From 32a44ecde6804fdba5e9fc80646814b3fae9356b Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Feb 2026 14:31:21 +0100 Subject: [PATCH 01/15] solarwinds_expl --- .../disable_defender_antivirus_registry.yml | 5 +++-- ...able_defender_blockatfirstseen_feature.yml | 5 +++-- .../disable_windows_behavior_monitoring.yml | 5 +++-- ...s_powershell_process___encoded_command.yml | 5 +++-- ...eduled_task_deleted_or_created_via_cmd.yml | 5 +++-- ...ution_policy_to_unrestricted_or_bypass.yml | 5 +++-- ...system_information_discovery_detection.yml | 5 +++-- ..._tool_execution_from_non_shell_process.yml | 5 +++-- .../windows_disableantispyware_registry.yml | 5 +++-- .../windows_file_download_via_powershell.yml | 5 +++-- .../windows_group_discovery_via_net.yml | 5 +++-- ...ttp_network_communication_from_msiexec.yml | 5 +++-- ...stry_disable_windefender_notifications.yml | 5 +++-- .../windows_msiexec_remote_download.yml | 5 +++-- ...ows_process_execution_from_programdata.yml | 5 +++-- ...scheduled_task_with_highest_privileges.yml | 5 +++-- ...scheduled_task_with_suspicious_command.yml | 5 +++-- ..._service_creation_using_registry_entry.yml | 5 +++-- ...ws_task_scheduler_event_action_started.yml | 5 +++-- stories/solarwinds_active_exploitation.yml | 21 +++++++++++++++++++ 20 files changed, 78 insertions(+), 38 deletions(-) create mode 100644 stories/solarwinds_active_exploitation.yml diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index c58c85a830..bf2cd19f8a 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -1,7 +1,7 @@ name: Disable Defender AntiVirus Registry id: aa4f695a-3024-11ec-9987-acde48001122 -version: 13 -date: '2025-05-02' +version: 14 +date: '2026-02-09' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP 
@@ -58,6 +58,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Windows Registry Abuse - CISA AA24-241A - IcedID diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index 4cb606226c..deb90877a9 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -1,7 +1,7 @@ name: Disable Defender BlockAtFirstSeen Feature id: 2dd719ac-3021-11ec-97b4-acde48001122 -version: 11 -date: '2025-05-02' +version: 12 +date: '2026-02-09' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -56,6 +56,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Azorult - CISA AA23-347A - IcedID diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 7f194c39fc..35c819c51e 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -1,7 +1,7 @@ name: Disable Windows Behavior Monitoring id: 79439cae-9200-11eb-a4d3-acde48001122 -version: 18 -date: '2026-01-20' +version: 19 +date: '2026-02-09' author: Teoderick Contreras, Splunk, Steven Dick status: production type: TTP @@ -59,6 +59,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Windows Defense Evasion Tactics - CISA AA23-347A - Revil Ransomware diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml index 16dfa5d218..5785757046 100644 --- a/detections/endpoint/malicious_powershell_process___encoded_command.yml +++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml 
@@ -1,7 +1,7 @@ name: Malicious PowerShell Process - Encoded Command id: c4db14d9-7909-48b4-a054-aa14d89dbb19 -version: 18 -date: '2025-10-24' +version: 19 +date: '2026-02-09' author: David Dorsey, Michael Haag, Splunk, SirDuckly, GitHub Community status: production type: Hunting @@ -48,6 +48,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ tags: analytic_story: + - SolarWinds Active Exploitation - CISA AA22-320A - Hermetic Wiper - Sandworm Tools diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml index b1f9307a3b..6c3b662384 100644 --- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml +++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml @@ -1,7 +1,7 @@ name: Scheduled Task Deleted Or Created via CMD id: d5af132c-7c17-439c-9d31-13d55340f36c -version: 23 -date: '2025-12-10' +version: 24 +date: '2026-02-09' author: Bhavin Patel, Splunk status: production type: TTP @@ -74,6 +74,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - ShrinkLocker - AgentTesla - CISA AA24-241A diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml index 571aefe081..36712ba154 100644 --- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml +++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml @@ -1,7 +1,7 @@ name: Set Default PowerShell Execution Policy To Unrestricted or Bypass id: c2590137-0b08-4985-9ec5-6ae23d92f63d -version: 18 -date: '2026-01-30' +version: 19 +date: '2026-02-09' author: Steven Dick, Patrick Bareiss, Splunk status: production type: TTP 
@@ -62,6 +62,7 @@ rba: type: registry_path tags: analytic_story: + - SolarWinds Active Exploitation - HAFNIUM Group - Hermetic Wiper - Credential Dumping diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml index dd7f00d69d..853b6dc0c7 100644 --- a/detections/endpoint/system_information_discovery_detection.yml +++ b/detections/endpoint/system_information_discovery_detection.yml @@ -1,7 +1,7 @@ name: System Information Discovery Detection id: 8e99f89e-ae58-4ebc-bf52-ae0b1a277e72 -version: 12 -date: '2025-11-20' +version: 13 +date: '2026-02-09' author: Patrick Bareiss, Splunk status: production type: TTP @@ -76,6 +76,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Windows Discovery Techniques - Gozi Malware - Medusa Ransomware diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index 2897aff8a0..7dc856925c 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -1,7 +1,7 @@ name: Windows Cmdline Tool Execution From Non-Shell Process id: 2afa393f-b88d-41b7-9793-623c93a2dfde -version: 8 -date: '2025-12-04' +version: 9 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -92,6 +92,7 @@ tags: - FIN7 - Water Gamayun - Tuoni + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1059.007 diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml index 5459705433..5121f62b96 100644 --- a/detections/endpoint/windows_disableantispyware_registry.yml +++ b/detections/endpoint/windows_disableantispyware_registry.yml 
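Review bot: The new `SolarWinds Active Exploitation` entry is appended as the last item of `analytic_story` in the windows_cmdline_tool_execution_from_non_shell_process hunk, while every other hunk in this patch inserts it as the first item (see disable_defender_antivirus_registry and system_information_discovery_detection above); the same end-of-list placement recurs in windows_file_download_via_powershell, windows_http_network_communication_from_msiexec, windows_modify_registry_disable_windefender_notifications, windows_msiexec_remote_download and both windows_unsigned_dll_side_loading files. Pick one placement for the whole series; appending is the safer choice because it leaves the existing order of the other stories untouched and keeps each diff minimal.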
@@ -1,7 +1,7 @@ name: Windows DisableAntiSpyware Registry id: 23150a40-9301-4195-b802-5bb4f43067fb -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-02-09' author: Rod Soto, Jose Hernandez, Michael Haag, Splunk status: production type: TTP @@ -55,6 +55,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Azorult - Ryuk Ransomware - Windows Registry Abuse diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index 861f4551c6..1cc64e49a9 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -1,7 +1,7 @@ name: Windows File Download Via PowerShell id: 58c4e56c-b5b8-46a3-b5fb-6537dca3c6de -version: 6 -date: '2025-12-16' +version: 7 +date: '2026-02-09' author: Michael Haag, Nasreddine Bencherchali, Splunk status: production type: Anomaly @@ -109,6 +109,7 @@ tags: - XWorm - Tuoni - StealC Stealer + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml index a989331cef..f8bf210051 100644 --- a/detections/endpoint/windows_group_discovery_via_net.yml +++ b/detections/endpoint/windows_group_discovery_via_net.yml @@ -1,7 +1,7 @@ name: Windows Group Discovery Via Net id: c5c8e0f3-147a-43da-bf04-4cfaec27dc44 -version: 5 -date: '2025-10-24' +version: 6 +date: '2026-02-09' author: Michael Haag, Mauricio Velazco, Splunk status: production type: Hunting @@ -45,6 +45,7 @@ references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ tags: analytic_story: + - SolarWinds Active Exploitation - Windows Discovery Techniques - Windows Post-Exploitation - Graceful Wipe Out Attack 
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 74e01c813c..9a89ba3778 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml @@ -1,7 +1,7 @@ name: Windows HTTP Network Communication From MSIExec id: b0fd38c7-f71a-43a2-870e-f3ca06bcdd99 -version: 7 -date: '2025-09-16' +version: 8 +date: '2026-02-09' author: Michael Haag, Splunk status: production type: Anomaly @@ -86,6 +86,7 @@ tags: - Windows System Binary Proxy Execution MSIExec - Water Gamayun - Cisco Network Visibility Module Analytics + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1218.007 diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index c2c90cb545..9b852774f1 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml @@ -1,7 +1,7 @@ name: Windows Modify Registry Disable WinDefender Notifications id: 8e207707-ad40-4eb3-b865-3a52aec91f26 -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: TTP @@ -62,6 +62,7 @@ tags: analytic_story: - CISA AA23-347A - RedLine Stealer + - SolarWinds Active Exploitation asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index c9bbaa82e8..96f29b8be8 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml 
@@ -1,7 +1,7 @@ name: Windows MSIExec Remote Download id: 6aa49ff2-3c92-4586-83e0-d83eb693dfda -version: 12 -date: '2025-12-16' +version: 13 +date: '2026-02-09' author: Michael Haag, Splunk status: production type: TTP @@ -84,6 +84,7 @@ tags: - Water Gamayun - Cisco Network Visibility Module Analytics - StealC Stealer + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1218.007 diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml index 92cf87ea08..29facf8efa 100644 --- a/detections/endpoint/windows_process_execution_from_programdata.yml +++ b/detections/endpoint/windows_process_execution_from_programdata.yml @@ -1,7 +1,7 @@ name: Windows Process Execution From ProgramData id: 237016fa-d8e6-47b4-80f9-70c4d42c72c0 -version: 6 -date: '2026-01-13' +version: 7 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -50,6 +50,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ tags: analytic_story: + - SolarWinds Active Exploitation - StealC Stealer - SnappyBee - XWorm diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 90e991fb8f..c7718b8573 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Highest Privileges id: 2f15e1a4-0fc2-49dd-919e-cbbe60699218 -version: 12 -date: '2025-11-20' +version: 13 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: TTP @@ -67,6 +67,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - XWorm - CISA AA23-347A - Scheduled Tasks 
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml index af01444771..527a3b7ad4 100644 --- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml +++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml @@ -1,7 +1,7 @@ name: Windows Scheduled Task with Suspicious Command id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3 -version: 5 -date: '2025-09-18' +version: 6 +date: '2026-02-09' author: Steven Dick status: production type: TTP @@ -73,6 +73,7 @@ rba: type: signature tags: analytic_story: + - SolarWinds Active Exploitation - Scheduled Tasks - Ransomware - Quasar RAT diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index c1f2466404..ca43feb25e 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml @@ -1,7 +1,7 @@ name: Windows Service Creation Using Registry Entry id: 25212358-948e-11ec-ad47-acde48001122 -version: 15 -date: '2025-05-02' +version: 16 +date: '2026-02-09' author: Teoderick Contreras, Splunk, Steven Dick status: production type: Anomaly @@ -54,6 +54,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - PlugX - CISA AA23-347A - China-Nexus Threat Activity diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index 4ea5b06026..08beebaf23 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml 
@@ -1,7 +1,7 @@
 name: WinEvent Windows Task Scheduler Event Action Started
 id: b3632472-310b-11ec-9aab-acde48001122
-version: 11
-date: '2025-12-10'
+version: 12
+date: '2026-02-09'
 author: Michael Haag, Splunk
 status: production
 type: Hunting
@@ -30,6 +30,7 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 tags:
 analytic_story:
+ - SolarWinds Active Exploitation
 - IcedID
 - BlackSuit Ransomware
 - Windows Persistence Techniques
diff --git a/stories/solarwinds_active_exploitation.yml b/stories/solarwinds_active_exploitation.yml
new file mode 100644
index 0000000000..a86e56f3be
--- /dev/null
+++ b/stories/solarwinds_active_exploitation.yml
@@ -0,0 +1,21 @@
+name: SolarWinds Active Exploitation
+id: 8d6080bf-bb29-4569-94dd-e4c797569c48
+version: 1
+date: '2026-02-09'
+author: Teoderick Contreras, Splunk
+status: production
+description: CVE-2025-26399 is a critical remote code execution vulnerability in SolarWinds Web Help Desk caused by insecure deserialization in the AjaxProxy component. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable, internet-exposed systems with high privileges. Because Web Help Desk often runs with elevated access and integrates into internal IT environments, successful exploitation provides a direct entry point into enterprise networks.
+narrative: Threat actors actively exploit this vulnerability by scanning for exposed Web Help Desk instances and delivering crafted payloads to gain execution. Following initial access, attackers quickly deploy legitimate remote management and forensic tools to establish persistence and interactive control. This enables reconnaissance, credential access, and potential lateral movement, demonstrating a fast transition from exploitation to hands-on intrusion.
+references:
+- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
+- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
+tags:
+ category:
+ - Data Destruction
+ - Malware
+ - Adversary Tactics
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ usecase: Advanced Threat Detection
\ No newline at end of file
From 3d62b28e35ab6f89b06d4dad43afde24c5654118 Mon Sep 17 00:00:00 2001
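Review bot: The `category` list of the new story tags `Data Destruction`, but neither `description` nor `narrative` describes any destructive activity — the narrative covers initial access, persistence, reconnaissance, credential access and lateral movement — so either drop that entry or add a sentence to `narrative` naming the destructive behaviour that is expected. The narrative's statement that attackers "deploy legitimate remote management and forensic tools" is not backed by any detection mapped to this story in the patches shown here (they cover Defender tampering, scheduled tasks, msiexec activity, discovery commands and DLL side-loading; only the msiexec download analytics touch it indirectly), so a reader pivoting from the story will not find that stage; consider mapping an RMM-related analytic or stating the gap in `narrative`. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint's `new-line-at-end-of-file` rule will flag.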
From: Teoderick Contreras Date: Mon, 9 Feb 2026 14:37:43 +0100 Subject: [PATCH 02/15] solarwinds_expl --- .../windows_cmdline_tool_execution_from_non_shell_process.yml | 2 +- detections/endpoint/windows_file_download_via_powershell.yml | 2 +- .../windows_http_network_communication_from_msiexec.yml | 2 +- ...indows_modify_registry_disable_windefender_notifications.yml | 2 +- detections/endpoint/windows_msiexec_remote_download.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml index 7dc856925c..cb29bdddc0 100644 --- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml +++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml @@ -92,7 +92,7 @@ tags: - FIN7 - Water Gamayun - Tuoni - - SolarWinds Active Exploitation + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1059.007 diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index 1cc64e49a9..6feff3e7f4 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -109,7 +109,7 @@ tags: - XWorm - Tuoni - StealC Stealer - - SolarWinds Active Exploitation + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1059.001 diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 9a89ba3778..0e89b338a8 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml 
@@ -86,7 +86,7 @@ tags: - Windows System Binary Proxy Execution MSIExec - Water Gamayun - Cisco Network Visibility Module Analytics - - SolarWinds Active Exploitation + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1218.007 diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index 9b852774f1..e818cfef35 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml @@ -62,7 +62,7 @@ tags: analytic_story: - CISA AA23-347A - RedLine Stealer - - SolarWinds Active Exploitation + - SolarWinds Active Exploitation asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index 96f29b8be8..55dffc5817 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml +++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -84,7 +84,7 @@ tags: - Water Gamayun - Cisco Network Visibility Module Analytics - StealC Stealer - - SolarWinds Active Exploitation + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1218.007 From ae9fe34db8bfabad0ec3cbdc71b674d6cf536fe9 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Feb 2026 19:22:58 +0100 Subject: [PATCH 03/15] solarwinds_expl --- .../suspicious_scheduled_task_from_public_directory.yml | 5 +++-- .../endpoint/windows_schtasks_create_run_as_system.yml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml index 58fc0587f8..5aa9bb47c9 100644 --- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml 
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml @@ -1,7 +1,7 @@ name: Suspicious Scheduled Task from Public Directory id: 7feb7972-7ac3-11eb-bac8-acde48001122 -version: 17 -date: '2025-11-20' +version: 18 +date: '2026-02-09' author: Michael Haag, Splunk status: production type: Anomaly @@ -70,6 +70,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - XWorm - Medusa Ransomware - CISA AA23-347A diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index 4fcc6ea990..b364abb1b2 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -1,7 +1,7 @@ name: Windows Schtasks Create Run As System id: 41a0e58e-884c-11ec-9976-acde48001122 -version: 10 -date: '2025-12-18' +version: 11 +date: '2026-02-09' author: Michael Haag, Splunk status: production type: TTP @@ -75,6 +75,7 @@ rba: type: process_name tags: analytic_story: + - SolarWinds Active Exploitation - Medusa Ransomware - Windows Persistence Techniques - Qakbot From f410bd14e0c39523bf398f61087a4faf31569d04 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Feb 2026 19:31:50 +0100 Subject: [PATCH 04/15] solarwinds_expl --- .../endpoint/windows_dll_module_loaded_in_temp_dir.yml | 5 +++-- .../windows_hijack_execution_flow_version_dll_side_load.yml | 5 +++-- .../windows_known_abused_dll_loaded_suspiciously.yml | 5 +++-- detections/endpoint/windows_unsigned_dll_side_loading.yml | 5 +++-- 4 files changed, 12 insertions(+), 8 deletions(-) diff --git a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml index 2ef946cc99..83fca54416 100644 --- a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml +++ b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml 
@@ -1,7 +1,7 @@ name: Windows DLL Module Loaded in Temp Dir id: c2998141-235a-4e31-83cf-46afb5208a87 -version: 3 -date: '2026-01-14' +version: 4 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: Hunting @@ -37,6 +37,7 @@ references: - https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/ tags: analytic_story: + - SolarWinds Active Exploitation - Interlock Rat - Lokibot asset_type: Endpoint diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index ee1aed0a14..4d87da9ff7 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -1,7 +1,7 @@ name: Windows Hijack Execution Flow Version Dll Side Load id: 8351340b-ac0e-41ec-8b07-dd01bf32d6ea -version: 10 -date: '2026-01-14' +version: 11 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -51,6 +51,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Brute Ratel C4 - XWorm - Malicious Inno Setup Loader diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml index eb35525617..0777bfeb44 100644 --- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml +++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml @@ -1,7 +1,7 @@ name: Windows Known Abused DLL Loaded Suspiciously id: dd6d1f16-adc0-4e87-9c34-06189516b803 -version: 8 -date: '2025-05-02' +version: 9 +date: '2026-02-09' author: Steven Dick status: production type: TTP @@ -60,6 +60,7 @@ rba: threat_objects: [] tags: analytic_story: + - SolarWinds Active Exploitation - Windows Defense Evasion Tactics - Living Off The Land asset_type: Endpoint 
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index 153cd86371..b56fdbd14e 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -1,7 +1,7 @@ name: Windows Unsigned DLL Side-Loading id: 5a83ce44-8e0f-4786-a775-8249a525c879 -version: 11 -date: '2025-05-02' +version: 12 +date: '2026-02-09' author: Teoderick Contreras, Splunk status: production type: Anomaly @@ -64,6 +64,7 @@ tags: - Salt Typhoon - NjRAT - Earth Alux + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1574.001 From 551048b8dbc4c22c794808583048c1066b65db3b Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Mon, 9 Feb 2026 19:38:02 +0100 Subject: [PATCH 05/15] solarwinds_expl --- detections/endpoint/windows_unsigned_dll_side_loading.yml | 2 +- ...indows_unsigned_dll_side_loading_in_same_process_path.yml | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index b56fdbd14e..d5f288f2d0 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -64,7 +64,7 @@ tags: - Salt Typhoon - NjRAT - Earth Alux - - SolarWinds Active Exploitation + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1574.001 diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 63fa4b6865..cb52a40c9c 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml 
@@ -1,7 +1,7 @@ name: Windows Unsigned DLL Side-Loading In Same Process Path id: 3cf85c02-f9d6-4186-bf3c-e70ee99fbc7f -version: 16 -date: '2026-01-14' +version: 17 +date: '2026-02-09' author: Teoderick Contreras, Splunk type: TTP status: production @@ -67,6 +67,7 @@ tags: - SnappyBee - NailaoLocker Ransomware - Lokibot + - SolarWinds Active Exploitation asset_type: Endpoint mitre_attack_id: - T1574.001 From 79a8ed5bfc2ae1fd808e7a7f3176a7fed723c1f8 Mon Sep 17 00:00:00 2001 
From: Teoderick Contreras Date: Tue, 17 Feb 2026 12:18:40 +0100 Subject: [PATCH 06/15] solarwinds_expl --- detections/endpoint/disable_defender_antivirus_registry.yml | 5 ++++- .../endpoint/disable_defender_blockatfirstseen_feature.yml | 5 ++++- detections/endpoint/disable_windows_behavior_monitoring.yml | 5 ++++- .../malicious_powershell_process___encoded_command.yml | 5 ++++- .../endpoint/scheduled_task_deleted_or_created_via_cmd.yml | 5 ++++- ...powershell_execution_policy_to_unrestricted_or_bypass.yml | 5 ++++- .../suspicious_scheduled_task_from_public_directory.yml | 5 ++++- .../endpoint/system_information_discovery_detection.yml | 5 ++++- ...windows_cmdline_tool_execution_from_non_shell_process.yml | 5 ++++- detections/endpoint/windows_disableantispyware_registry.yml | 5 ++++- .../endpoint/windows_dll_module_loaded_in_temp_dir.yml | 5 ++++- detections/endpoint/windows_file_download_via_powershell.yml | 5 ++++- detections/endpoint/windows_group_discovery_via_net.yml | 5 ++++- .../windows_hijack_execution_flow_version_dll_side_load.yml | 5 ++++- .../windows_http_network_communication_from_msiexec.yml | 5 ++++- .../windows_known_abused_dll_loaded_suspiciously.yml | 5 ++++- ...ows_modify_registry_disable_windefender_notifications.yml | 5 ++++- detections/endpoint/windows_msiexec_remote_download.yml | 5 ++++- .../endpoint/windows_process_execution_from_programdata.yml | 5 ++++- .../windows_scheduled_task_with_highest_privileges.yml | 5 ++++- .../windows_scheduled_task_with_suspicious_command.yml | 5 ++++- .../endpoint/windows_schtasks_create_run_as_system.yml | 5 ++++- .../windows_service_creation_using_registry_entry.yml | 5 ++++- detections/endpoint/windows_unsigned_dll_side_loading.yml | 5 ++++- ...indows_unsigned_dll_side_loading_in_same_process_path.yml | 5 ++++- .../winevent_windows_task_scheduler_event_action_started.yml | 5 ++++- ..._exploitation.yml => solarwinds_whd_rce_exploitation.yml} | 2 +- 27 files changed, 105 insertions(+), 27 deletions(-) rename 
stories/{solarwinds_active_exploitation.yml => solarwinds_whd_rce_exploitation.yml} (97%) diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml index bf2cd19f8a..b974b4897f 100644 --- a/detections/endpoint/disable_defender_antivirus_registry.yml +++ b/detections/endpoint/disable_defender_antivirus_registry.yml @@ -58,7 +58,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds Active Exploitation + - SolarWinds WHD RCE Exploitation - Windows Registry Abuse - CISA AA24-241A - IcedID @@ -72,6 +72,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint + cve: + - CVE-2025-40551 + - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml index deb90877a9..0a61368ef5 100644 --- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml +++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml @@ -56,7 +56,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds Active Exploitation + - SolarWinds WHD RCE Exploitation - Azorult - CISA AA23-347A - IcedID @@ -69,6 +69,9 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint + cve: + - CVE-2025-40551 + - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml index 35c819c51e..901fa980bd 100644 --- a/detections/endpoint/disable_windows_behavior_monitoring.yml +++ b/detections/endpoint/disable_windows_behavior_monitoring.yml @@ -59,7 +59,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds Active Exploitation + - SolarWinds WHD RCE Exploitation - Windows Defense Evasion Tactics - CISA AA23-347A - Revil Ransomware 
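Review bot: The `cve` block added under `tags` attaches CVE-2025-40551 and CVE-2025-26399 to an analytic that watches Defender registry tampering, not Web Help Desk itself, so consumers who filter detections by CVE will receive post-exploitation endpoint analytics that cannot confirm exploitation of either CVE; if the field is meant as "observed during post-exploitation of", say so in the detection's `description`, otherwise reserve the CVE tag for an analytic that inspects WHD (AjaxProxy) activity. CVE-2025-40551 is also absent from the story created in patch 01 (its `description` names only CVE-2025-26399), and judging from the diffstat the rename in this patch changes a single line, so the story should list or explain both CVEs before detections are tagged with them. The same block is added in the hunks for disable_defender_blockatfirstseen_feature, disable_windows_behavior_monitoring, malicious_powershell_process___encoded_command, scheduled_task_deleted_or_created_via_cmd, set_default_powershell_execution_policy_to_unrestricted_or_bypass, suspicious_scheduled_task_from_public_directory and system_information_discovery_detection below. These files are modified again here without a `version`/`date` bump (still `'2026-02-09'` from patch 01 while this patch is dated 17 Feb); that is probably acceptable inside one unreleased series, but worth confirming against the project's versioning rule.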
@@ -80,6 +80,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 5785757046..71271e03e6 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -48,7 +48,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - CISA AA22-320A
 - Hermetic Wiper
 - Sandworm Tools
@@ -73,6 +73,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index 6c3b662384..e49b932e2b 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -74,7 +74,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - ShrinkLocker
 - AgentTesla
 - CISA AA24-241A
@@ -120,6 +120,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index 36712ba154..9794b38090 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -62,7 +62,7 @@ rba:
 type: registry_path
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - HAFNIUM Group
 - Hermetic Wiper
 - Credential Dumping
@@ -78,6 +78,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index 5aa9bb47c9..9e113e8035 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -70,7 +70,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - XWorm
 - Medusa Ransomware
 - CISA AA23-347A
@@ -100,6 +100,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index 853b6dc0c7..7a0495170e 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -76,7 +76,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Windows Discovery Techniques
 - Gozi Malware
 - Medusa Ransomware
@@ -93,6 +93,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index cb29bdddc0..c79a05e336 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -92,7 +92,7 @@ tags:
 - FIN7
 - Water Gamayun
 - Tuoni
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.007
@@ -101,6 +101,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index 5121f62b96..b5ab86103d 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -55,7 +55,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Azorult
 - Ryuk Ransomware
 - Windows Registry Abuse
@@ -71,6 +71,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml
index 83fca54416..c2fb8782c5 100644
--- a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml
+++ b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml
@@ -37,7 +37,7 @@ references:
 - https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Interlock Rat
 - Lokibot
 asset_type: Endpoint
@@ -48,6 +48,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml
index 6feff3e7f4..b20265a280 100644
--- a/detections/endpoint/windows_file_download_via_powershell.yml
+++ b/detections/endpoint/windows_file_download_via_powershell.yml
@@ -109,7 +109,7 @@ tags:
 - XWorm
 - Tuoni
 - StealC Stealer
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.001
@@ -119,6 +119,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test - Sysmon
 attack_data:
diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml
index f8bf210051..f10aae4a7e 100644
--- a/detections/endpoint/windows_group_discovery_via_net.yml
+++ b/detections/endpoint/windows_group_discovery_via_net.yml
@@ -45,7 +45,7 @@ references:
 - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Windows Discovery Techniques
 - Windows Post-Exploitation
 - Graceful Wipe Out Attack
@@ -67,6 +67,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
index 4d87da9ff7..80e4d39f06 100644
--- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
+++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
@@ -51,7 +51,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Brute Ratel C4
 - XWorm
 - Malicious Inno Setup Loader
@@ -63,6 +63,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
index 0e89b338a8..9649b87171 100644
--- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml
+++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -86,7 +86,7 @@ tags:
 - Windows System Binary Proxy Execution MSIExec
 - Water Gamayun
 - Cisco Network Visibility Module Analytics
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1218.007
@@ -95,6 +95,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test - Sysmon
 attack_data:
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
index 0777bfeb44..b0db3a5c5b 100644
--- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
+++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -60,7 +60,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Windows Defense Evasion Tactics
 - Living Off The Land
 asset_type: Endpoint
@@ -71,6 +71,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
index e818cfef35..4de10cee46 100644
--- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
+++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -62,7 +62,7 @@ tags:
 analytic_story:
 - CISA AA23-347A
 - RedLine Stealer
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 atomic_guid:
 - 12e03af7-79f9-4f95-af48-d3f12f28a260
@@ -73,6 +73,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
index 55dffc5817..117df18291 100644
--- a/detections/endpoint/windows_msiexec_remote_download.yml
+++ b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -84,7 +84,7 @@ tags:
 - Water Gamayun
 - Cisco Network Visibility Module Analytics
 - StealC Stealer
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1218.007
@@ -93,6 +93,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test - Sysmon
 attack_data:
diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml
index 29facf8efa..a469d5d327 100644
--- a/detections/endpoint/windows_process_execution_from_programdata.yml
+++ b/detections/endpoint/windows_process_execution_from_programdata.yml
@@ -50,7 +50,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - StealC Stealer
 - SnappyBee
 - XWorm
@@ -66,6 +66,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
index c7718b8573..467855b918 100644
--- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
+++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -67,7 +67,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - XWorm
 - CISA AA23-347A
 - Scheduled Tasks
@@ -85,6 +85,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
index 527a3b7ad4..1854589673 100644
--- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
+++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
@@ -73,7 +73,7 @@ rba:
 type: signature
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Scheduled Tasks
 - Ransomware
 - Quasar RAT
@@ -89,6 +89,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
index b364abb1b2..ff0500b6e1 100644
--- a/detections/endpoint/windows_schtasks_create_run_as_system.yml
+++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -75,7 +75,7 @@ rba:
 type: process_name
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - Medusa Ransomware
 - Windows Persistence Techniques
 - Qakbot
@@ -89,6 +89,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
index ca43feb25e..6d4e5cf545 100644
--- a/detections/endpoint/windows_service_creation_using_registry_entry.yml
+++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -54,7 +54,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - PlugX
 - CISA AA23-347A
 - China-Nexus Threat Activity
@@ -75,6 +75,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
index d5f288f2d0..af91d02dcd 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -64,7 +64,7 @@ tags:
 - Salt Typhoon
 - NjRAT
 - Earth Alux
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1574.001
@@ -73,6 +73,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
index cb52a40c9c..4188c12893 100644
--- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
+++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
@@ -67,7 +67,7 @@ tags:
 - SnappyBee
 - NailaoLocker Ransomware
 - Lokibot
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1574.001
@@ -76,6 +76,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index 08beebaf23..956849171a 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -30,7 +30,7 @@ references:
 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
 tags:
 analytic_story:
- - SolarWinds Active Exploitation
+ - SolarWinds WHD RCE Exploitation
 - IcedID
 - BlackSuit Ransomware
 - Windows Persistence Techniques
@@ -59,6 +59,9 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
+ cve:
+ - CVE-2025-40551
+ - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/stories/solarwinds_active_exploitation.yml b/stories/solarwinds_whd_rce_exploitation.yml
similarity index 97%
rename from stories/solarwinds_active_exploitation.yml
rename to stories/solarwinds_whd_rce_exploitation.yml
index a86e56f3be..120040593a 100644
--- a/stories/solarwinds_active_exploitation.yml
+++ b/stories/solarwinds_whd_rce_exploitation.yml
@@ -1,4 +1,4 @@
-name: SolarWinds Active Exploitation
+name: SolarWinds WHD RCE Exploitation
 id: 8d6080bf-bb29-4569-94dd-e4c797569c48
 version: 1
 date: '2026-02-09'
From b6dbde3ccb0ad20acb690fb4711ad56660cce93c Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:25:53 +0100
Subject: [PATCH 07/15] Update stories/solarwinds_whd_rce_exploitation.yml
Co-authored-by: Nasreddine Bencherchali
---
 stories/solarwinds_whd_rce_exploitation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/stories/solarwinds_whd_rce_exploitation.yml b/stories/solarwinds_whd_rce_exploitation.yml
index 120040593a..d9ec7565c0 100644
--- a/stories/solarwinds_whd_rce_exploitation.yml
+++ b/stories/solarwinds_whd_rce_exploitation.yml
@@ -18,4 +18,4 @@ tags:
 - Splunk Enterprise
 - Splunk Enterprise Security
 - Splunk Cloud
- usecase: Advanced Threat Detection
\ No newline at end of file
+ usecase: Advanced Threat Detection
From 827a5d4c96d2e472441545b2f69140a78d538352 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:26:13 +0100
Subject: [PATCH 08/15] Update detections/endpoint/disable_defender_antivirus_registry.yml
Co-authored-by: Nasreddine Bencherchali
---
 detections/endpoint/disable_defender_antivirus_registry.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index b974b4897f..cca2c5afc5 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -72,9 +72,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From eed24be3a325c50e35968157ebefd4106b945f70 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:26:23 +0100
Subject: [PATCH 09/15] Update detections/endpoint/disable_defender_blockatfirstseen_feature.yml
Co-authored-by: Nasreddine Bencherchali
---
 .../endpoint/disable_defender_blockatfirstseen_feature.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 0a61368ef5..8803a9957f 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -69,9 +69,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From bc21471c194374793f3741dcfcf7c2f55e8ccd76 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:26:32 +0100
Subject: [PATCH 10/15] Update detections/endpoint/disable_windows_behavior_monitoring.yml
Co-authored-by: Nasreddine Bencherchali
---
 detections/endpoint/disable_windows_behavior_monitoring.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 901fa980bd..1ec15d5d9b 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -80,9 +80,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From 61f4118a0a7c83244496146129d8fa7a63c46097 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:26:40 +0100
Subject: [PATCH 11/15] Update detections/endpoint/malicious_powershell_process___encoded_command.yml
Co-authored-by: Nasreddine Bencherchali
---
 .../malicious_powershell_process___encoded_command.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 71271e03e6..53661c08d0 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -73,9 +73,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From 47de920552ad70334f14f4ce42af582d9d4c2496 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:26:50 +0100
Subject: [PATCH 12/15] Update detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
Co-authored-by: Nasreddine Bencherchali
---
 .../endpoint/scheduled_task_deleted_or_created_via_cmd.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index e49b932e2b..6050fe6f66 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -120,9 +120,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From 0e9510a3279e3673090e6ee38173d998b9670211 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:27:18 +0100
Subject: [PATCH 13/15] Update detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
Co-authored-by: Nasreddine Bencherchali
---
 .../winevent_windows_task_scheduler_event_action_started.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
index 956849171a..aea110b6b1 100644
--- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
+++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
@@ -59,9 +59,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From 31b8406e74c8b7a80a8fbe6be6751305ba7c85b0 Mon Sep 17 00:00:00 2001
From: Br3akp0int <26181693+tccontre@users.noreply.github.com>
Date: Tue, 17 Feb 2026 13:37:01 +0100
Subject: [PATCH 14/15] Update detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
Co-authored-by: Nasreddine Bencherchali
---
 ...t_powershell_execution_policy_to_unrestricted_or_bypass.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index 9794b38090..b8bde3b69d 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -78,9 +78,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
From 8c91bddc31d6ddf9d1504ba8a736342c1d439775 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras
Date: Tue, 17 Feb 2026 14:01:17 +0100
Subject: [PATCH 15/15] solarwinds_expl
---
 detections/endpoint/disable_defender_antivirus_registry.yml | 2 +-
 .../endpoint/disable_defender_blockatfirstseen_feature.yml | 2 +-
 detections/endpoint/disable_windows_behavior_monitoring.yml | 2 +-
 .../malicious_powershell_process___encoded_command.yml | 2 +-
 .../endpoint/scheduled_task_deleted_or_created_via_cmd.yml | 2 +-
 ...powershell_execution_policy_to_unrestricted_or_bypass.yml | 2 +-
 .../suspicious_scheduled_task_from_public_directory.yml | 5 +----
 .../endpoint/system_information_discovery_detection.yml | 5 +----
 ...windows_cmdline_tool_execution_from_non_shell_process.yml | 5 +----
 detections/endpoint/windows_disableantispyware_registry.yml | 5 +----
 .../endpoint/windows_dll_module_loaded_in_temp_dir.yml | 5 +----
 detections/endpoint/windows_file_download_via_powershell.yml | 5 +----
 detections/endpoint/windows_group_discovery_via_net.yml | 5 +----
 .../windows_hijack_execution_flow_version_dll_side_load.yml | 5 +----
 .../windows_http_network_communication_from_msiexec.yml | 5 +----
 .../windows_known_abused_dll_loaded_suspiciously.yml | 5 +----
 ...ows_modify_registry_disable_windefender_notifications.yml | 5 +----
 detections/endpoint/windows_msiexec_remote_download.yml | 5 +----
 .../endpoint/windows_process_execution_from_programdata.yml | 5 +----
 .../windows_scheduled_task_with_highest_privileges.yml | 5 +----
 .../windows_scheduled_task_with_suspicious_command.yml | 5 +----
 .../endpoint/windows_schtasks_create_run_as_system.yml | 5 +----
 .../windows_service_creation_using_registry_entry.yml | 5 +----
 detections/endpoint/windows_unsigned_dll_side_loading.yml | 5 +----
 ...indows_unsigned_dll_side_loading_in_same_process_path.yml | 5 +----
 .../winevent_windows_task_scheduler_event_action_started.yml | 2 +-
 ...oitation.yml => solarwinds_whd_rce_post_exploitation.yml} | 4 ++--
 27 files changed, 28 insertions(+), 85 deletions(-)
 rename stories/{solarwinds_whd_rce_exploitation.yml => solarwinds_whd_rce_post_exploitation.yml} (70%)
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
index cca2c5afc5..90bc86358a 100644
--- a/detections/endpoint/disable_defender_antivirus_registry.yml
+++ b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -58,7 +58,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - Windows Registry Abuse
 - CISA AA24-241A
 - IcedID
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
index 8803a9957f..540daa2b7a 100644
--- a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
+++ b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -56,7 +56,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - Azorult
 - CISA AA23-347A
 - IcedID
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
index 1ec15d5d9b..3b955f1c7a 100644
--- a/detections/endpoint/disable_windows_behavior_monitoring.yml
+++ b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -59,7 +59,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - Windows Defense Evasion Tactics
 - CISA AA23-347A
 - Revil Ransomware
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
index 53661c08d0..61667ec208 100644
--- a/detections/endpoint/malicious_powershell_process___encoded_command.yml
+++ b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -48,7 +48,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - CISA AA22-320A
 - Hermetic Wiper
 - Sandworm Tools
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
index 6050fe6f66..9ede625ea7 100644
--- a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
+++ b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -74,7 +74,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - ShrinkLocker
 - AgentTesla
 - CISA AA24-241A
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
index b8bde3b69d..41f9882e68 100644
--- a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
+++ b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -62,7 +62,7 @@ rba:
 type: registry_path
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - HAFNIUM Group
 - Hermetic Wiper
 - Credential Dumping
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
index 9e113e8035..e18f4fe2a2 100644
--- a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
+++ b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -70,7 +70,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - XWorm
 - Medusa Ransomware
 - CISA AA23-347A
@@ -100,9 +100,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
index 7a0495170e..1b302b927c 100644
--- a/detections/endpoint/system_information_discovery_detection.yml
+++ b/detections/endpoint/system_information_discovery_detection.yml
@@ -76,7 +76,7 @@ rba:
 threat_objects: []
 tags:
 analytic_story:
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 - Windows Discovery Techniques
 - Gozi Malware
 - Medusa Ransomware
@@ -93,9 +93,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
index c79a05e336..861042b6a3 100644
--- a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
+++ b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -92,7 +92,7 @@ tags:
 - FIN7
 - Water Gamayun
 - Tuoni
- - SolarWinds WHD RCE Exploitation
+ - SolarWinds WHD RCE Post Exploitation
 asset_type: Endpoint
 mitre_attack_id:
 - T1059.007
@@ -101,9 +101,6 @@ tags:
 - Splunk Enterprise Security
 - Splunk Cloud
 security_domain: endpoint
- cve:
- - CVE-2025-40551
- - CVE-2025-26399
 tests:
 - name: True Positive Test
 attack_data:
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
index b5ab86103d..57ea2c9e91 100644
--- a/detections/endpoint/windows_disableantispyware_registry.yml
+++ b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -55,7 +55,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Azorult - Ryuk Ransomware - Windows Registry Abuse @@ -71,9 +71,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml index c2fb8782c5..aea482045f 100644 --- a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml +++ b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml @@ -37,7 +37,7 @@ references: - https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/ tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Interlock Rat - Lokibot asset_type: Endpoint @@ -48,9 +48,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml index b20265a280..4189dda48a 100644 --- a/detections/endpoint/windows_file_download_via_powershell.yml +++ b/detections/endpoint/windows_file_download_via_powershell.yml @@ -109,7 +109,7 @@ tags: - XWorm - Tuoni - StealC Stealer - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation asset_type: Endpoint mitre_attack_id: - T1059.001 @@ -119,9 +119,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test - Sysmon attack_data: diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml index f10aae4a7e..ecd51509a9 100644 
--- a/detections/endpoint/windows_group_discovery_via_net.yml +++ b/detections/endpoint/windows_group_discovery_via_net.yml @@ -45,7 +45,7 @@ references: - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/ tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Windows Discovery Techniques - Windows Post-Exploitation - Graceful Wipe Out Attack @@ -67,9 +67,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml index 80e4d39f06..1013a76937 100644 --- a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml +++ b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml @@ -51,7 +51,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Brute Ratel C4 - XWorm - Malicious Inno Setup Loader @@ -63,9 +63,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml index 9649b87171..8490e9666e 100644 --- a/detections/endpoint/windows_http_network_communication_from_msiexec.yml +++ b/detections/endpoint/windows_http_network_communication_from_msiexec.yml @@ -86,7 +86,7 @@ tags: - Windows System Binary Proxy Execution MSIExec - Water Gamayun - Cisco Network Visibility Module Analytics - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation asset_type: Endpoint mitre_attack_id: - T1218.007 
@@ -95,9 +95,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test - Sysmon attack_data: diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml index b0db3a5c5b..acd66a47b5 100644 --- a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml +++ b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml @@ -60,7 +60,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Windows Defense Evasion Tactics - Living Off The Land asset_type: Endpoint @@ -71,9 +71,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml index 4de10cee46..409bb33434 100644 --- a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml +++ b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml @@ -62,7 +62,7 @@ tags: analytic_story: - CISA AA23-347A - RedLine Stealer - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation asset_type: Endpoint atomic_guid: - 12e03af7-79f9-4f95-af48-d3f12f28a260 @@ -73,9 +73,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml index 117df18291..e83ae004f1 100644 --- a/detections/endpoint/windows_msiexec_remote_download.yml 
+++ b/detections/endpoint/windows_msiexec_remote_download.yml @@ -84,7 +84,7 @@ tags: - Water Gamayun - Cisco Network Visibility Module Analytics - StealC Stealer - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation asset_type: Endpoint mitre_attack_id: - T1218.007 @@ -93,9 +93,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test - Sysmon attack_data: diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml index a469d5d327..02cdbbfda4 100644 --- a/detections/endpoint/windows_process_execution_from_programdata.yml +++ b/detections/endpoint/windows_process_execution_from_programdata.yml @@ -50,7 +50,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - StealC Stealer - SnappyBee - XWorm @@ -66,9 +66,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml index 467855b918..8f45aad7be 100644 --- a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml +++ b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml @@ -67,7 +67,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - XWorm - CISA AA23-347A - Scheduled Tasks 
@@ -85,9 +85,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml index 1854589673..dbfbf51276 100644 --- a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml +++ b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml @@ -73,7 +73,7 @@ rba: type: signature tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Scheduled Tasks - Ransomware - Quasar RAT @@ -89,9 +89,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml index ff0500b6e1..be5defce69 100644 --- a/detections/endpoint/windows_schtasks_create_run_as_system.yml +++ b/detections/endpoint/windows_schtasks_create_run_as_system.yml @@ -75,7 +75,7 @@ rba: type: process_name tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - Medusa Ransomware - Windows Persistence Techniques - Qakbot @@ -89,9 +89,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml index 6d4e5cf545..4e73c7b5f4 100644 --- a/detections/endpoint/windows_service_creation_using_registry_entry.yml +++ b/detections/endpoint/windows_service_creation_using_registry_entry.yml 
@@ -54,7 +54,7 @@ rba: threat_objects: [] tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - PlugX - CISA AA23-347A - China-Nexus Threat Activity @@ -75,9 +75,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml index af91d02dcd..9ac4fa558d 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading.yml @@ -64,7 +64,7 @@ tags: - Salt Typhoon - NjRAT - Earth Alux - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation asset_type: Endpoint mitre_attack_id: - T1574.001 @@ -73,9 +73,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml index 4188c12893..d5abe87e5c 100644 --- a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml +++ b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml @@ -67,7 +67,7 @@ tags: - SnappyBee - NailaoLocker Ransomware - Lokibot - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation asset_type: Endpoint mitre_attack_id: - T1574.001 @@ -76,9 +76,6 @@ tags: - Splunk Enterprise Security - Splunk Cloud security_domain: endpoint - cve: - - CVE-2025-40551 - - CVE-2025-26399 tests: - name: True Positive Test attack_data: 
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml index aea110b6b1..a12388e078 100644 --- a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml +++ b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml @@ -30,7 +30,7 @@ references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ tags: analytic_story: - - SolarWinds WHD RCE Exploitation + - SolarWinds WHD RCE Post Exploitation - IcedID - BlackSuit Ransomware - Windows Persistence Techniques diff --git a/stories/solarwinds_whd_rce_exploitation.yml b/stories/solarwinds_whd_rce_post_exploitation.yml similarity index 70% rename from stories/solarwinds_whd_rce_exploitation.yml rename to stories/solarwinds_whd_rce_post_exploitation.yml index d9ec7565c0..b2ee6a7e5c 100644 --- a/stories/solarwinds_whd_rce_exploitation.yml +++ b/stories/solarwinds_whd_rce_post_exploitation.yml 
@@ -1,10 +1,10 @@ -name: SolarWinds WHD RCE Exploitation +name: SolarWinds WHD RCE Post Exploitation id: 8d6080bf-bb29-4569-94dd-e4c797569c48 version: 1 date: '2026-02-09' author: Teoderick Contreras, Splunk status: production -description: CVE-2025-26399 is a critical remote code execution vulnerability in SolarWinds Web Help Desk caused by insecure deserialization in the AjaxProxy component. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable, internet-exposed systems with high privileges. Because Web Help Desk often runs with elevated access and integrates into internal IT environments, successful exploitation provides a direct entry point into enterprise networks. +description: CVE-2025-26399 is a critical remote code execution vulnerability in SolarWinds Web Help Desk caused by insecure deserialization in the AjaxProxy component. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable, internet-exposed systems with high privileges. Because Web Help Desk often runs with elevated access and integrates into internal IT environments, successful exploitation provides a direct entry point into enterprise networks. This analytic story focuses on post-exploitation detection, providing a collection of detections designed to identify malicious activity occurring after initial compromise. The included detections monitor for behaviors such as suspicious process execution, command shell spawning, abnormal child processes from the Web Help Desk service, privilege escalation attempts, lateral movement activity, persistence mechanisms, and outbound command-and-control communications associated with exploitation of CVE-2025-26399. narrative: Threat actors actively exploit this vulnerability by scanning for exposed Web Help Desk instances and delivering crafted payloads to gain execution. 
Following initial access, attackers quickly deploy legitimate remote management and forensic tools to establish persistence and interactive control. This enables reconnaissance, credential access, and potential lateral movement, demonstrating a fast transition from exploitation to hands-on intrusion. references: - https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/
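Review bot: The new `description` promises coverage of abnormal child processes from the Web Help Desk service, privilege escalation, lateral movement and outbound C2, yet every detection re-tagged to this story in the patch is, judging by its file name, a generic endpoint analytic (Defender registry tampering, scheduled tasks, service creation via registry, DLL side-loading, msiexec/PowerShell downloads, `net` group discovery) and none visibly keys on the WHD service as parent; unless further detections are attached outside this patch, the claim should be scoped to what is included, e.g. `The included detections cover common post-compromise behaviors — defense evasion, scheduled-task and service persistence, DLL side-loading, host discovery, and download/C2 tooling — observed following exploitation of CVE-2025-26399.` With the `cve:` tag deleted from all the detections above, the story's own `tags` block (outside this hunk) is now the only machine-readable anchor for CVE-2025-26399, and CVE-2025-40551, which those deleted tags also listed, no longer appears anywhere in the new text; confirm the story's tags carry the intended CVE list. The `name` and `description` change while `version: 1` is kept; if this story has already shipped, the convention visible in the other files of this patch (version bump alongside the date change) applies here too. As a point of style, `description` and `narrative` are single several-hundred-character plain scalars; `>-` folded block scalars would let future edits be reviewed line by line.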