Solarwinds Sunburst Detection using Checkpoint

Stop the Press...

Here is some useful syntax to detect the Solarwinds Orion exploits CVE-2020-14005 & CVE-2020-13169 (Sunburst) when using Checkpoint SmartEvent.

Paste this into your SmartLog viewer to verify whether you have been affected. Run it over the period from the beginning of December 2020 first, then over all time to be sure.

"solartrackingsystem.net" OR "virtualdataserver.com" OR "avsvmcloud.com" OR "freescanonline.com" OR "databasegalore.com" OR "digitalcollege.org" OR "incomeupdate.com" OR "deftsecurity.com" OR "highdatabase.com" OR "websitetheme.com" OR "thedoccloud.com" OR "panhardware.com" OR "avsvmcloud.com" OR "lcomputers.com" OR "zupertech.com" OR "kubecloud.com" OR "webcodez.com" OR "13.59.205.66" OR "54.193.127.66" OR "54.215.192.52" OR "34.203.203.23" OR "139.99.115.204" OR "5.252.177.25" OR "5.252.177.21" OR "204.188.205.176" OR "51.89.125.18" OR "167.114.213.199" OR "avsvmcloud.com" OR *sunburst* OR *sunburs*

If your smartlog shows indicators please contact us immediately.
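As an added example (not code from the original post and not a Checkpoint tool), the Python script below runs the same indicator list offline over exported log lines, for instance when a log export cannot be loaded into SmartLog. It treats the listed IPs as exact matches and the listed domains as exact or subdomain matches (an assumption that Sunburst traffic may use subdomains of these domains), which is stricter than the free-text query above, and keeps the query's *sunburs* wildcard as a plain substring check. The sample log lines are constructed for illustration and do not follow the real Checkpoint export format.

```python
"""Offline check of exported log lines against the Sunburst indicators
from the SmartLog query above. Added example; sample lines are constructed."""
import re

# Domains and IPs copied from the SmartLog query on this page (deduplicated).
SUNBURST_DOMAINS = {
    "solartrackingsystem.net", "virtualdataserver.com", "avsvmcloud.com",
    "freescanonline.com", "databasegalore.com", "digitalcollege.org",
    "incomeupdate.com", "deftsecurity.com", "highdatabase.com",
    "websitetheme.com", "thedoccloud.com", "panhardware.com",
    "lcomputers.com", "zupertech.com", "kubecloud.com", "webcodez.com",
}
SUNBURST_IPS = {
    "13.59.205.66", "54.193.127.66", "54.215.192.52", "34.203.203.23",
    "139.99.115.204", "5.252.177.25", "5.252.177.21", "204.188.205.176",
    "51.89.125.18", "167.114.213.199",
}
# The query's *sunburst* / *sunburs* wildcards; the shorter term covers both.
SUNBURST_KEYWORDS = ("sunburs",)

# Dotted hostnames (labels of letters, digits and hyphens) and IPv4 literals.
HOST_RE = re.compile(
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def matched_indicators(line):
    """Return the set of indicators that appear in one log line.

    A hostname matches when it equals a listed domain or is a subdomain of it
    (assumption: beacons may use subdomains of the listed domains). IPs must
    match exactly; keywords are matched as case-insensitive substrings."""
    hits = set()
    lower = line.lower()
    for host in HOST_RE.findall(lower):
        for domain in SUNBURST_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.add(domain)
    for ip in IPV4_RE.findall(line):
        if ip in SUNBURST_IPS:
            hits.add(ip)
    for keyword in SUNBURST_KEYWORDS:
        if keyword in lower:
            hits.add(keyword)
    return hits


def scan_log(lines):
    """Return (line_number, line, sorted indicators) for each line with a hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        hits = matched_indicators(line)
        if hits:
            findings.append((number, line, sorted(hits)))
    return findings


# Constructed sample lines in a CSV-like style; not real Checkpoint log records.
SAMPLE_LOG = [
    "1Dec2020 09:12:01;accept;10.1.2.3;8.8.8.8;dns;query=www.example.com",
    "3Dec2020 14:07:45;accept;10.1.2.9;54.193.127.66;https;"
    "dst_host=appsync-api.eu-west-1.avsvmcloud.com",
    "4Dec2020 02:30:10;drop;10.1.5.4;93.184.216.34;https;dst_host=cdn.example.org",
    "6Dec2020 11:00:00;accept;10.1.2.9;203.0.113.7;http;url=http://notavsvmcloud.com/x",
    "7Dec2020 18:45:22;alert;10.1.2.9;203.0.113.8;threat;name=Trojan.Sunburst.Backdoor",
]

if __name__ == "__main__":
    for number, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}\n  {line}")
```

The fourth sample line shows the difference from the free-text query: notavsvmcloud.com contains the string avsvmcloud.com but is neither that domain nor a subdomain of it, so the script does not flag it. Replace SAMPLE_LOG with the lines of a real export and review every reported line by hand before contacting anyone.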

Also attached is a report you can run in SmartLog. How to use the report:

  1. Download & virus scan the file - trust no one
  2. Extract the Sunburst_Attack_update24_12_20.cpr file to your desktop
  3. Import the report into the SmartView application (SmartConsole or Web)
  4. Go to the Report tab
  5. Double click on the report and set the query time range to start from 1.12.2020

The report was downloaded and attached to this blog on 25/12/2020 and is up to date as of that point. You can check the following link for bug fixes, information or further updates; you will require a Checkpoint signon to do so:

https://community.checkpoint.com/t5/SmartEvent/Sunburst-Report/m-p/106253/thread-id/12

Click here to download the Sunburst.7z file.

Posted in Checkpoint on Dec 25, 2020