Ensuring customers are protected from Solorigate

Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from a legitimate software. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices. On Sunday, December 13, Microsoft released detections that alerted customers to the presence of these malicious binaries, with the recommendation to isolate and investigate the devices.

It is important to understand that these binaries represent a significant threat to customer environments. Customers should consider any device with the binary as compromised and should already be investigating devices with this alert. Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices:

  1. Immediately isolate the affected device. If has been launched, it is likely that the device is under complete attacker control.
  2. Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
  3. Investigate how the affected endpoint might have been compromised.
  4. Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.

If service interruption is not possible, customers must take the action below to exclude SolarWinds binaries. This should be a temporary change that you should revert as soon as you update binaries from the provider or complete your investigation.

For Microsoft Defender Antivirus via GPO Instructions:

PATH: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus (or Windows Defender Antivirus) > Threats > Specify threat alert levels at which default action should not be taken when detected.

Value name: 2147771206

Value: 6

For SCEP via instructions:

PATH: Computer Configuration > Administrative Templates > Windows Components > Endpoint Protection > Threats > Specify threat alert levels at which default action should not be taken when detected.

Value name: 2147771206

Value: 6

Note: If you don't see the “Endpoint Protection” section, see: Manage Endpoint Protection using Group Policies – Configuration Manager | Microsoft Docs

For Microsoft Defender Antivirus and SCEP via SCCM Instructions:

PATH: Assets and Compliance, Endpoint Protection > Antimalware Policies > Threat overrides > Enter Threat name: :MSIL/Solorigate.BR!dha

PATH: Assets and Compliance, Endpoint Protection > Antimalware PoliciesThreat overrides > Enter Threat name: :MSIL/Solorigate.BR!dha

Override action: Allow

For MDAV via MEM using PowerShell Instructions:

  1.  Create a PowerShell script with the following content:

Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

  1. Name the script as follows: Allow_SolarWinds.ps1
  2. Save it to a temporary location, such as C:Temp.
  3. Go to https://endpoint.microsoft.com and sign in.
  4. Browse to Devices > Windows > PowerShell .
  5. Select +Add, and then specify the following settings:

Name: Allow SolarWinds temporarily

Description: Allow SolarWinds temporarily while patching

  1. Select Next, and then browse to where you saved the PowerShell script (for example, C:TempAllow_SolarWinds.ps1).
  2. Run the script using the following settings:

Run this script using the logged on credentials: No

Enforce script signature check: No

Run script in 64-bit PowerShell Host: Yes

  1. Select Next.
  2. For Scope tag, use .
  3. Select Next.
  4. For assignment, choose Select groups to include, and then select the security group that has your Windows 10 devices.
  5. Choose Select, and then choose Next.
  6. Review your settings, and then select Add.

Note: For MEM (Intune) PowerShell script , review: C:ProgramDataMicrosoft Intune Management ExtensionLogsIntuneManagementExtension.log

For manual Microsoft Defender Antivirus via PowerShell Instructions:

Launch PowerShell as Admin

Set-MpPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

For manual SCEP via PowerShell Instructions:

Launch PowerShell as Admin

Import-Module “$env:ProgramFilesMicrosoft Security ClientMpProviderMpProvider.psd1”

Set-MProtPreference -ThreatIDDefaultAction_Ids 2147771206 -ThreatIDDefaultAction_Actions 6

For Automatic remediation exclusions:

Go to Settings > IndicatorsFile Hashes, and add the specific file hashes for the affected DLLs, select response action as Allow and Save.

Alternate exclusion option by path:

C:Program Files (x86)SolarWindsOrion

            OR

Note: If you configure exclusions based on folder location, make sure you remove this exclusion AS SOON AS POSSIBLE after you get remediated binaries from the vendor. Otherwise, you are leaving a place on your devices for future attacks.

Note for Microsoft Defender Antivirus in passive mode:

  • If EDR in block mode is enabled and Microsoft Defender AV is in passive mode with third-party antivirus product, Microsoft Defender Antivirus will take action if not excluded per instructions provided
  • If EDR in block mode is not enabled and Microsoft Defender Antivirus is in passive mode with third-party antivirus product, Microsoft Defender Antivirus will alert but no remediation action will take place.

Microsoft has been communicating with SolarWinds regarding this incident. SolarWinds has released updates to help customers mitigate this issue and has provided further customer recommendations and updated binaries for their product. More information is available at https://www.solarwinds.com/securityadvisory.

For more information and guidance from Microsoft, read:

The post Ensuring customers are protected from Solorigate appeared first on Microsoft Security.

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.