solarwinds_expl

t-contreras · t-contreras · commit 8c91bddc31d6 · 2026-02-17T14:01:17.000+01:00
diff --git a/detections/endpoint/disable_defender_antivirus_registry.yml b/detections/endpoint/disable_defender_antivirus_registry.yml
@@ -58,7 +58,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Registry Abuse
   - CISA AA24-241A
   - IcedID
diff --git a/detections/endpoint/disable_defender_blockatfirstseen_feature.yml b/detections/endpoint/disable_defender_blockatfirstseen_feature.yml
@@ -56,7 +56,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Azorult
   - CISA AA23-347A
   - IcedID
diff --git a/detections/endpoint/disable_windows_behavior_monitoring.yml b/detections/endpoint/disable_windows_behavior_monitoring.yml
@@ -59,7 +59,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Defense Evasion Tactics
   - CISA AA23-347A
   - Revil Ransomware
diff --git a/detections/endpoint/malicious_powershell_process___encoded_command.yml b/detections/endpoint/malicious_powershell_process___encoded_command.yml
@@ -48,7 +48,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - CISA AA22-320A
   - Hermetic Wiper
   - Sandworm Tools
diff --git a/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml b/detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
@@ -74,7 +74,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - ShrinkLocker
   - AgentTesla
   - CISA AA24-241A
diff --git a/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml b/detections/endpoint/set_default_powershell_execution_policy_to_unrestricted_or_bypass.yml
@@ -62,7 +62,7 @@ rba:
     type: registry_path
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - HAFNIUM Group
   - Hermetic Wiper
   - Credential Dumping
diff --git a/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml b/detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
@@ -70,7 +70,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - XWorm
   - Medusa Ransomware
   - CISA AA23-347A
@@ -100,9 +100,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/system_information_discovery_detection.yml b/detections/endpoint/system_information_discovery_detection.yml
@@ -76,7 +76,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Discovery Techniques
   - Gozi Malware
   - Medusa Ransomware
@@ -93,9 +93,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml b/detections/endpoint/windows_cmdline_tool_execution_from_non_shell_process.yml
@@ -92,7 +92,7 @@ tags:
     - FIN7
     - Water Gamayun
     - Tuoni
-    - SolarWinds WHD RCE Exploitation
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1059.007
@@ -101,9 +101,6 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
   - name: True Positive Test
     attack_data:
diff --git a/detections/endpoint/windows_disableantispyware_registry.yml b/detections/endpoint/windows_disableantispyware_registry.yml
@@ -55,7 +55,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Azorult
   - Ryuk Ransomware
   - Windows Registry Abuse
@@ -71,9 +71,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml b/detections/endpoint/windows_dll_module_loaded_in_temp_dir.yml
@@ -37,7 +37,7 @@ references:
 - https://blog.sekoia.io/interlock-ransomware-evolving-under-the-radar/
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Interlock Rat
   - Lokibot
   asset_type: Endpoint
@@ -48,9 +48,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_file_download_via_powershell.yml b/detections/endpoint/windows_file_download_via_powershell.yml
@@ -109,7 +109,7 @@ tags:
     - XWorm
     - Tuoni
     - StealC Stealer
-    - SolarWinds WHD RCE Exploitation
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1059.001
@@ -119,9 +119,6 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
   - name: True Positive Test - Sysmon
     attack_data:
diff --git a/detections/endpoint/windows_group_discovery_via_net.yml b/detections/endpoint/windows_group_discovery_via_net.yml
@@ -45,7 +45,7 @@ references:
 - https://thedfirreport.com/2023/05/22/icedid-macro-ends-in-nokoyawa-ransomware/
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Discovery Techniques
   - Windows Post-Exploitation
   - Graceful Wipe Out Attack
@@ -67,9 +67,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml b/detections/endpoint/windows_hijack_execution_flow_version_dll_side_load.yml
@@ -51,7 +51,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Brute Ratel C4
   - XWorm
   - Malicious Inno Setup Loader
