1 Supply Chain Compromise: A SolarWinds Orion software update package is compromised with a malicious binary named SUNBURST. More than 18,000 organizations install the trojanized update.
2 Validate Environment: SUNBURST activates 12-14 days after the trojanized update has been installed and validates that analysis tools and antivirus engine components are not present.
3 Identify C2 Domain: SUNBURST performs DNS lookups to a subdomain of avsvmcloud[.]com encoded with information about the specific local environment. A CNAME response to the request initiates a custom HTTPS tunnel included in the compromised binary.
4 Establish Initial C2 Tunnel: The custom HTTPS tunnel connects out from the compromised server, allowing attackers to perform local reconnaissance and install additional software like Teardrop, an in-memory dropper, and custom versions of Cobalt Strike.
5 Establish Full-featured C2 Tunnel: Once the custom Cobalt Strike HTTPS C2 is downloaded and installed, attackers gain richer features for hands-on-keyboard progression that drives the rest of the attack.
6 Domain Recon: Attackers identify a path to gain domain admin with tools like AdFind and AD reconnaissance techniques similar to BloodHound.
7 Get Domain Admin: Attackers leverage service or admin accounts present on the server and Windows admin tools that support remote code execution to move laterally from the SolarWinds system deeper into the network.
8 Steal SAML Signing Certificate: Attackers leverage Domain Admin credentials to move to the ADFS server and steal the SAML signing certificate.
9 Admin Access to Azure AD: Using the stolen certificate to forge new SAML tokens, attackers can access Azure AD with admin permissions.
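As an added defender-side example (not part of the original infographic and not Vectra's own detection models), the Python check below runs over constructed DNS resolver log lines and flags the encoded lookups to avsvmcloud[.]com described in step 3, escalating the finding when a CNAME answer comes back, since that answer is what triggers the tunnel in step 4. The log line format, client addresses and subdomain labels are assumptions made for the example.

```python
import re
from collections import defaultdict

# Beacon domain named on the page (written there defanged as avsvmcloud[.]com).
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log (not real telemetry), one query per line:
# timestamp client qname qtype rcode answer  (answer carries a CNAME: prefix for CNAME responses)
SAMPLE_DNS_LOG = """\
2020-06-01T03:12:44Z 10.20.5.17 k2ba1d9keg15cbg0q7e3.avsvmcloud.com A NOERROR 198.51.100.7
2020-06-01T03:12:44Z 10.20.5.17 h9tb99s0mc925kd1lq8w.avsvmcloud.com A NOERROR CNAME:tunnel-host.placeholder.example
2020-06-01T03:13:01Z 10.20.5.41 www.example.com A NOERROR 192.0.2.10
2020-06-01T03:14:09Z 10.20.5.17 orion-updates.vendor.example A NOERROR 203.0.113.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+) (?P<answer>\S+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_beacon_query(qname):
    """True if qname is the beacon domain or any subdomain of it (suffix match on a label boundary)."""
    q = qname.lower().rstrip(".")
    return q == BEACON_DOMAIN or q.endswith("." + BEACON_DOMAIN)

def analyze_dns_log(text):
    """One finding per client: 'beacon' when encoded lookups were seen (step 3),
    'tunnel-trigger' when a CNAME answer came back, the signal that starts the tunnel (step 4)."""
    per_client = defaultdict(lambda: {"queries": 0, "cname_seen": False, "first_seen": None})
    for raw in text.splitlines():
        rec = parse_line(raw)
        if not rec or not is_beacon_query(rec["qname"]):
            continue
        state = per_client[rec["client"]]
        state["queries"] += 1
        state["first_seen"] = state["first_seen"] or rec["ts"]
        if rec["answer"].upper().startswith("CNAME:"):
            state["cname_seen"] = True
    return [
        {"client": c, "first_seen": s["first_seen"], "beacon_queries": s["queries"],
         "severity": "tunnel-trigger" if s["cname_seen"] else "beacon"}
        for c, s in sorted(per_client.items())
    ]

if __name__ == "__main__":
    for finding in analyze_dns_log(SAMPLE_DNS_LOG):
        print(finding)
```

The suffix match is anchored on a label boundary, so a look-alike such as notavsvmcloud.com or avsvmcloud.com.other.example is not flagged; pair the hit with the host's SolarWinds install date to line it up with the 12-14 day dormancy in step 2.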
Coverage by step (which product sees each step):
1 Vectra NDR + SIEM
2 Vectra NDR + EDR
3 EDR
4 Vectra NDR + SIEM
5 Vectra NDR + EDR
6 Vectra NDR
7 Vectra NDR
8 Vectra NDR
9 Vectra NDR
See threats. Stop Breaches earlier in the ATT&CK matrix.
Vectra network detection and response (NDR)
Endpoint detection and response (EDR)
Security information and event management (SIEM)
10 Modify Federation Trust for long term access: To gain persistent access to Azure AD, attackers can add new domains or modify the trusted Certificate Authorities so that attacker-owned signing certificates are accepted.
11 Modify Credentials and OAuth Applications for Persistent Access to O365: Attackers gain access to applications (e.g. email archiving) that have access to organization emails by adding new credentials and modifying permissions.
12 Access Email Data: Attackers can directly access email in specific user accounts or leverage native O365 tools like eDiscovery and Power Automate to harvest specific data.
Timeline: March 2020 to Dec 2020
Vectra detections by step:
3 Identify C2 Domain: • Vectra Threat Intelligence • Custom models and metadata-based hunting
4 Establish Initial C2 Tunnel: • HTTPS Hidden Tunnel
5 Establish Full-featured C2 Tunnel: • HTTPS Hidden Tunnel
6 Domain Recon: • Suspicious LDAP Query • RPC Recon
7 Get Domain Admin: • Suspicious Remote Execution • Privileged Access Anomalies
8 Steal SAML Signing Certificate: • Suspicious Remote Execution • Privileged Access Anomalies
9 Admin Access to Azure AD: • Suspicious Sign-on
10 Modify Federation Trust: • Suspicious Azure AD Operation
11 Modify Credentials for Access to O365: • Redundant Access Creation
12 Access Email Data: • Suspicious Sign-On • Suspicious Email Forwarding • Suspicious Transport Rule • eDiscovery Search • Suspicious Power Automate
ATT&CK progression:
1 Initial Access
2 Execution
3 Persistence
4 Privilege Escalation
5 Credential Access
6 Discovery
7 Lateral Movement
8 Command & Control
9 Exfiltration