
Microsoft Shares How SolarWinds Attackers Evaded Detection

Just in case you thought that everyone was asleep at the wheel when the Russians hacked SolarWinds, Microsoft is shedding some interesting light on the subject.

This comes from the Microsoft Defender Research Team, Microsoft Threat Intelligence Center and Microsoft Cyber Defense Operations Center.

The SolarWinds attack is a multi-stage attack. The second stage, called Solorigate, deploys the custom Cobalt Strike loaders (Teardrop, Raindrop and others) after dropping the Solorigate (AKA Sunburst) DLL backdoor.

Microsoft says that the hackers who orchestrated the SolarWinds attack used a range of tactics, operational security and anti-forensic behavior that drastically decreased the breached organizations’ ability to detect their malicious actions.

They used best practices to minimize traces and avoid detection.

Some examples of the SolarWinds hackers’ evasion tactics, as discovered and highlighted by Microsoft:

  • Methodical avoidance of shared indicators across compromised hosts by deploying a custom Cobalt Strike DLL implant on each machine
  • Camouflage and blending into the environment by renaming tools and binaries to match files and programs on the compromised device
  • Disabling event logging using AUDITPOL before hands-on-keyboard activity and re-enabling it afterward
  • Creating firewall rules to minimize outgoing packets for certain protocols before running noisy network enumeration activities (removed after these operations were completed)
  • Carefully planning lateral movement activities by first disabling security services on targeted hosts
  • Also believed to have used timestomping to change artifacts’ timestamps, and to have leveraged wiping procedures and tools to hinder discovery of the malicious DLL implants in affected environments
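As an added defender-side example (not from this alert or from Microsoft's report), the following Python scans constructed Windows Security event records for three of the behaviors above: a direct auditpol.exe launch, a pair of audit-policy changes that bracket a short window (disable, act, re-enable), and a firewall rule that is added and then deleted within minutes. The event IDs are the standard Windows ones; the host names, rule names and timestamps are constructed sample data.

```python
from datetime import datetime

# Constructed sample Security-log records, not real telemetry. Event IDs are the
# standard Windows ones: 4688 process created, 4719 audit policy changed,
# 4946 firewall rule added, 4948 firewall rule deleted.
SAMPLE_EVENTS = [
    {"ts": "2021-01-20T09:00:00", "id": 4688, "host": "srv01",
     "image": r"C:\Windows\System32\auditpol.exe"},
    {"ts": "2021-01-20T09:00:02", "id": 4719, "host": "srv01"},
    {"ts": "2021-01-20T09:01:10", "id": 4946, "host": "srv01", "rule": "temp-outbound"},
    {"ts": "2021-01-20T09:25:40", "id": 4948, "host": "srv01", "rule": "temp-outbound"},
    {"ts": "2021-01-20T09:31:00", "id": 4719, "host": "srv01"},
    {"ts": "2021-01-20T11:00:00", "id": 4719, "host": "ws07"},  # lone change, e.g. GPO
    {"ts": "2021-01-21T08:00:00", "id": 4946, "host": "ws07", "rule": "printer"},  # kept
]

def _ts(ev):
    return datetime.fromisoformat(ev["ts"])

def audit_policy_gaps(events, max_minutes=120):
    """Pair 4719 events per host; a short interval is a candidate logging blackout."""
    by_host = {}
    for ev in sorted(events, key=_ts):
        if ev["id"] == 4719:
            by_host.setdefault(ev["host"], []).append(_ts(ev))
    gaps = []
    for host, times in by_host.items():
        for start, end in zip(times, times[1:]):
            minutes = (end - start).total_seconds() / 60
            if minutes <= max_minutes:
                gaps.append((host, start.isoformat(), end.isoformat(), round(minutes, 1)))
    return gaps

def auditpol_executions(events):
    """Direct auditpol.exe launches; policy normally changes via Group Policy."""
    return [(ev["host"], ev["ts"]) for ev in events
            if ev["id"] == 4688 and ev.get("image", "").lower().endswith("\\auditpol.exe")]

def short_lived_firewall_rules(events, max_minutes=60):
    """Pair 4946 with the 4948 that removes the same rule; minutes-long rules stand out."""
    open_rules, findings = {}, []
    for ev in sorted(events, key=_ts):
        key = (ev["host"], ev.get("rule"))
        if ev["id"] == 4946:
            open_rules[key] = _ts(ev)
        elif ev["id"] == 4948 and key in open_rules:
            minutes = (_ts(ev) - open_rules.pop(key)).total_seconds() / 60
            if minutes <= max_minutes:
                findings.append((ev["host"], ev["rule"], round(minutes, 1)))
    return findings
```

On the sample data, srv01 produces one finding from each function while the lone policy change and the long-lived rule on ws07 produce none; the same three functions can be fed real 4688/4719/4946/4948 records exported from the Security log.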

It is amazing that they were able to do some of these things; it is indicative of the level of permission that they had inside the target environments.

For more information, see the Bleeping Computer summary and the Microsoft blog post.