Microsoft is monitoring a dynamic threat environment surrounding the discovery of a sophisticated attack that included compromised binaries from a legitimate software product. These binaries, which are related to the SolarWinds Orion Platform, could be used by attackers to remotely access devices. On Sunday, December 13, Microsoft released detections that alerted customers to the presence of these malicious binaries, with the recommendation to isolate and investigate the devices.

It is important to understand that these binaries represent a significant threat to customer environments. Customers should consider any device with the binary as compromised and should already be investigating devices with this alert. Starting on Wednesday, December 16 at 8:00 AM PST, Microsoft Defender Antivirus will begin blocking the known malicious SolarWinds binaries. This will quarantine the binary even if the process is running. We also realize this is a server product running in customer environments, so it may not be simple to remove the product from service. Nevertheless, Microsoft continues to recommend that customers isolate and investigate these devices:

- Immediately isolate the affected device. If malicious code has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected endpoint might have been compromised.
- Investigate the device timeline for indications of lateral movement activity using one of the compromised accounts.
- Check for additional tools that attackers might have dropped to enable credential access, lateral movement, and other attack activities.
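The following PowerShell is an added example, not part of the Microsoft post, showing how a responder can start the second and fourth steps above on an isolated device: confirm the Defender detection using the threat ID the post gives (2147771206, Trojan:MSIL/Solorigate.BR!dha) and enumerate every account that logged on to the device so each can be treated as compromised. The 30-day lookback and the output path are assumptions; the Security event 4624 field positions are the standard ones for current Windows versions.

```powershell
# Added example (not from the Microsoft post). Run elevated, on the affected
# device, AFTER it has been isolated from the network.
$SolorigateThreatId = 2147771206      # threat ID from the post (Trojan:MSIL/Solorigate.BR!dha)
$LookbackDays       = 30              # assumption: match your own log retention
$AccountListPath    = "$env:TEMP\solorigate-accounts.txt"   # assumed output path

# 1. Confirm the detection and record the file, process and user Defender saw.
Get-MpThreatDetection |
    Where-Object { $_.ThreatID -eq $SolorigateThreatId } |
    ForEach-Object {
        [pscustomobject]@{
            FirstSeen = $_.InitialDetectionTime
            Process   = $_.ProcessName
            User      = $_.DomainUser
            Resources = ($_.Resources -join '; ')
        }
    } | Format-Table -AutoSize

# 2. Enumerate accounts that logged on to this device (Security event 4624).
#    Field order for 4624: 5 = TargetUserName, 6 = TargetDomainName,
#    8 = LogonType, 18 = IpAddress (absent on very old OS builds, hence the guard).
$since  = (Get-Date).AddDays(-$LookbackDays)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($p[6].Value)\$($p[5].Value)"
            LogonType = [int]$p[8].Value
            Source    = if ($p.Count -gt 18) { $p[18].Value } else { $null }
        }
    } |
    # Drop machine accounts (name ends in $) and keep the logon types a human or
    # a lateral-movement tool produces: 2 interactive, 3 network, 7 unlock, 10 RDP.
    Where-Object { $_.Account -notmatch '\$$' -and $_.LogonType -in 2,3,7,10 }

$logons | Group-Object Account | Sort-Object Count -Descending |
    Select-Object @{n='Account';    e={$_.Name}},
                  Count,
                  @{n='LogonTypes'; e={($_.Group.LogonType | Sort-Object -Unique) -join ','}},
                  @{n='Sources';    e={($_.Group.Source    | Sort-Object -Unique) -join ','}} |
    Format-Table -AutoSize

# 3. Every account listed is to be reset or decommissioned. Export the list so
#    the same names can be hunted for as 4624 type 3/10 logons on OTHER hosts,
#    which is where lateral movement from this device will show up.
$logons | Select-Object -ExpandProperty Account -Unique | Set-Content -Path $AccountListPath
```

Reading the event log locally is only useful if the attacker has not cleared it; when Security event 1102 (log cleared) appears in the window, pull the same 4624 data from your SIEM or domain controllers instead.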

If service interruption is not possible, customers should take the action below to exclude the SolarWinds binaries. This should be a temporary change that you revert as soon as you update the binaries from the vendor or complete your investigation.

For Microsoft Defender Antivirus via GPO Instructions:

PATH: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus (or Windows Defender Antivirus) > Threats > Specify threat alert levels at which default action should not be taken when detected.

Value name: 2147771206

Value: 6

For SCEP via GPO instructions:

PATH: Computer Configuration > Administrative Templates > Windows Components > Endpoint Protection > Threats > Specify threat alert levels at which default action should not be taken when detected.

Value name: 2147771206

Value: 6

Note: If you don't see the "Endpoint Protection" section, see: Manage Endpoint Protection using Group Policies - Configuration Manager | Microsoft Docs

For Microsoft Defender Antivirus and SCEP via SCCM Instructions:

PATH: Assets and Compliance, Endpoint Protection > Antimalware Policy > Threat overrides > Enter Threat name: Trojan:MSIL/Solorigate.BR!dha

PATH: Assets and Compliance, Endpoint Protection > Antimalware Policy >
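For a host managed outside GPO or SCCM, the same override can be set, verified and reverted with the Defender PowerShell module. The script below is an added example, not part of the Microsoft post; it uses the threat ID from the post, where GPO value 6 is the "Allow" action, so Defender logs the detection but leaves the binary running. The revert-script path and the policy registry location it checks are assumptions.

```powershell
# Added example (not from the Microsoft post). Run elevated on the affected
# host. Requires the Defender PowerShell module (Windows 10 / Server 2016+).
$SolorigateThreatId = 2147771206      # Trojan:MSIL/Solorigate.BR!dha, from the post
$UndoScript = "$env:ProgramData\solorigate-override-revert.ps1"   # assumed path

function Set-SolorigateOverride {
    # Equivalent of the GPO setting: value name 2147771206, value 6 (Allow).
    # Defender will still raise the alert but takes no default action, so the
    # known-malicious binary keeps running. Temporary measure only.
    Set-MpPreference -ThreatIDDefaultAction_Ids $SolorigateThreatId -ThreatIDDefaultAction_Actions Allow
    # Leave the revert command on disk next to the change so it is not forgotten.
    "Remove-MpPreference -ThreatIDDefaultAction_Ids $SolorigateThreatId" | Set-Content -Path $UndoScript
}

function Test-SolorigateOverride {
    # $true when the override is active from either source:
    #  - the local preference written by Set-MpPreference, or
    #  - the registry value the GPO above writes (assumed location).
    $pref = Get-MpPreference
    $ids  = @($pref.ThreatIDDefaultAction_Ids)
    $acts = @($pref.ThreatIDDefaultAction_Actions)
    $local = $false
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -eq $SolorigateThreatId -and $acts[$i] -eq 6) { $local = $true }
    }
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction'
    $policy = (Get-ItemPropertyValue -Path $polKey -Name "$SolorigateThreatId" -ErrorAction SilentlyContinue) -eq '6'
    return [bool]($local -or $policy)
}

function Remove-SolorigateOverride {
    # Revert as soon as the vendor update is applied or the investigation is done.
    Remove-MpPreference -ThreatIDDefaultAction_Ids $SolorigateThreatId
    Remove-Item -Path $UndoScript -ErrorAction SilentlyContinue
    # Do not wait for the next on-access hit: scan now so the binary is quarantined.
    Start-MpScan -ScanType QuickScan
}

# Usage:
#   Set-SolorigateOverride        # exclude while the service must stay up
#   Test-SolorigateOverride       # audit: is the exclusion still in place?
#   Remove-SolorigateOverride     # restore blocking and quarantine the binary
```

If the override was applied through GPO, Remove-MpPreference alone will not clear it: the policy value is re-applied at the next Group Policy refresh, so the GPO setting itself has to be removed and Test-SolorigateOverride run again afterwards to confirm.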