


Threat Hunting with ML - Part 2 - Detecting the Solarwinds/Sunburst Campaign

May 20, 2021
Jess Garcia - One eSecurity
Twitter: j3ssgarcia - LinkedIn: garciajess

[ Full blog post series available here ]

Photo by Selvan B on Unsplash

In Part 1 of this blog post series, we presented the possibility of hunting for anomalies at scale, together with the need for a metric, an Anomaly Classification/Score, that lets us rank the data from most to least anomalous and thus plan our analysis resources.

In this blog post we will focus on a specific case study: the detection, via Threat Hunting, of an intrusion associated with an unknown threat for which we have no IOCs. As an example, we will use the recent Solarwinds/Sunburst case.

The Big Question

We will try to answer the following question:

  • Would we have been able to detect a Solarwinds/Sunburst-related intrusion if we had had a Threat Hunting process in place but no IOCs?

The Hunting Methodology

As a Hunt methodology, we are going to define the following:

  • Beyond hunting for Threat Actor/Campaign-based IOCs, our Threat Hunting Team will do anomaly-based hunting for the Top 5 techniques most used by our adversaries.

In order to define the Top 5 techniques we will be hunting for, we will use the Red Canary Top 20 Threat Report 2020 (Note: the 2020 report is no longer online; the report page is regularly updated with the latest report).

The 2020 Top 5 techniques outlined in that report are:

| ID | Technique ID* | Name                 | % of Total Threats |
|----|---------------|----------------------|--------------------|
| 1  | T1055         | Process Injection    | 17%                |
| 2  | T1053         | Scheduled Task/Jobs  | 13%                |
| 3  | T1021         | Windows Admin Shares | 13%                |
| 4  | T1086         | PowerShell           | 12%                |
| 5  | T1105         | Remote File Copy     | 9%                 |

*: MITRE ATT&CK Enterprise Technique

We will also assume that we only have analyst resources to review the Top 100 anomalies found in each category. This means that:

  • If the Solarwinds/Sunburst intrusion uses any of those Top 5 techniques, and the activity associated with them is detected as anomalous and scores in the Top 100, then our analysts would be able to detect the intrusion.

That is, our analysts would be able to identify that the activity observed was malicious, and they would therefore conduct a full-blown investigation, which we will assume would allow them to succeed in detecting the intrusion.

If, on the other hand, the anomalies are below the Top 100 mark, they wouldn't be able to detect the intrusion.

The Solarwinds/Sunburst Campaign

We will not elaborate on the Solarwinds/Sunburst Campaign here. We just want to know which of the Top 5 Techniques selected were actually used in the Solarwinds/Sunburst Campaign.

Out of the long list of techniques used in the Campaign, which you can find here, we can confirm that the campaign made use of 4 of the Top 5:

| ID | Technique ID* | Name                 | % of Total Threats |
|----|---------------|----------------------|--------------------|
| 2  | T1053         | Scheduled Task/Jobs  | 13%                |
| 3  | T1021         | Windows Admin Shares | 13%                |
| 4  | T1086         | PowerShell           | 12%                |
| 5  | T1105         | Remote File Copy     | 9%                 |

For the purpose of this analysis we will select T1053.005, which was used by the actor in this campaign and was, at the same time, Red Canary's number 2 technique in the 2020 Threat Report (i.e. at the time the Solarwinds/Sunburst Campaign was taking place).

EventCacheManager - The Solarwinds/Sunburst Scheduled Task

The Solarwinds/Sunburst Campaign Scheduled Task, EventCacheManager, has been documented in multiple Threat Reports (e.g. FireEye or Volexity).

It was used for lateral movement and created via PowerShell:

$scheduler = New-Object -ComObject ("Schedule.Service");
$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform");
$task = $folder.GetTask("EventCacheManager");
$definition = $task.Definition;
$definition.Settings.ExecutionTimeLimit = "PT0S";
echo "Done"

C:\Windows\system32\cmd.exe /C schtasks /create /F /tn "\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager" /tr "C:\Windows\SoftwareDistribution\EventCacheManager.exe" /sc ONSTART /ru system /S [machine_name]

In summary, the task characteristics are:

| Property           | Value                                                                                    |
|--------------------|------------------------------------------------------------------------------------------|
| Task Name          | \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager                          |
| Task File          | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager |
| File Executed      | C:\Windows\SoftwareDistribution\EventCacheManager.exe                                    |
| Task User          | SYSTEM                                                                                   |
| Task Schedule Type | ONSTART (the task runs every time the system starts)                                     |

Detection Strategy

Once the artifacts are selected (Task Scheduler event logs and the C:\Windows\System32\Tasks file listing), how will we detect the malicious Solarwinds/Sunburst Scheduled Task?

As we discussed previously, the idea is to run some type of Anomaly Detection mechanism on the selected artifacts and sort the results by a certain Anomaly Score, so that the most anomalous events are at the top of the list. If the EventCacheManager task is listed in the Top 100 anomalies, then we can conclude that our Threat Hunting Team, after following the leads and investigating further, would have successfully identified the intrusion.
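To make the strategy concrete, here is an added example (written for this edit; it is not code from the post or from the ds4n6 library) that applies the idea to a constructed fleet of scheduled task definitions: it parses minimal Task Scheduler XML, extracts who runs what and when (the same fields summarised above for EventCacheManager), gives each task a rarity-based anomaly score, and returns the Top N for review. Everything beyond the task documented above is an assumption for illustration: the three-host fleet and its benign tasks are constructed and only loosely modelled on default Windows tasks, the SYSTEM-alias folding and environment-variable expansion are simplifications, and the score (the sum of -log frequencies of each feature across the fleet) is a stand-in for whatever anomaly detection mechanism the series introduces later.

```python
"""Added example, not code from the DS4N6 post or the ds4n6 library.

Sketch of the detection strategy described in the post: collect scheduled task
definitions (C:\\Windows\\System32\\Tasks) from a fleet, reduce each to a few
features, give every task a rarity-based anomaly score and review only the Top N.
All task data is constructed inline so the script runs offline.
"""
import math
import xml.etree.ElementTree as ET
from collections import Counter

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumption: these identifiers all mean the local SYSTEM account and are folded together.
SYSTEM_ALIASES = {"s-1-5-18", "system", r"nt authority\system"}
# Assumption: only these two variables are expanded; a real collector expands more.
ENV_VARS = {"%windir%": r"c:\windows", "%systemroot%": r"c:\windows"}
FEATURES = ("exe_dir", "user", "trigger")

# Constructed fleet data, loosely modelled on default Windows tasks (not an inventory):
# (task path under the Tasks folder, command, principal, trigger element).
BENIGN_TASKS = [
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe", "S-1-5-18", "CalendarTrigger"),
    (r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan", r"C:\Program Files\Windows Defender\MpCmdRun.exe", "S-1-5-18", "CalendarTrigger"),
    (r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan", r"%systemroot%\system32\usoclient.exe", "S-1-5-18", "CalendarTrigger"),
    (r"\Microsoft\Windows\Time Synchronization\SynchronizeTime", r"C:\Windows\system32\sc.exe", "S-1-5-19", "CalendarTrigger"),
    (r"\Microsoft\Windows\WindowsUpdate\Scheduled Start", r"C:\Windows\system32\sc.exe", "S-1-5-18", "CalendarTrigger"),
    (r"\Microsoft\Windows\Wininet\CacheTask", r"C:\Windows\system32\rundll32.exe", "S-1-5-32-545", "LogonTrigger"),
    (r"\Microsoft\Windows\Shell\CreateObjectTask", r"C:\Windows\system32\rundll32.exe", "S-1-5-32-545", "LogonTrigger"),
    (r"\Microsoft\Windows\Registry\RegIdleBackup", r"C:\Windows\system32\rundll32.exe", "S-1-5-18", "CalendarTrigger"),
    (r"\Microsoft\Windows\TaskScheduler\Maintenance Configurator", r"C:\Windows\system32\rundll32.exe", "S-1-5-18", "BootTrigger"),
    (r"\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask", r"C:\Windows\system32\sppsvc.exe", "S-1-5-18", "CalendarTrigger"),
]
# The task documented in the post: name, binary, user and ONSTART (BootTrigger) schedule.
SUNBURST_TASK = (r"\Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager",
                 r"C:\Windows\SoftwareDistribution\EventCacheManager.exe", "SYSTEM", "BootTrigger")


def build_task_xml(command, user_id, trigger_tag):
    """Constructed minimal Task Scheduler 1.2 definition. No XML declaration on purpose:
    real task files are UTF-16 and should be parsed from the raw bytes, not from str."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS["t"]}">'
        f"<Triggers><{trigger_tag}><Enabled>true</Enabled></{trigger_tag}></Triggers>"
        f'<Principals><Principal id="Author"><UserId>{user_id}</UserId></Principal></Principals>'
        f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions>'
        "</Task>"
    )


def normalize_command(command):
    """Lower-case, strip quotes, expand the assumed variables; return (command, exe_dir)."""
    cmd = command.strip().strip('"').lower()
    for var, value in ENV_VARS.items():
        cmd = cmd.replace(var, value)
    exe_dir = cmd.rsplit("\\", 1)[0] if "\\" in cmd else ""
    return cmd, exe_dir


def normalize_user(user_id):
    user = user_id.strip().lower()
    return "SYSTEM" if user in SYSTEM_ALIASES else user


def parse_task(host, task_path, xml_text):
    """Extract the fields the post lists for EventCacheManager: who runs what, and when."""
    root = ET.fromstring(xml_text)
    command, exe_dir = normalize_command(
        root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS))
    triggers = root.find("t:Triggers", TASK_NS)
    trigger = "+".join(sorted(c.tag.split("}")[-1] for c in triggers)) if triggers is not None else "none"
    return {
        "host": host,
        "task_path": task_path,
        "command": command,
        "exe_dir": exe_dir,
        "user": normalize_user(root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=TASK_NS)),
        "trigger": trigger,
    }


def score_tasks(tasks, features=FEATURES):
    """Rarity score: sum over features of -log(fleet frequency of the task's value).
    A value seen on every task adds ~0; a value seen once adds log(N). This is a
    stand-in for the anomaly detection mechanism the post series introduces later."""
    n = len(tasks)
    counts = {f: Counter(t[f] for t in tasks) for f in features}
    scored = [dict(t, score=round(sum(-math.log(counts[f][t[f]] / n) for f in features), 3)) for t in tasks]
    return sorted(scored, key=lambda t: t["score"], reverse=True)


def constructed_fleet():
    """Three hosts with the same benign tasks; ws02 also carries the EventCacheManager task."""
    records = [(host,) + task for host in ("ws01", "ws02", "ws03") for task in BENIGN_TASKS]
    records.append(("ws02",) + SUNBURST_TASK)
    return [parse_task(host, path, build_task_xml(cmd, user, trig)) for host, path, cmd, user, trig in records]


def hunt(top=100):
    """The post's analyst budget: only the Top N anomalies get reviewed."""
    return score_tasks(constructed_fleet())[:top]


if __name__ == "__main__":
    for rank, task in enumerate(hunt(5), 1):
        print(f"{rank:>2} {task['score']:6.2f} {task['host']} {task['task_path']} -> {task['command']}")
```

Run as a script to print the Top 5. With only three features and a few dozen tasks, the ranking is driven almost entirely by the executable's directory (no other task in the fleet runs anything out of C:\Windows\SoftwareDistribution) and the ONSTART trigger; on real data the same scoring would be applied to many more features and hosts, and the Top 100 handed to analysts, as the post assumes.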

And what will be that Anomaly Detection mechanism that you are talking about?

Well, we will unveil that mystery in the upcoming parts of this blog post series!

Stay Tuned and contact us if you have any comment or question!

Closing Remark: Reality Bites

The scenario we are introducing here, the detection of the Solarwinds/Sunburst Campaign via Machine Learning Anomaly Detection, the rhetorical question asked, and the assumption that a well-trained analyst would have detected the Solarwinds/Sunburst Campaign using this methodology are obviously simplifications introduced for the sake of framing the discussion and providing a fun and familiar case scenario on which we could apply the concepts proposed.

Detecting and fully unveiling an extremely sophisticated operation like the Solarwinds/Sunburst one is typically not as simple as detecting an anomalous Scheduled Task. There are many factors (technical, technological, operational, procedural, policy, resourcing, budget, etc.) that contribute to the overall detection capabilities of an organization, and therefore their real detection capabilities are a combination of those factors.

I want to acknowledge from here the amazing work carried out by so many colleagues, DFIR companies and teams (with a special mention to the Microsoft Intelligence Center - MSTIC) in the dissection of all the components of this Campaign and its associated NOBELIUM Threat Actor.

That said, I hope the approach and technology proposed in these posts (and under the DS4N6 initiative as a whole), in the context of a solid Threat Hunting strategy, will help in the detection of similar future campaigns.
