Graylog: command_and_control_sunburst_dst_hostname

gistfile1.txt

rule "command_and_control_sunburst_dst_hostname"
// Written by Recon InfoSec SOC Team
//
// https://github.com/fireeye/sunburst_countermeasures/blob/main/indicator_release/Indicator_Release_NBIs.csv
// https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
// https://github.com/sophos-cybersecurity/solarwinds-threathunt/blob/master/iocs.csv
when
  has_field("dst_ip_is_internal")
  AND
  to_string($message.dst_ip_is_internal) == "false"
  AND
  has_field("dst_hostname")
  AND
    (
    contains(to_string($message.dst_hostname), "avsvmcloud.com", true)
    OR
    contains(to_string($message.dst_hostname), "freescanonline.com", true)
    OR
    contains(to_string($message.dst_hostname), "deftsecurity.com", true)
    OR
    contains(to_string($message.dst_hostname), "thedoccloud.com", true)
    OR
    contains(to_string($message.dst_hostname), "websitetheme.com", true)
    OR
    contains(to_string($message.dst_hostname), "highdatabase.com", true)
    OR
    contains(to_string($message.dst_hostname), "incomeupdate.com", true)
    OR
    contains(to_string($message.dst_hostname), "databasegalore.com", true)
    OR
    contains(to_string($message.dst_hostname), "panhardware.com", true)
    OR
    contains(to_string($message.dst_hostname), "zupertech.com", true)
    )
 
then
  set_field("threat_detected", true);
  set_field("threat_name", "command_and_control_sunburst_dst_hostname");
  set_field("threat_desc", "Detected an outbound connection to a known sunburst c2 domain");
  set_field("threat_tactic", "command_and_control");
  set_field("threat_score", 10);
end