Skip to content


SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.32

Item Value
ID S0559
Associated Names Solorigate
Version 2.2
Created 05 January 2021
Last Modified 19 April 2022
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Solorigate 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.1
enterprise T1071.004 DNS SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.005 Visual Basic SUNBURST used VBScripts to initiate the execution of payloads.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding SUNBURST used Base64 encoding in its C2 traffic.1
enterprise T1005 Data from Local System SUNBURST collected information from a compromised host.41
enterprise T1001 Data Obfuscation -
enterprise T1001.001 Junk Data SUNBURST added junk bytes to its C2 over HTTP.1
enterprise T1001.002 Steganography SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.156
enterprise T1001.003 Protocol Impersonation SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.1
enterprise T1568 Dynamic Resolution SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.012 Image File Execution Options Injection SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.2
enterprise T1083 File and Directory Discovery SUNBURST had commands to enumerate files and directories.14
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.5
enterprise T1070 Indicator Removal on Host SUNBURST removed IFEO and HTTP proxy registry values to clean up traces of execution. SUNBURST also removed the firewall rules it created during execution.2
enterprise T1070.004 File Deletion SUNBURST had a command to delete files.14
enterprise T1105 Ingress Tool Transfer SUNBURST delivered different payloads, including TEARDROP in at least one instance.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.2
enterprise T1112 Modify Registry SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to value 4.14 It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.2
enterprise T1027 Obfuscated Files or Information SUNBURST strings were compressed and encoded in Base64.4 SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.1
enterprise T1027.005 Indicator Removal from Tools SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.7
enterprise T1057 Process Discovery SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.1
enterprise T1012 Query Registry SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.45
enterprise T1553 Subvert Trust Controls -
enterprise T1553.002 Code Signing SUNBURST was digitally signed by SolarWinds from March - May 2020.1
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 SUNBURST used Rundll32 to execute payloads.2
enterprise T1082 System Information Discovery SUNBURST collected hostname, OS version, and device uptime.14
enterprise T1016 System Network Configuration Discovery SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.1
enterprise T1033 System Owner/User Discovery SUNBURST collected the username from a compromised host.14
enterprise T1007 System Service Discovery SUNBURST collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.1
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.001 System Checks SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.4
enterprise T1497.003 Time Based Evasion SUNBURST remained dormant after initial access for a period of up to two weeks.1
enterprise T1047 Windows Management Instrumentation SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.1

Groups That Use This Software

ID Name References
G0016 APT29 189


Back to top