTLE
381 |
382 | - Microsoft
383 |
384 | - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
385 |
386 | - FireEye
387 |
388 | - https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html
389 |
390 | - CISA
391 |
392 | - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a
393 |
394 | ### GoldFinder, Sibot
395 |
396 | ### EnvyScout, BoomBox, NativeZone
397 |
398 | - Microsoft
399 |
400 | - **https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/**
401 |
402 | ### FoggyWeb
403 |
404 | - Microsoft
405 |
406 | - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/
407 |
408 |
--------------------------------------------------------------------------------
/SOLORIGATE_SUNBURST/SOLORIGATE_SUNBURST.opml:
--------------------------------------------------------------------------------
4 | SOLORIGATE_SUNBURST
--------------------------------------------------------------------------------