The Domain Name System (DNS) is the backbone of the Internet. However, threat actors have abused this antiquated protocol to facilitate command-and-control (C2) actions, to tunnel, and to exfiltrate sensitive information in novel ways. The FireEye breach and the SolarWinds intrusions of late 2020 demonstrated the sophistication of hacker groups. Researchers were eager to reverse-engineer the malware and to decode the encrypted traffic; noticeably, organizations were keen on being the first to "solve the puzzle". Dr. Eric Cole of the SANS Institute routinely expressed that "prevention is ideal, but detection is a must". Detection analytics may not always provide the underlying context of encrypted traffic, but they at least give defenders a fighting chance to detect the anomaly. SUNBURST is the open-source moniker for the backdoor that affected SolarWinds Orion. Analysis of the malware alongside security-vendor research reveals a possible single point of failure in the C2 phase of the Cyber Kill Chain, which gives defenders an avenue to detect the activity. One small chance is better than none. The assumption is that encryption increases the entropy of strings. SUNBURST relied on encryption to exfiltrate data through DNS queries, in which the adversary prepended the encrypted data to registered Fully-Qualified Domain Names (FQDNs). These FQDNs were typo-squatted to mimic Amazon Web Services (AWS) domains. SUNBURST detection is possible through a simple one-variable t-test across all DNS logs for a given day. The detection code is located on GitHub (https://github.com/MalwareMorghulis/SUNBURST).
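The following is an added illustration of the detection idea described above; it is not code from the linked GitHub repository. It assumes a simplified DNS log format of `timestamp client_ip query_name` (constructed sample lines, not from any real capture), treats the leftmost label of each query as the prepended data, computes the Shannon entropy of that label, and runs a one-sample t-test of the day's entropies against an assumed benign baseline mean; the baseline value and the per-query flagging threshold are placeholders a defender would tune from their own historical DNS data.

```python
import math
import statistics
from collections import Counter

# Constructed sample log lines (hypothetical hostnames; the .invalid TLD is reserved).
# Assumed format: "<timestamp> <client_ip> <query_name>"
SAMPLE_DNS_LOG = """\
2020-12-14T08:01:02Z 10.0.0.5 www.example.com
2020-12-14T08:01:05Z 10.0.0.5 mail.example.com
2020-12-14T08:02:10Z 10.0.0.7 cdn.example.net
2020-12-14T08:03:44Z 10.0.0.9 7h9f2k1q8s4d6e3p0z5x.api.example-cloud.invalid
2020-12-14T08:03:45Z 10.0.0.9 k3j8d0s9f7g2h1x6c5v4.api.example-cloud.invalid
2020-12-14T08:04:00Z 10.0.0.5 login.example.com
"""

# Assumed tuning values: mean entropy of benign leftmost labels seen historically,
# and the per-query entropy above which a label is worth an analyst's attention.
BASELINE_MEAN_ENTROPY = 2.5
PER_QUERY_THRESHOLD = 3.5


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    counts = Counter(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def leftmost_label(fqdn):
    """Return the leftmost DNS label, i.e. the part prepended to the registered domain."""
    return fqdn.rstrip(".").split(".")[0]


def parse_log(text):
    """Parse the assumed three-column log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the daily job
        records.append(tuple(parts))
    return records


def one_sample_t(values, baseline_mean):
    """One-sample t statistic: (sample mean - baseline) / (sample sd / sqrt(n))."""
    n = len(values)
    if n < 2:
        raise ValueError("need at least two observations for a t statistic")
    mean = statistics.fmean(values)
    sd = statistics.stdev(values)
    if sd == 0.0:
        return 0.0 if mean == baseline_mean else math.inf
    return (mean - baseline_mean) / (sd / math.sqrt(n))


def analyze_day(log_text, baseline_mean=BASELINE_MEAN_ENTROPY,
                threshold=PER_QUERY_THRESHOLD):
    """Compute per-query label entropy, the daily t statistic, and the flagged queries."""
    records = parse_log(log_text)
    entropies = [shannon_entropy(leftmost_label(q)) for _, _, q in records]
    flagged = [(client, q, round(e, 3))
               for (_, client, q), e in zip(records, entropies) if e >= threshold]
    return {
        "queries": len(records),
        "mean_entropy": statistics.fmean(entropies) if entropies else 0.0,
        "t_statistic": one_sample_t(entropies, baseline_mean),
        "flagged": flagged,
    }


if __name__ == "__main__":
    result = analyze_day(SAMPLE_DNS_LOG)
    print(f"queries={result['queries']} mean_entropy={result['mean_entropy']:.3f} "
          f"t={result['t_statistic']:.3f}")
    for client, qname, entropy in result["flagged"]:
        print(f"high-entropy label from {client}: {qname} ({entropy} bits/char)")
```

The daily t statistic answers the aggregate question (is today's label entropy unusual against the baseline?), while the per-query threshold surfaces the individual outliers; on a day dominated by benign queries the aggregate test can stay unremarkable even when a handful of hosts emit high-entropy labels, so both views are worth keeping in the job.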