Good day everyone,
Ever since the breach and malicious update SolarWinds experienced, the organization I am in has been crazy about keeping an eye open for SolarWinds devices. And since the infrastructure and network folks seem not to keep us security folks in the loop when new devices are stood up, I've been trying to figure out a way to detect them. We utilize Splunk and receive all sorts of alerts from the hosts via Sysmon and of course the web via the proxies and network traffic. Does anyone have any suggestions, like does SolarWinds generate or receive traffic on specific ports by default that no other device would without further configuration? Are there Sysmon events that would only occur on SW devices? One of the leadership went crazy stupid and had us create an alert for any traffic seen from a non-previously identified SW device that made a web request for anything that contains solarwinds in the URL. Yes, they are that freaking paranoid since the breach: if any of the AV signatures for SUNBURST fire, even if it is just the patch that is within the DFSR conflict report, they want a full forensic work-up. Alerts for any communication to the IPs in the breach, even though they now belong to Microsoft and Google and are detected during a routing update on the site demarc router, need a full write-up. It is that crazy still. Any help would be extremely handy.
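The "new host requesting a URL containing solarwinds" alert described in the post, written out as an added example (not code from the original post or from Splunk). It assumes a constructed key=value proxy log format and a hypothetical inventory set of already-identified SW hosts, and it separates matches on the URL host from matches only in the path, since the latter (someone reading an article about the breach) is the kind of noise the post complains about.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the original post).
SAMPLE_PROXY_LOGS = """\
2024-01-10T09:00:01Z src=10.1.1.5 method=GET url=https://downloads.solarwinds.com/Release/Orion status=200
2024-01-10T09:00:02Z src=10.1.1.9 method=GET url=https://www.example.com/index.html status=200
2024-01-10T09:00:03Z src=10.1.2.7 method=GET url=https://customerportal.solarwinds.com/login status=302
2024-01-10T09:00:04Z src=10.1.2.7 method=POST url=https://api.solarwinds.com/telemetry status=200
2024-01-10T09:00:05Z src=10.1.3.3 method=GET url=https://blog.example.net/posts/solarwinds-breach-analysis status=200
garbage line that should be skipped
"""

# Hypothetical inventory of SolarWinds devices the security team already knows about.
KNOWN_SW_HOSTS = {"10.1.1.5"}

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) url=(?P<url>\S+)")


def parse_line(line):
    """Parse one proxy log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_url(url):
    """Return 'host_match' if the URL host contains 'solarwinds', 'path_only' if only
    the rest of the URL does, or None if the keyword is absent."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if "solarwinds" in host:
        return "host_match"
    if "solarwinds" in url.lower():
        return "path_only"
    return None


def find_new_sw_hosts(log_text, known_hosts):
    """Return {src: {'host_match': [...], 'path_only': [...]}} for sources not in the
    known inventory that requested a URL mentioning solarwinds."""
    hits = defaultdict(lambda: {"host_match": [], "path_only": []})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] in known_hosts:
            continue
        kind = classify_url(rec["url"])
        if kind:
            hits[rec["src"]][kind].append(rec["url"])
    return dict(hits)
```

Host matches are the candidates worth adding to the inventory; path-only matches are better triaged separately so the alert does not fire every time someone reads news about the breach.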