The hunting hypothesis is that devices which report a known-affected Orion build in Threat and Vulnerability Management data may have been exposed to the Nobelium supply chain campaign. SOC teams should proactively hunt for these devices in Azure Sentinel so that early-stage indicators of a supply chain compromise are identified and mitigated before lateral movement and data exfiltration occur.
KQL Query
DeviceTvmSoftwareVulnerabilities
| where CveId == 'TVM-2020-0002'
| project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
id: 720e10a2-d005-4d0d-bbae-0c31ed952d83
name: known-affected-software-orion[Nobelium]
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query searches Threat and Vulnerability Management (TVM) data for Orion software known to be affected by the Nobelium campaign.
  More Nobelium-related queries can be found listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceTvmSoftwareVulnerabilities
tactics:
  - Impact
tags:
  - Nobelium
query: |
  DeviceTvmSoftwareVulnerabilities
  | where CveId == 'TVM-2020-0002'
  | project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
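To make the query's behaviour concrete without a Sentinel workspace, the following Python is an added example (it is not part of the original hunting query or of Microsoft's code). It re-implements the KQL `where` and `project` steps over constructed sample rows shaped like the `DeviceTvmSoftwareVulnerabilities` table, and goes one step beyond the page by collapsing the hits to one triage entry per device with the affected components listed. The column names are those the query itself uses; every device name, version string and non-Orion CVE identifier in the sample rows is constructed for the example.

```python
"""Offline emulation of the known-affected-software-orion[Nobelium] query.

Added example, not the page's own code. It mirrors:
    DeviceTvmSoftwareVulnerabilities
    | where CveId == 'TVM-2020-0002'
    | project DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion
and then groups the projected hits per device for analyst triage.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

# Identifier used by the page's query; it is a TVM software identifier, not a CVE.
AFFECTED_SOFTWARE_ID = "TVM-2020-0002"

# Columns kept by the query's `project` step, in the same order.
PROJECTED = ("DeviceId", "DeviceName", "SoftwareVendor",
             "SoftwareName", "SoftwareVersion")

# Constructed sample rows (assumption: shaped like table output, values invented).
SAMPLE_TVM_ROWS = [
    {"DeviceId": "dev-001", "DeviceName": "mon-srv-01.corp.example",
     "SoftwareVendor": "solarwinds", "SoftwareName": "orion_platform",
     "SoftwareVersion": "2020.2.1", "CveId": "TVM-2020-0002"},
    {"DeviceId": "dev-001", "DeviceName": "mon-srv-01.corp.example",
     "SoftwareVendor": "solarwinds", "SoftwareName": "orion_platform",
     "SoftwareVersion": "2020.2.1", "CveId": "CVE-0000-0001"},  # constructed, unrelated finding
    {"DeviceId": "dev-002", "DeviceName": "mon-srv-02.corp.example",
     "SoftwareVendor": "solarwinds", "SoftwareName": "orion_platform",
     "SoftwareVersion": "2019.4", "CveId": "TVM-2020-0002"},
    {"DeviceId": "dev-003", "DeviceName": "ws-17.corp.example",
     "SoftwareVendor": "examplevendor", "SoftwareName": "texteditor",
     "SoftwareVersion": "8.1", "CveId": "CVE-0000-0002"},  # constructed, unrelated finding
    {"DeviceId": "dev-002", "DeviceName": "mon-srv-02.corp.example",
     "SoftwareVendor": "solarwinds", "SoftwareName": "orion_npm",
     "SoftwareVersion": "2019.4", "CveId": "TVM-2020-0002"},
]


def hunt_affected_orion(rows: Iterable[Dict[str, str]],
                        software_id: str = AFFECTED_SOFTWARE_ID) -> List[Dict[str, str]]:
    """KQL `where CveId == software_id` followed by `project PROJECTED`.

    Returns one projected dict per matching row, preserving input order,
    exactly as the query would return one result row per TVM finding.
    """
    return [{col: row[col] for col in PROJECTED}
            for row in rows
            if row.get("CveId") == software_id]


def summarize_by_device(hits: Iterable[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Collapse per-finding hits to one triage entry per DeviceId.

    A device with several affected Orion components produces several query
    rows; the analyst usually wants a single line listing all of them.
    """
    grouped = defaultdict(lambda: {"DeviceName": "", "Components": set()})
    for hit in hits:
        entry = grouped[hit["DeviceId"]]
        entry["DeviceName"] = hit["DeviceName"]
        entry["Components"].add(f'{hit["SoftwareName"]} {hit["SoftwareVersion"]}')
    return {dev: {"DeviceName": e["DeviceName"],
                  "Components": sorted(e["Components"])}
            for dev, e in grouped.items()}


if __name__ == "__main__":
    # Usage: run the emulated query, then print one triage line per device.
    for device_id, info in summarize_by_device(hunt_affected_orion(SAMPLE_TVM_ROWS)).items():
        print(f'{device_id} {info["DeviceName"]}: {", ".join(info["Components"])}')
```

The emulation keeps the query's own semantics (an exact match on `CveId`, no deduplication) so that the row count you see offline matches what Sentinel returns; the per-device summary is the extra triage step a hunter would normally add with a KQL `summarize` once the hits are confirmed.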
False-positive scenarios. Note that the exclusions below are expressed against process telemetry fields (process.name, process.parent_process_name, process.user, process.command_line), not against the DeviceTvmSoftwareVulnerabilities columns projected by the query above, so they apply to follow-on process-level hunting rather than to the software inventory query itself.

Scenario: Scheduled System Maintenance Job
Description: A legitimate scheduled job runs a script with "orion" in its name, such as orion-maintenance.ps1, which performs routine system health checks.
Filter/Exclusion: process.name != "orion-maintenance.ps1", or check for process.parent_process_name == "task scheduler"

Scenario: Admin Task Using Orion for Network Monitoring
Description: A system administrator uses the Orion network monitoring tool (e.g., SolarWinds Orion) to configure and manage network devices.
Filter/Exclusion: process.name != "orion.exe", or check for process.user == "admin" and process.command_line contains "configure"

Scenario: Software Update or Patching Process
Description: A legitimate software update process for Orion (e.g., SolarWinds Orion) is being executed, which may involve temporary file creation or script execution.
Filter/Exclusion: process.name != "orion-updater.exe", or check for process.command_line contains "update"

Scenario: Log Analysis or Forensic Tool Using Orion
Description: A security analyst uses a tool named "Orion" (not related to SolarWinds) for log analysis or forensic investigation.
Filter/Exclusion: process.name != "orion-log-analyzer.exe", or check for process.user == "security_analyst"

Scenario: Custom Script for Inventory or Compliance
Description: A custom script named orion_inventory.sh or orion_compliance.ps1 is used to gather system inventory or to ensure compliance with internal policies.
Filter/Exclusion: process.name != "orion_inventory.sh", or check for process.command_line contains "inventory" or process.command_line contains "compliance"