Adversaries may be leveraging compromised software or infrastructure associated with the Nobelium campaign to establish persistent access within an Azure environment. SOC teams should proactively hunt for this behavior to identify and mitigate potential supply chain compromises before they lead to data exfiltration or lateral movement.
KQL Query
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor == 'solarwinds'
| where SoftwareName startswith 'orion'
| summarize dcount(DeviceName) by SoftwareName
| sort by dcount_DeviceName desc
id: ee0f4b76-c9dc-4d54-96c2-78145d6a0fe0
name: possible-affected-software-orion[Nobelium]
description: |
  This query was originally published in the threat analytics report, Solorigate supply chain attack. Please note that these attacks are currently known as the Nobelium campaign.
  Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as part of a campaign by the Nobelium activity group. Nobelium is the threat actor behind the attack against SolarWinds, which was previously referred to as Solorigate.
  Nobelium silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.
  The following query retrieves an inventory of SolarWinds Orion software use in your organization, organized by product name and ordered by how many devices the software is installed on.
  More Nobelium-related queries can be found listed under the See also section of this document.
  References:
  https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
  https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceTvmSoftwareVulnerabilities
tactics:
- Impact
tags:
- Nobelium
query: |
  DeviceTvmSoftwareVulnerabilities
  | where SoftwareVendor == 'solarwinds'
  | where SoftwareName startswith 'orion'
  | summarize dcount(DeviceName) by SoftwareName
  | sort by dcount_DeviceName desc
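As an added example, not part of the original query or Microsoft's hunting-query repository, the same inventory expanded from a per-product count to a per-device view with installed versions and the CVEs Defender Vulnerability Management has already recorded, so the hosts running Orion can be triaged first. It assumes the SoftwareVersion, CveId and VulnerabilitySeverityLevel columns of the standard DeviceTvmSoftwareVulnerabilities schema, and knownAffected is a placeholder list to fill from the vendor advisory (no version values are taken from this page).

```kql
// Added example (not the original query): per-device triage view of SolarWinds Orion components.
// knownAffected is a placeholder; populate it from the vendor advisory for your environment.
let knownAffected = dynamic(["<affected-version-1>", "<affected-version-2>"]);
DeviceTvmSoftwareVulnerabilities
| where SoftwareVendor =~ 'solarwinds'          // =~ is case-insensitive, tolerant of vendor casing
| where SoftwareName startswith 'orion'
| summarize Versions = make_set(SoftwareVersion),   // every Orion version seen on the device
            Cves     = make_set(CveId),             // CVEs already recorded against those versions
            Critical = countif(VulnerabilitySeverityLevel == "Critical"),
            High     = countif(VulnerabilitySeverityLevel == "High")
            by DeviceId, DeviceName, SoftwareName
// Flag devices whose installed version appears in the placeholder affected list
| extend OnAffectedVersion = array_length(set_intersect(Versions, knownAffected)) > 0
| sort by OnAffectedVersion desc, Critical desc, High desc, DeviceName asc
```

Devices flagged OnAffectedVersion, or carrying Critical findings, are the ones to isolate and review before working down the rest of the list.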
Scenario: Legitimate scheduled job for system maintenance
Description: A scheduled task runs a script that uses msiexec to install a legitimate patch or update.
Filter/Exclusion: Exclude processes where the command line includes msiexec /i with a known valid patch file path (e.g., C:\Windows\Temp\patch.msi).
Scenario: Admin performing a software deployment using Microsoft Endpoint Configuration Manager (MECM)
Description: An administrator uses MECM to deploy software, which may trigger the rule due to the use of msiexec.
Filter/Exclusion: Exclude processes initiated from the MECM console or with a command line containing msiexec /package with a known enterprise software package.
Scenario: User installing a legitimate third-party application via MSI package
Description: A user installs a third-party application (e.g., Adobe Reader) using an MSI installer, which may trigger the rule.
Filter/Exclusion: Exclude processes where the MSI file is located in a known enterprise software repository or has a known publisher (e.g., Adobe, Microsoft).
Scenario: System update via Windows Update or Windows Server Update Services (WSUS)
Description: A system update is initiated through WSUS, which may use msiexec to install updates.
Filter/Exclusion: Exclude processes where the command line includes msiexec /update or where the update is sourced from a known WSUS server.
Scenario: PowerShell script using MSI installer for configuration
Description: A PowerShell script uses msiexec to install or configure a legitimate application, such as a database or middleware.
Filter/Exclusion: Exclude processes where the script is located in a known enterprise script repository or where the MSI file is signed by