


Solarwinds/Sunburst Campaign - MITRE ATT&CK Techniques

April 13, 2021
Rafael Tenorio & Sergio Delgado - One eSecurity

Analysis of the reports listed in the References section below yields the following MITRE ATT&CK techniques associated with the campaign and threat actor:

| ID | TTP | Name | Solarwinds Flavor | Reference |
|---|---|---|---|---|
| 1 | T1059 | Command and Scripting Interpreter | UNC2452/Dark Halo/SolarStorm | |
| 2 | T1059.001 | Command and Scripting Interpreter: PowerShell | UNC2452 | |
| 3 | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | UNC2452 | |
| 4 | T1059.005 | Command and Scripting Interpreter: Visual Basic | Sunburst / UNC2452 | |
| 5 | T1105 | Ingress Tool Transfer | UNC2452/Dark Halo/SolarStorm | |
| 6 | T1218.011 | Signed Binary Proxy Execution: Rundll32 | UNC2452/Dark Halo/SolarStorm | |
| 7 | T1195.002 | Supply Chain Compromise | UNC2452/Dark Halo/SolarStorm | |
| 8 | T1070 | Indicator Removal on Host | UNC2452 | |
| 9 | T1070.006 | Timestomp | UNC2452 | |
| 10 | T1098.002 | Account Manipulation: Exchange Email Delegate Permissions | UNC2452 | |
| 11 | T1098.001 | Account Manipulation: Additional Cloud Credentials | Solorigate | |
| 12 | T1606.001 | Forge Web Credentials: Web Cookies | UNC2452 | |
| 13 | T1606.002 | Forge Web Credentials: SAML Tokens | UNC2452 | |
| 14 | T1552.004 | Unsecured Credentials: Private Keys | UNC2452 | |
| 15 | T1484.002 | Domain Policy Modification: Domain Trust Modification | Solorigate | |
| 16 | T1071.001 | Application Layer Protocol: Web Protocols | Sunburst | |
| 17 | T1071.004 | Application Layer Protocol: DNS | Sunburst | |
| 18 | T1482 | Domain Trust Discovery | UNC2452 | |
| 19 | T1132.001 | Data Encoding: Standard Encoding | Sunburst | |
| 20 | T1005 | Data from Local System | Sunburst | |
| 21 | T1001.001 | Data Obfuscation: Junk Data | Sunburst | |
| 22 | T1001.002 | Data Obfuscation: Steganography | Sunburst | |
| 23 | T1001.003 | Data Obfuscation: Protocol Impersonation | Sunburst | |
| 24 | T1568 | Dynamic Resolution | Sunburst | |
| 25 | T1573.001 | Encrypted Channel: Symmetric Cryptography | Sunburst | |
| 26 | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | UNC2452 | |
| 27 | T1546.012 | Event Triggered Execution: Image File Execution Options Injection | Sunburst | |
| 28 | T1083 | File and Directory Discovery | Sunburst / Sunspot | |
| 29 | T1562.001 | Impair Defenses: Disable or Modify Tools | Sunburst | |
| 30 | T1562.002 | Impair Defenses: Disable Windows Event Logging | UNC2452 | |
| 31 | T1562.004 | Impair Defenses: Disable or Modify System Firewall | UNC2452 | |
| 32 | T1070.004 | File Deletion | Sunburst / Sunspot | |
| 33 | T1036 | Masquerading | Raindrop | |
| 34 | T1036.004 | Masquerade Task or Service | UNC2452 | |
| 35 | T1036.005 | Masquerading: Match Legitimate Name or Location | Sunburst / Teardrop / Sunspot / Raindrop | |
| 36 | T1112 | Modify Registry | Sunburst / Teardrop | |
| 37 | T1027 | Obfuscated Files or Information | Sunburst / Teardrop / Sunspot | |
| 38 | T1027.002 | Software Packing | Raindrop | |
| 39 | T1027.003 | Steganography | Raindrop | |
| 40 | T1027.005 | Indicator Removal from Tools | Sunburst | |
| 41 | T1057 | Process Discovery | Sunburst / Teardrop / Sunspot | |
| 42 | T1012 | Query Registry | Sunburst / Teardrop | |
| 43 | T1518.001 | Software Discovery: Security Software Discovery | Sunburst | |
| 44 | T1553.002 | Subvert Trust Controls: Code Signing | Sunburst | |
| 45 | T1082 | System Information Discovery | Sunburst | |
| 46 | T1016 | System Network Configuration Discovery | Sunburst | |
| 47 | T1033 | System Owner/User Discovery | Sunburst | |
| 48 | T1007 | System Service Discovery | Sunburst | |
| 49 | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Sunburst / Raindrop | |
| 50 | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Sunburst | |
| 51 | T1047 | Windows Management Instrumentation | Sunburst | |
| 52 | T1543.003 | Create or Modify System Process: Windows Service | Teardrop | |
| 53 | T1140 | Deobfuscate/Decode Files or Information | Teardrop / Sunspot / Raindrop | |
| 54 | T1134 | Access Token Manipulation | Sunspot | |
| 55 | T1565.001 | Data Manipulation: Stored Data Manipulation | Sunspot | |
| 56 | T1480 | Execution Guardrails | Sunspot | |
| 57 | T1106 | Native API | Sunspot | |
| 58 | T1087 | Account Discovery | UNC2452 | |
| 59 | T1560 | Archive Collected Data: Archive via Utility | UNC2452 | |
| 60 | T1555 | Credentials from Password Stores | UNC2452 | |
| 61 | T1074.002 | Data Staged: Remote Data Staging | UNC2452 | |
| 62 | T1587.001 | Develop Capabilities: Malware | UNC2452 | |
| 63 | T1114.002 | Email Collection: Remote Email Collection | UNC2452 | |
| 64 | T1048.002 | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | UNC2452 | |
| 65 | T1190 | Exploit Public-Facing Application | UNC2452 | |
| 66 | T1003.006 | OS Credential Dumping: DCSync | UNC2452 | |
| 67 | T1069 | Permission Groups Discovery | UNC2452 | |
| 68 | T1090.001 | Proxy: Internal Proxy | UNC2452 | |
| 69 | T1021.006 | Remote Services: Windows Remote Management | UNC2452 | |
| 70 | T1018 | Remote System Discovery | UNC2452 | |
| 71 | T1053.005 | Scheduled Task/Job: Scheduled Task | UNC2452 | |
| 72 | T1550 | Use Alternate Authentication Material | UNC2452 | |
| 73 | T1550.004 | Web Session Cookie | UNC2452 | |
| 74 | T1078 | Valid Accounts | UNC2452 | |