https://github.com/subfission/sunburst-data-aggregation

Aggregation of threat intel sources for the SolarWinds Orion(SUNBURST) attack.

# SUNBURST Data Aggregation
The following is an aggregation of threat intel sources for the **SolarWinds Orion** (**SUNBURST**) attack.

*Note: I do not own or maintain these resources and make no claim as to their validity or safety.*

## Open Source Resources
1. [Mandiant SunBurst Countermeasures by FireEye](https://github.com/fireeye/sunburst_countermeasures)
2. [Suburst DGA Domains Decoded](https://github.com/5u3e10px/Suburst-DGA-Domains-Decoded)
3. [Decompile of the SolarWinds "SUNBURST" Trojan associated with Campaign UNC2452 by Shadow0ps](https://github.com/Shadow0ps/solorigate_sample_source)
4. [Sunburst IOCs for Splunk Ingest by davisshannon](https://github.com/davisshannon/Splunk-Sunburst)
5. [Various indicator lists and/or free research tools provided by Bambenek Labs](https://github.com/bambenek/research)
6. [SunBurst DGA Decode Script by RedDrip7](https://github.com/RedDrip7/SunBurst_DGA_Decode)
7. [SunBurst sample detonation review by ept-team](https://github.com/ept-team/sunburst)
8. [Quick lookup files for SUNBURST Backdoor by rkovar](https://github.com/rkovar/sunburstlookups)
9. [Alienvault OTX Threat Intel](https://otx.alienvault.com/pulse/5fd6df943558e0b56eaf3da8)
10. [Azure-Sentinel-Notebooks Guided Hunting - Solarwinds Post Compromise](https://github.com/Azure/Azure-Sentinel-Notebooks/blob/fdcc923d15d9aeb9f99bf78ed66d9fb0de29b3d6/Guided%20Investigation%20-%20Solarwinds%20Post%20Compromise%20Activity.ipynb)
11. [Credential Dumping Tool for SolarWinds Orion by mubix](https://github.com/mubix/solarflare)
12. [Powershell script to decode the DGA algorithm used in the SUNBURST backdoor by Truesec](https://github.com/Truesec/sunburst-decoder)

## News Media
- [FireEye Threat Research - Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor](https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html)
- [FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community](https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html)
- [FireEye Identifies Killswitch for SolarWinds Malware as Victims Scramble to Respond](https://www.darkreading.com/attacks-breaches/fireeye-identifies-killswitch-for-solarwinds-malware-as-victims-scramble-to-respond/d/d-id/1339746)
- [DomainTools - Unraveling Network Infrastructure Linked to the SolarWinds Hack](https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack)
- [Hackers used SolarWinds' dominance against it in sprawling spy campaign](https://www.reuters.com/article/us-global-cyber-solarwinds/hackers-at-center-of-sprawling-spy-campaign-turned-solarwinds-dominance-against-it-idUSKBN28P2N8)
- [Microsoft - Ensuring customers are protected from Solorigate](https://www.microsoft.com/security/blog/2020/12/15/ensuring-customers-are-protected-from-solorigate/)
- [Solorigate: SolarWinds Orion Platform Contained a Backdoor Since March 2020 (SUNBURST)](https://www.tenable.com/blog/solorigate-solarwinds-orion-platform-contained-a-backdoor-since-march-2020-sunburst)
- [The SolarWinds Perfect Storm: Default Password, Access Sales and More](https://threatpost.com/solarwinds-default-password-access-sales/162327/)
- [Rapid7 - SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know](https://blog.rapid7.com/2020/12/14/solarwinds-sunburst-backdoor-supply-chain-attack-what-you-need-to-know/)
- [Unit42 - Threat Brief: SolarStorm and SUNBURST Customer Coverage](https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/)
- [Dark Halo Leverages SolarWinds Compromise to Breach Organizations](https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/)
- [Talos - Threat Advisory: SolarWinds supply chain attack](https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html)
- [Cnet - SolarWinds hack hits major tech companies and hospital system: What you need to know](https://www.cnet.com/news/solarwinds-hack-hits-major-tech-companies-and-hospital-system-what-you-need-to-know/)
- [ZDNet - A second hacking group has targeted SolarWinds systems](https://www.zdnet.com/article/a-second-hacking-group-has-targeted-solarwinds-systems/)
- [Cisco targeted in SolarWinds attack as Microsoft uncovers a second hacking group](https://siliconangle.com/2020/12/20/cisco-targeted-solarwinds-attack-microsoft-uncovers-second-hacking-group/)
- [Bloomberg - SolarWinds Adviser Warned of Lax Security Years Before Hack](https://www.bloomberg.com/news/articles/2020-12-21/solarwinds-adviser-warned-of-lax-security-years-before-hack)
- [TRUESEC - The SolarWinds Orion SUNBURST supply-chain Attack](https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/)

## Social Media
- [Twitter #UNC2452](https://twitter.com/hashtag/UNC2452)
- [Twitter #SUNBURST](https://twitter.com/hashtag/SUNBURST)
- [Twitter #SolarWindsOrion](https://twitter.com/hashtag/SolarWindsOrion)
- [Twitter #solarwinds123](https://twitter.com/hashtag/solarwinds123)
- [Twitter #solorigate](https://twitter.com/hashtag/solorigate)
- [Twitter #SolarWindsHack](https://twitter.com/hashtag/SolarWindsHack)

## Cybersecurity and Infrastructure Security Agency (CISA)
- [Emergency Directive 21-01](https://cyber.dhs.gov/ed/21-01/)
- [Security Advisory - Active Exploitation of SolarWinds Software](https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software)
- [Alert (AA20-352A) Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations](https://us-cert.cisa.gov/ncas/alerts/aa20-352a)

## Vendor Security Resources
- [Elastic Security provides free and open protections for SUNBURST](https://www.elastic.co/blog/elastic-security-provides-free-and-open-protections-for-sunburst)
- [Finding SUNBURST backdoor with Zeek logs & Corelight](https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/)
- [Using Splunk to Detect Sunburst Backdoor](https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html)
- [Microsoft - Important steps for customers to protect themselves from recent nation-state cyberattacks](https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/)
- [SANS Emergency Webcast: What you need to know about the SolarWinds Supply-Chain Attack](https://www.youtube.com/watch?v=qP3LQNsjKWw)
- [Corelight: Finding SolarWinds / SUNBURST backdoors with Zeek & Corelight](https://www.youtube.com/watch?v=zGlxC-nGEzE)

## Hotfix
- [SolarWinds Hotfix 2](https://support.solarwinds.com/SuccessCenter/s/article/Orion-Platform-2020-2-1-Hotfix-2?language=en_US)

Please use this to protect yourself and your assets. Feel free to add pull requests for additional resources.