EXH-016 | 2020 | Fictional reconstruction
A Quiet Orion
December 2020. FireEye discovers that its own red-team tools were stolen, not through spear-phishing but through a trojaned update to SolarWinds Orion, an enterprise network-monitoring product.
Type: Classic
Difficulty: Advanced
Era: 2020s
Time: 11 min
Briefing
You have a synthetic executive summary that mirrors the themes of CISA advisory AA20-352A. No binaries, no live C2.
Your role
Vendor risk analyst reviewing the SolarWinds Orion compromise for your CIO briefing.
Objective
From public IOC summaries, describe SUNBURST: its longevity, its dormant beaconing, and why the trusted build pipeline was the breach.
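The dormant-beaconing point in the objective, shown as an added example that is not part of the exercise page or of the CISA advisory: a small Python review script that parses constructed DNS log lines, finds each host's first lookup of the SUNBURST first-stage C2 domain (avsvmcloud[.]com, a public IOC from AA20-352A and FireEye's reporting), measures the gap since that host's Orion update against the publicly reported 12 to 14 day sleep, and lists hosts that have gone quiet. The log format, host names, timestamps, IPs, the subdomain label and the update times are all constructed for the illustration.

```python
"""Dormant-beacon review over constructed DNS logs.

Added illustration, not material from the exercise page.  The C2 domain
avsvmcloud[.]com and the 12-14 day quiet period before the first beacon both
come from public SUNBURST reporting (CISA AA20-352A, FireEye).  The log
format, host names, timestamps, IPs and subdomain label are constructed.
"""

from datetime import datetime

# Public IOC: SUNBURST first-stage C2 domain.  The left-most label is generated
# per victim, so the match is on the domain suffix, not a full query name.
SUNBURST_C2_SUFFIX = ".avsvmcloud.com"

# Public reporting: SUNBURST slept roughly 12 to 14 days after install before
# its first C2 lookup.  Used only to annotate a hit, never to clear a host.
DORMANCY_WINDOW_DAYS = (12.0, 14.0)

# Constructed: when each monitored host applied the trojaned Orion update.
ORION_UPDATE_TIME = {
    "srv-mon-01": datetime(2020, 3, 26, 10, 0, 0),
    "srv-mon-02": datetime(2020, 3, 26, 10, 5, 0),
}

# Constructed: the date the vendor-risk review is being run.
REVIEW_AS_OF = datetime(2020, 4, 9)

# Constructed DNS log, one query per line: "<utc-timestamp> <host> <qname> <answer>".
SAMPLE_DNS_LOG = """\
2020-03-26T10:12:01Z srv-mon-01 downloads.solarwinds.com 203.0.113.10
2020-03-26T10:14:30Z srv-mon-02 downloads.solarwinds.com 203.0.113.10
2020-03-28T11:00:00Z srv-mon-02 time.windows.com 203.0.113.77
2020-04-08T03:41:52Z srv-mon-01 constructedlabel01.avsvmcloud.com 203.0.113.50
2020-04-08T14:05:10Z srv-mon-01 constructedlabel01.avsvmcloud.com 203.0.113.50
"""


def parse_dns_log(text):
    """Parse the constructed log format into (timestamp, host, qname, answer) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qname, answer = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, qname.lower(), answer))
    return events


def is_sunburst_c2(qname):
    """True for the C2 apex or any subdomain of it.  A plain substring test would
    also hit look-alikes such as notavsvmcloud.com, so anchor on the label boundary."""
    return qname == SUNBURST_C2_SUFFIX[1:] or qname.endswith(SUNBURST_C2_SUFFIX)


def first_c2_lookup(events):
    """Earliest C2 lookup per host."""
    first = {}
    for ts, host, qname, _answer in events:
        if is_sunburst_c2(qname) and (host not in first or ts < first[host]):
            first[host] = ts
    return first


def dormancy_report(events, update_times):
    """For every host that looked up the C2 domain, measure the gap since its
    Orion update and flag whether it sits in the publicly reported sleep window."""
    low, high = DORMANCY_WINDOW_DAYS
    report = {}
    for host, first_ts in first_c2_lookup(events).items():
        updated = update_times.get(host)
        days = None if updated is None else (first_ts - updated).total_seconds() / 86400.0
        report[host] = {
            "first_c2": first_ts,
            "dormant_days": days,
            "in_reported_window": days is not None and low <= days <= high,
        }
    return report


def hosts_still_quiet(events, update_times, as_of):
    """Hosts that received the update but show no C2 lookup by `as_of`.
    Because SUNBURST beacons late, silence means 'not yet observed', not
    'clean'; these hosts stay in scope for the review."""
    seen = first_c2_lookup(events)
    return sorted(h for h, t in update_times.items() if t <= as_of and h not in seen)


if __name__ == "__main__":
    evs = parse_dns_log(SAMPLE_DNS_LOG)
    for host, row in dormancy_report(evs, ORION_UPDATE_TIME).items():
        print(host, row)
    print("still quiet:", hosts_still_quiet(evs, ORION_UPDATE_TIME, REVIEW_AS_OF))
```

The second list is the caveat worth carrying into the CIO briefing: with a sleep of up to two weeks baked into the implant, a host that applied the trojaned update and shows nothing in DNS yet has not been cleared, only not observed, so the review scopes by update receipt, not by beacon sightings.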
Terminal environment
user: analyst
host: soc-east
cwd: /soc/vendor-review
steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.