How Falcon Complete Stopped a SolarWinds Serv-U Exploit Campaign
Common Information
Type Value
UUID dd9d3d77-978d-45e5-88ec-5c54ac7b0c10
Fingerprint bc791b8fed6a8749
Analysis status DONE
Considered CTI value 0
Text language
Published Oct. 21, 2021, 9:47 a.m.
Added to db Sept. 26, 2022, 9:33 a.m.
Last updated Nov. 18, 2024, 12:28 p.m.
Headline Stopping GRACEFUL SPIDER: Falcon Complete’s Fast Response to Recent SolarWinds Serv-U Exploit Campaign
Title How Falcon Complete Stopped a SolarWinds Serv-U Exploit Campaign
Detected Hints/Tags/Attributes 73/2/12
Attributes
Type #Events CTI Value
CVE 17 cve-2021-35211
File 212 winlogon.exe
File 6 sysinfo.exe
File 1122 svchost.exe
File 3 serv-u.exe
File 478 lsass.exe
File 1260 explorer.exe
IPv4 1 46.161.40.87
IPv4 1 179.60.150.26
IPv4 2 179.60.150.32
IPv4 3 45.129.137.232
Windows Registry Key 7 HKLM\Software\Classes\CLSID