← Back to Explore
splunk_escuTTP
Sunburst Correlation DLL and Network Event
The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.
MITRE ATT&CK
Detection Query
| (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com)
| eventstats dc(EventCode) AS dc_events
| where dc_events=2
| stats count min(_time) as firstTime max(_time) as lastTime
BY Image ImageLoaded dest
loaded_file loaded_file_path original_file_name
process_exec process_guid process_hash
process_id process_name process_path
service_dll_signature_exists service_dll_signature_verified signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `sunburst_correlation_dll_and_network_event_filter`Author
Patrick Bareiss, Splunk
Created
2026-03-10
Data Sources
Sysmon EventID 7Sysmon EventID 22
Tags
NOBELIUM Group
Raw Content
name: Sunburst Correlation DLL and Network Event
id: 701a8740-e8db-40df-9190-5516d3819787
version: 9
date: '2026-03-10'
author: Patrick Bareiss, Splunk
status: experimental
type: TTP
description: The following analytic identifies the loading of the malicious SolarWinds.Orion.Core.BusinessLayer.dll by SolarWinds.BusinessLayerHost.exe and subsequent DNS queries to avsvmcloud.com. It uses Sysmon EventID 7 for DLL loading and Event ID 22 for DNS queries, correlating these events within a 12-14 day period. This activity is significant as it indicates potential Sunburst malware infection, a known supply chain attack. If confirmed malicious, this could lead to unauthorized network access, data exfiltration, and further compromise of the affected systems.
data_source:
- Sysmon EventID 7
- Sysmon EventID 22
search: |-
| (`sysmon` EventCode=7 ImageLoaded=*SolarWinds.Orion.Core.BusinessLayer.dll) OR (`sysmon` EventCode=22 QueryName=*avsvmcloud.com)
| eventstats dc(EventCode) AS dc_events
| where dc_events=2
| stats count min(_time) as firstTime max(_time) as lastTime
BY Image ImageLoaded dest
loaded_file loaded_file_path original_file_name
process_exec process_guid process_hash
process_id process_name process_path
service_dll_signature_exists service_dll_signature_verified signature
signature_id user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `sunburst_correlation_dll_and_network_event_filter`
how_to_implement: This detection relies on sysmon logs with the Event ID 7, Driver loaded. Please tune your sysmon config that you DriverLoad event for SolarWinds.Orion.Core.BusinessLayer.dll is captured by Sysmon. Additionally, you need sysmon logs for Event ID 22, DNS Query. We suggest to run this detection at least once a day over the last 14 days.
known_false_positives: No false positives have been identified at this time.
references:
- https://www.mandiant.com/resources/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor
rba:
message: Possible Sunburst activity on $dest$
risk_objects:
- field: dest
type: system
score: 50
threat_objects: []
tags:
analytic_story:
- NOBELIUM Group
asset_type: Windows
mitre_attack_id:
- T1203
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: endpoint