Domain | ID | Name | Use
---|---|---|---
Enterprise | T1134 | Access Token Manipulation | SUNSPOT modified its security token to grant itself debugging privileges by adding
Enterprise | T1565.001 | Data Manipulation: Stored Data Manipulation | SUNSPOT created a copy of the SolarWinds Orion software source file with a
Enterprise | T1140 | Deobfuscate/Decode Files or Information | SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.[1]
Enterprise | T1480 | Execution Guardrails | SUNSPOT only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values.[1]
Enterprise | T1083 | File and Directory Discovery | SUNSPOT enumerated the Orion software Visual Studio solution directory path.[1]
Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | Following the successful injection of SUNBURST, SUNSPOT deleted a temporary file it created named
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | SUNSPOT was identified on disk with a filename of
Enterprise | T1106 | Native API | SUNSPOT used Windows API functions such as
Enterprise | T1027 | Obfuscated Files or Information | SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion MsBuild.exe process.[1]
Enterprise | T1057 | Process Discovery | SUNSPOT monitored running processes for instances of
Enterprise | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.[1]

ID | Name | References
---|---|---
G0016 | APT29 |