Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security Blog
Tags
cmtmf-attack-pattern: Masquerading Supply Chain Compromise
attack-pattern: Data Cloud Services - T1021.007 Credentials - T1589.001 Domains - T1583.001 Domains - T1584.001 Impersonation - T1656 Lsass Memory - T1003.001 Malware - T1587.001 Malware - T1588.001 Masquerading - T1655 Powershell - T1059.001 Rundll32 - T1218.011 Saml Tokens - T1606.002 Server - T1583.004 Server - T1584.004 Software - T1592.002 Supply Chain Compromise - T1474 Tool - T1588.002 Masquerading - T1036 Powershell - T1086 Rundll32 - T1085 Supply Chain Compromise - T1195 Windows Management Instrumentation - T1047 Masquerading Supply Chain Compromise
Show in Graph
Common Information
Type Value
UUID 3aaa5f3a-20e1-47ed-b67c-7a6f604e945a
Fingerprint 65512a116edeee1b
Analysis status DONE
Considered CTI value 0
Text language
Published Dec. 28, 2020, 9:25 a.m.
Added to db Sept. 26, 2022, 9:31 a.m.
Last updated Nov. 17, 2024, 6:54 p.m.
Headline Using Microsoft 365 Defender to protect against Solorigate
Title Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security Blog
Detected Hints/Tags/Attributes 103/2/15
Source URLs
Redirection Url
Details Source https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
URL Provider
Details Provider Source level domain
Details microsoft.com www.microsoft.com
Attributes
Details Type #Events CTI Value
Details Domain 107 
aka.ms
Details Domain 3 
raweventdata.target
Details Domain 50 
avsvmcloud.com
Details Domain 1 
targetdetails.name
Details Domain 17 
mail.read
Details Domain 1 
targetdetails.id
Details Domain 1 
keyevents.name
Details Domain 1 
solorigate.br
Details File 4 
raweventdata.tar
Details File 29 
orion.core
Details File 26 
businesslayer.dll
Details File 1018 
rundll32.exe
Details IPv4 1441 
127.0.0.1
Details IPv6 72 
::1
Details Url 8 
https://aka.ms/solorigate.