The hypothesis is that the detected behavior indicates an adversary is establishing command and control communication associated with the Nobelium campaign, leveraging compromised Azure environments to exfiltrate data and maintain persistence. SOC teams should proactively hunt for this behavior to identify and mitigate potential Nobelium-related attacks before they escalate to data exfiltration or lateral movement.
KQL Query
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
and AdditionalFields has ".avsvmcloud"
id: 4417c444-6ff7-47db-bde0-b6b9ef1b9080
name: c2-lookup-response[Nobelium]
description: |
This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
The following query detects events when Nobelium received a DNS response after launching a lookup request to known command-and-control infrastructure.
More Nobelium-related queries can be found listed under the See also section of this document.
References:
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceEvents
tactics:
- Command and control
tags:
- Nobelium
query: |
DeviceEvents
| where ActionType == "DnsQueryResponse" //DNS Query Response
and AdditionalFields has ".avsvmcloud"
| Sentinel Table | Notes |
|---|---|
DeviceEvents | Ensure this data connector is enabled |
Scenario: Legitimate scheduled system updates
Description: A system update process may trigger a C2 lookup due to the use of known infrastructure or tools associated with the Nobelium campaign.
Filter/Exclusion: process.name != "Windows Update" or process.parent.name != "svchost.exe"
Scenario: Admin task using PowerShell for configuration management
Description: An administrator may use PowerShell to configure network settings or manage services, which could inadvertently match the Nobelium C2 pattern.
Filter/Exclusion: process.name != "powershell.exe" or process.args not contains "configure"
Scenario: Use of legitimate remote management tools (e.g., Microsoft Remote Desktop, TeamViewer)
Description: Remote access tools may be used in a legitimate enterprise environment and could trigger the rule due to similar network behavior.
Filter/Exclusion: process.name not in ("mstsc.exe", "teamviewer.exe")
Scenario: Scheduled backup job using rsync or similar tools
Description: A backup job using rsync or another file transfer tool may trigger the rule due to network activity resembling C2 communication.
Filter/Exclusion: process.name != "rsync.exe" or process.args not contains "backup"
Scenario: Legitimate use of cloud infrastructure (e.g., AWS, Azure) for internal services
Description: Internal services hosted on cloud platforms may use IPs or domains that match the Nobelium C2 list, leading to false positives.
Filter/Exclusion: ip.src not in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16") or `domain not contains “aws” or