@@ -63,9 +63,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_http_network_communication_from_msiexec.yml b/detections/endpoint/windows_http_network_communication_from_msiexec.yml
@@ -86,7 +86,7 @@ tags:
     - Windows System Binary Proxy Execution MSIExec
     - Water Gamayun
     - Cisco Network Visibility Module Analytics
-    - SolarWinds WHD RCE Exploitation
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.007
@@ -95,9 +95,6 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
   - name: True Positive Test - Sysmon
     attack_data:
diff --git a/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml b/detections/endpoint/windows_known_abused_dll_loaded_suspiciously.yml
@@ -60,7 +60,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Windows Defense Evasion Tactics
   - Living Off The Land
   asset_type: Endpoint
@@ -71,9 +71,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml b/detections/endpoint/windows_modify_registry_disable_windefender_notifications.yml
@@ -62,7 +62,7 @@ tags:
   analytic_story:
     - CISA AA23-347A
     - RedLine Stealer
-    - SolarWinds WHD RCE Exploitation
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   atomic_guid:
     - 12e03af7-79f9-4f95-af48-d3f12f28a260
@@ -73,9 +73,6 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
   - name: True Positive Test
     attack_data:
diff --git a/detections/endpoint/windows_msiexec_remote_download.yml b/detections/endpoint/windows_msiexec_remote_download.yml
@@ -84,7 +84,7 @@ tags:
     - Water Gamayun
     - Cisco Network Visibility Module Analytics
     - StealC Stealer
-    - SolarWinds WHD RCE Exploitation
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1218.007
@@ -93,9 +93,6 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
   - name: True Positive Test - Sysmon
     attack_data:
diff --git a/detections/endpoint/windows_process_execution_from_programdata.yml b/detections/endpoint/windows_process_execution_from_programdata.yml
@@ -50,7 +50,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - StealC Stealer
   - SnappyBee
   - XWorm
@@ -66,9 +66,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml b/detections/endpoint/windows_scheduled_task_with_highest_privileges.yml
@@ -67,7 +67,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - XWorm
   - CISA AA23-347A
   - Scheduled Tasks
@@ -85,9 +85,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml b/detections/endpoint/windows_scheduled_task_with_suspicious_command.yml
@@ -73,7 +73,7 @@ rba:
     type: signature
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Scheduled Tasks
   - Ransomware
   - Quasar RAT
@@ -89,9 +89,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_schtasks_create_run_as_system.yml b/detections/endpoint/windows_schtasks_create_run_as_system.yml
@@ -75,7 +75,7 @@ rba:
     type: process_name
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - Medusa Ransomware
   - Windows Persistence Techniques
   - Qakbot
@@ -89,9 +89,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_service_creation_using_registry_entry.yml b/detections/endpoint/windows_service_creation_using_registry_entry.yml
@@ -54,7 +54,7 @@ rba:
   threat_objects: []
 tags:
   analytic_story:
-  - SolarWinds WHD RCE Exploitation
+  - SolarWinds WHD RCE Post Exploitation
   - PlugX
   - CISA AA23-347A
   - China-Nexus Threat Activity
@@ -75,9 +75,6 @@ tags:
   - Splunk Enterprise Security
   - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
 - name: True Positive Test
   attack_data:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading.yml b/detections/endpoint/windows_unsigned_dll_side_loading.yml
@@ -64,7 +64,7 @@ tags:
     - Salt Typhoon
     - NjRAT
     - Earth Alux
-    - SolarWinds WHD RCE Exploitation
+    - SolarWinds WHD RCE Post Exploitation
   asset_type: Endpoint
   mitre_attack_id:
     - T1574.001
@@ -73,9 +73,6 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
   security_domain: endpoint
-  cve:
-  - CVE-2025-40551
-  - CVE-2025-26399
 tests:
   - name: True Positive Test
     attack_data:
diff --git a/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml b/detections/endpoint/windows_unsigned_dll_side_loading_in_same_process_path.yml
diff --git a/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml b/detections/endpoint/winevent_windows_task_scheduler_event_action_started.yml
diff --git a/stories/solarwinds_whd_rce_post_exploitation.yml b/stories/solarwinds_whd_rce_post_exploitation.yml
