Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0559: SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1][2]

EnterpriseS0559MalwareObject v2.5 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

SUNBURST matters because it represents malicious code delivered through a trusted software update path: a trojanized DLL within the SolarWinds Orion update framework. For leaders, the decision point is not only “can we find this malware,” but whether the organization can validate trust in critical vendor software, investigate Windows systems that run privileged management tools, and preserve enough network, DNS, web, endpoint, and software update evidence to reconstruct a supply-chain incident.

Executive priority

Prioritize this as a supply-chain and operational resilience scenario. The ATT&CK relationships tie SUNBURST to the SolarWinds Compromise campaign and APT29, and the described behaviors span command-and-control, discovery, execution, collection, and stealth. Executives should ask whether software update trust, vendor risk evidence, privileged management server monitoring, incident response retention, and identity/API abuse investigation processes are tested together rather than treated as separate controls.

Technical view

SUNBURST is documented for Windows and is linked to behaviors including web and DNS command-and-control, protocol/service impersonation, junk data, steganography, system and process discovery, registry queries, WMI execution, Visual Basic execution, local data collection, obfuscation, compression, matching legitimate resource names or locations, and multiple forms of indicator or artifact removal. SOC and IR teams should validate whether Orion-related Windows hosts and comparable management servers have endpoint process, module/DLL, registry, WMI, DNS, HTTP/S, file deletion, and log-retention coverage sufficient to correlate trusted update activity with later discovery, C2, and cleanup behaviors.

Likely telemetry

  • Windows endpoint process execution and parent/child process telemetry
  • DLL/module load and file integrity evidence for trusted software directories
  • Software update and application deployment logs for SolarWinds Orion or equivalent management platforms
  • DNS query and response logs, including historical retention
  • HTTP/S proxy, web gateway, firewall, and network flow metadata

Detection direction

  • Do not rely on a single malware signature; the related techniques emphasize obfuscation, compression, impersonated protocols, DNS/web C2, and indicator removal.
  • Validate correlation across trusted software update events, unusual outbound DNS or web behavior, discovery commands, registry queries, WMI use, and cleanup activity on Windows management systems.
  • Tune detections for high-value management servers separately from ordinary workstations because legitimate administration can create false positives for WMI, discovery, and service enumeration.
  • Review whether DNS and web telemetry preserve enough detail and history to identify blended command-and-control patterns using web protocols, DNS, junk data, steganography, or protocol impersonation.
  • Account for evidence loss: related techniques include file deletion, clearing network connection history/configurations, clearing persistence, and broader indicator removal.

Mitigation priorities

  • Inventory SolarWinds Orion and comparable trusted management/update platforms and treat them as high-value assets with enhanced monitoring and retention.
  • Strengthen software supply-chain governance: verify update sources, document vendor risk decisions, and preserve audit evidence for critical software changes.
  • Apply least privilege and administrative segmentation around management servers to reduce the blast radius if trusted software is compromised.
  • Ensure endpoint, DNS, web, registry, WMI, and file telemetry is retained long enough to support supply-chain incident reconstruction.
  • Exercise incident response playbooks that combine malware triage, vendor-software validation, identity/token/API review, and network C2 investigation.
Analyst notes and limits

MITRE provides no official detection text for this object, so the take is driven by the official description, external references, and relationships to the SolarWinds Compromise, APT29, and listed ATT&CK techniques. The most useful local validation is whether the organization can correlate activity around trusted Windows management software with network C2, discovery, execution, collection, and cleanup behaviors.

This summary does not assert current exploitation, customer exposure, or guaranteed detection. The object lists Windows as the platform, while several related techniques have broader platform metadata; platform-specific claims should therefore be validated against local affected software and telemetry. ATT&CK tactics are not specified directly on the malware object.

Official MITRE ATT&CK definition

SUNBURST

SUNBURST is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by APT29 since at least February 2020.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

36 rows
Domain ID Name Relationship / procedure
Enterprise T1497.003 Time Based Checks Sub-technique

SUNBURST remained dormant after initial access for a period of up to two weeks.[3]
Enterprise T1047 Windows Management Instrumentation

SUNBURST used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing.[3]
Enterprise T1082 System Information Discovery

SUNBURST collected hostname and OS version.[3]CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1112 Modify Registry

SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\\[service_name]\\Start registry entries to value 4.[3]CitationMicrosoft Analyzing Solorigate Dec 2020 It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.[2]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.[3]
Enterprise T1132.001 Standard Encoding Sub-technique

SUNBURST used Base64 encoding in its C2 traffic.[3]
Enterprise T1070.009 Clear Persistence Sub-technique

SUNBURST removed IFEO registry values to clean up traces of persistence.[2]
Enterprise T1005 Data from Local System

SUNBURST collected information from a compromised host.CitationMicrosoft Analyzing Solorigate Dec 2020[3]
Enterprise T1124 System Time Discovery

SUNBURST collected device `UPTIME`.[3]CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1083 File and Directory Discovery

SUNBURST had commands to enumerate files and directories.[3]CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1685 Disable or Modify Tools

SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.CitationFireEye SUNBURST Additional Details Dec 2020
Enterprise T1016 System Network Configuration Discovery

SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[3]
Enterprise T1027 Obfuscated Files or Information

