Microsoft open sources CodeQL queries used to hunt for Solorigate activity

Credit to Author: Eric Avena| Date: Thu, 25 Feb 2021 16:00:47 +0000

We are sharing the CodeQL queries that we used to analyze our source code at scale and rule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with Solorigate so that other organizations may perform a similar analysis.

The post Microsoft open sources CodeQL queries used to hunt for Solorigate activity appeared first on Microsoft Security.


Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop

Credit to Author: Eric Avena| Date: Wed, 20 Jan 2021 17:30:01 +0000

One missing link in the complex Solorigate attack chain is the handover from the Solorigate DLL backdoor to the Cobalt Strike loader. How exactly does the jump from the Solorigate backdoor (SUNBURST) to the Cobalt Strike loader (TEARDROP, Raindrop, and others) happen? What code gets triggered, and what indicators should defenders look for?

The post Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop appeared first on Microsoft Security.


Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender

Credit to Author: Eric Avena| Date: Thu, 14 Jan 2021 17:00:19 +0000

This blog is a guide for security administrators using Microsoft 365 Defender and Azure Defender to identify and implement security configuration and posture improvements that harden enterprise environments against Solorigate’s attack patterns.

The post Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender appeared first on Microsoft Security.


Using Microsoft 365 Defender to protect against Solorigate

Credit to Author: Eric Avena| Date: Mon, 28 Dec 2020 17:25:16 +0000

This blog is a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment.

The post Using Microsoft 365 Defender to protect against Solorigate appeared first on Microsoft Security.


Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

Credit to Author: Eric Avena| Date: Fri, 18 Dec 2020 22:15:14 +0000

We, along with the security industry and our partners, continue to investigate the extent of the Solorigate attack. While investigations are underway, we want to provide the defender community with intelligence to understand the scope, impact, remediation guidance, and product detections and protections we have built in as a result. While the full extent of…

The post Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers appeared first on Microsoft Security.
