{
  "description": "Enterprise techniques used by SUNBURST, ATT&CK software S0559 (v2.5)",
  "name": "SUNBURST (S0559)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) communicated via HTTP GET or HTTP POST requests to third party servers for C2.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071.004", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) used DNS for C2 traffic designed to mimic normal SolarWinds API communications.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) used VBScripts to initiate the execution of payloads.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) used Base64 encoding in its C2 traffic.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected information from a compromised host.(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) added junk bytes to its C2 over HTTP.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001.002", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: FireEye SUNBURST Additional Details Dec 2020)(Citation: Symantec Sunburst Sending Data January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001.003", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1568", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) encrypted C2 traffic using a single-byte-XOR cipher.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.012", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of [Cobalt Strike](https://attack.mitre.org/software/S0154).(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) had commands to enumerate files and directories.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.(Citation: FireEye SUNBURST Additional Details Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) removed HTTP proxy registry values to clean up traces of execution.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) had a command to delete files.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.007", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) also removed the firewall rules it created during execution.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.009", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) removed IFEO registry values to clean up traces of persistence.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) delivered different payloads, including [TEARDROP](https://attack.mitre.org/software/S0560) in at least one instance.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) created VBScripts that were named after existing services or folders to blend into legitimate activities.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\\SYSTEM\\CurrentControlSet\\services\\\\[service_name]\\\\Start registry entries to value 4.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020) It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) obfuscated collected system information using a FNV-1a + XOR algorithm.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.005", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to [SUNSPOT](https://attack.mitre.org/software/S0562).(Citation: CrowdStrike SUNSPOT Implant January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.015", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) strings were compressed and encoded in Base64.(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid from compromised hosts.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) checked for a variety of antivirus/endpoint detection agents prior to execution.(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: FireEye SUNBURST Additional Details Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) was digitally signed by SolarWinds from March - May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.011", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) used Rundll32 to execute payloads.(Citation: Microsoft Deep Dive Solorigate January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected hostname and OS version.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected the username from a compromised host.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1124", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) collected device `UPTIME`.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.001", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) checked the domain name of the compromised host to verify it was running in a real environment.(Citation: Microsoft Analyzing Solorigate Dec 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) remained dormant after initial access for a period of up to two weeks.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[SUNBURST](https://attack.mitre.org/software/S0559) used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.(Citation: FireEye SUNBURST Backdoor December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by SUNBURST", "color": "#66b1ff"}]
}