SUNBURST obfuscated collected system information using a FNV-1a + XOR algorithm.[3]
Enterprise T1546.012 Image File Execution Options Injection Sub-technique

SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.[2]
Enterprise T1218.011 Rundll32 Sub-technique

SUNBURST used Rundll32 to execute payloads.[2]
Enterprise T1027.015 Compression Sub-technique

SUNBURST strings were compressed and encoded in Base64.CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1007 System Service Discovery

SUNBURST collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[3]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.[2]
Enterprise T1553.002 Code Signing Sub-technique

SUNBURST was digitally signed by SolarWinds from March - May 2020.[3]
Enterprise T1057 Process Discovery

SUNBURST collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists.[3]
Enterprise T1001.003 Protocol or Service Impersonation Sub-technique

SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.[3]
Enterprise T1001.001 Junk Data Sub-technique

SUNBURST added junk bytes to its C2 over HTTP.[3]
Enterprise T1059.005 Visual Basic Sub-technique

SUNBURST used VBScripts to initiate the execution of payloads.[2]
Enterprise T1071.004 DNS Sub-technique

SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.[3]
Enterprise T1070.004 File Deletion Sub-technique

SUNBURST had a command to delete files.[3]CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1070.007 Clear Network Connection History and Configurations Sub-technique

SUNBURST also removed the firewall rules it created during execution.[2]
Enterprise T1497.001 System Checks Sub-technique

SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1012 Query Registry

SUNBURST collected the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid from compromised hosts.[3]
Enterprise T1518.001 Security Software Discovery Sub-technique

SUNBURST checked for a variety of antivirus/endpoint detection agents prior to execution.CitationMicrosoft Analyzing Solorigate Dec 2020CitationFireEye SUNBURST Additional Details Dec 2020
Enterprise T1033 System Owner/User Discovery

SUNBURST collected the username from a compromised host.[3]CitationMicrosoft Analyzing Solorigate Dec 2020
Enterprise T1105 Ingress Tool Transfer

SUNBURST delivered different payloads, including TEARDROP in at least one instance.[3]
Enterprise T1027.005 Indicator Removal from Tools Sub-technique

SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.CitationCrowdStrike SUNSPOT Implant January 2021
Enterprise T1071.001 Web Protocols Sub-technique

SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.[3]
Enterprise T1001.002 Steganography Sub-technique

SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.[3]CitationFireEye SUNBURST Additional Details Dec 2020CitationSymantec Sunburst Sending Data January 2021
Enterprise T1568 Dynamic Resolution

SUNBURST dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain.[3]
Enterprise T1070 Indicator Removal

SUNBURST removed HTTP proxy registry values to clean up traces of execution.[2]
Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Campaign Enterprise

C0024: SolarWinds Compromise

The SolarWinds Compromise was a sophisticated supply chain cyber operation conducted by APT29 that was discovered in mid-December 2020. APT29 used customized malware to inject malicious code into the SolarWinds Orion software build process that was later distributed through a normal software update; they also used password spraying, token theft, API abuse, spear phishing, and other supply chain attacks to compromise user accounts and leverage their associated access. Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. This activity has been labled the StellarParticle campaign in industry reporting.[1] Industry reporting also initially referred to the actors involved in this campaign as UNC2452, NOBELIUM, Dark Halo, and SolarStorm.[2][3][4][5][1][6][7][8]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to Russia's Foreign Intelligence Service (SVR); public statements included citations to APT29, Cozy Bear, and The Dukes.[9][10][11] The US government assessed that of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number were compromised by follow-on APT29 activity on their systems.[12]

Relationship explorer

All related ATT&CK context

uses · Technique T1497.003: Time Based Checks Enterprise uses · Technique T1047: Windows Management Instrumentation Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1070.009: Clear Persistence Enterprise uses · Technique T1005: Data from Local System Enterprise uses · Technique T1124: System Time Discovery Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1685: Disable or Modify Tools Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1027: Obfuscated Files or Information Enterprise uses · Technique T1546.012: Image File Execution Options Injection Enterprise uses · Technique T1218.011: Rundll32 Enterprise uses · Technique T1027.015: Compression Enterprise uses · Technique T1007: System Service Discovery Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise uses · Technique T1553.002: Code Signing Enterprise uses · Technique T1057: Process Discovery Enterprise uses · Technique T1001.003: Protocol or Service Impersonation Enterprise uses · Technique T1001.001: Junk Data Enterprise uses · Technique T1059.005: Visual Basic Enterprise uses · Technique T1071.004: DNS Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.5
Created
Modified
Raw hash
7e266b436b3ed1f1...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.5 Current bundle 7e266b436b3e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    SolarWinds Sunburst Sunspot Update January 2021

    Sudhakar Ramakrishna . (2021, January 11). New Findings From Our Investigation of SUNBURST. Retrieved January 13, 2021.

    Open source URL
  2. [2]
    Microsoft Deep Dive Solorigate January 2021

    MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.

    Open source URL
  3. [3]
    FireEye SUNBURST Backdoor December 2020

    FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

    Open source URL
  4. [4]
    SUNBURST

    (Citation: FireEye SUNBURST Backdoor December 2020)

  5. [5]
    Solorigate

    (Citation: Microsoft Deep Dive Solorigate January 2021)

  6. [6]
    mitre-attack S0559
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use