* [Blog](https://www.paloaltonetworks.com.au/blog) * [Security Operations](https://www.paloaltonetworks.com.au/blog/security-operations/) * [Must-Read Articles](https://www.paloaltonetworks.com.au/blog/security-operations/category/must-read-articles/) * Hunting for APT29 Spear P... # Hunting for APT29 Spear Phishing Using XDR [](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fhunting-for-apt29-spear-phishing-using-xdr%2F) [](https://twitter.com/share?text=Hunting+for+APT29+Spear+Phishing+Using+XDR&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fhunting-for-apt29-spear-phishing-using-xdr%2F) [](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww.paloaltonetworks.com.au%2Fblog%2Fsecurity-operations%2Fhunting-for-apt29-spear-phishing-using-xdr%2F&title=Hunting+for+APT29+Spear+Phishing+Using+XDR&summary=&source=) [](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www.paloaltonetworks.com.au/blog/security-operations/hunting-for-apt29-spear-phishing-using-xdr/&ts=markdown) \[\](mailto:?subject=Hunting for APT29 Spear Phishing Using XDR) Link copied By [Unit 42](https://www.paloaltonetworks.com/blog/author/unit-42/?ts=markdown "Posts by Unit 42") May 28, 2021 4 minutes [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown) [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown) [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [APT29](https://www.paloaltonetworks.com/blog/tag/apt29/?ts=markdown) [CobaltStrike](https://www.paloaltonetworks.com/blog/tag/cobaltstrike/?ts=markdown) [Nobelium](https://www.paloaltonetworks.com/blog/tag/nobelium/?ts=markdown) [Spear Phishing](https://www.paloaltonetworks.com/blog/tag/spear-phishing/?ts=markdown) This post is also available in: [日本語 (Japanese)](https://www.paloaltonetworks.com.au/blog/security-operations/hunting-for-apt29-spear-phishing-using-xdr/?lang=ja "Switch to Japanese(日本語)") ## Executive Summary On May 27, 2021, [Microsoft reported](https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/) a wide scale spear phishing campaign attributed to APT29, the same threat actor responsible for the SolarWinds campaign named [SolarStorm](https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/3/). This attack had a wide range of targets for an APT spear phishing campaign with 3,000 email accounts targeted within 150 organizations. This blog will help you proactively search for related indicators of compromise (IOCs) and attack techniques using Cortex XDR. ## Hunting for This Attack in Your Environment **Hunt for the attack using Cortex XDR alerts** * Use the existing alert set and hunt for alerts with "rundll32.exe" as source of the alert: ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/05/word-image-99.png) * Look for Cobalt Strike related alerts as [Volexity](https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/) mentioned that it might be used by the attackers: ![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2021/05/word-image-100.png) **Hunt for the attack using XQL Search in Cortex XDR** * Use this to hunt on known IOCs that have been attributes to this attack: |------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | dataset = xdr\_data|filter action\_file\_sha256 IN ("2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252", "d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142", "94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916", "48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0", "ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c", "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330") OR action\_module\_sha256 IN ("ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088c", "ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330") OR dst\_action\_external\_hostname ~=".\*theyardservice.com|.\*worldhomeoutlet.com|refreshauthtoken-default-rtdb.firebaseio.com" OR action\_external\_hostname ~=".\*theyardservice.com|.\*worldhomeoutlet.com|refreshauthtoken-default-rtdb.firebaseio.com" OR dns\_query\_name ~=".\*theyardservice.com|.\*worldhomeoutlet.com" | fields agent\_hostname, causality\_actor\_process\_image\_path, actor\_process\_image\_path,action\_external\_hostname, action\_file\_path, action\_module\_path, dst\_action\_external\_hostname, dns\_query\_name,event\_id, action\_file\_sha256, action\_module\_sha256 | * Hunt for ISO files dropped by browsers as the threat actor leverages ISO files as part of the exploitation attempts. Notice that there are legitimate cases of ISO drops: |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | config case\_sensitive = false | dataset = xdr\_data | filter actor\_process\_image\_name in ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe", "google chrome", "firefox", "safari") and action\_file\_extension = "iso" | dedup agent\_id, agent\_hostname, action\_file\_name, action\_file\_path, action\_file\_sha256, action\_file\_size | fields agent\_id, agent\_hostname, action\_file\_name, action\_file\_path, action\_file\_sha256, action\_file\_size | * Hunt for "rundll32.exe" loading "documents.dll" or "GraphicalComponent.dll" via command line: |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | config case\_sensitive = false | dataset = xdr\_data | filter action\_process\_image\_name = "rundll32.exe" and action\_process\_image\_command\_line ~= ".\*(Documents.dll|GraphicalComponent.dll).\*" | dedup agent\_id, agent\_hostname, actor\_process\_image\_name, actor\_process\_image\_command\_line , action\_process\_image\_name, action\_process\_image\_command\_line | fields agent\_id, agent\_hostname, actor\_process\_image\_name, actor\_process\_image\_command\_line , action\_process\_image\_name, action\_process\_image\_command\_line | * Hunt for the FRESHFIRE malware using "C:\\dell.sdr" file access: |-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | config case\_sensitive = false | dataset = xdr\_data | filter action\_file\_path = "c:\\\\dell.sdr" | dedup agent\_id, agent\_hostname, action\_file\_name, action\_file\_path, action\_file\_sha256, action\_file\_size | fields agent\_id, agent\_hostname, action\_file\_name, action\_file\_path, action\_file\_sha256, action\_file\_size | ## Cortex XDR Product Response **Cortex XDR Managed Threat Hunting** The [Cortex XDR Managed Threat Hunting](https://www.paloaltonetworks.com/cortex/managed-threat-hunting) team proactively hunted for threats and activities related to the event and notified customers with a detailed Impact Report. Cortex XDR alerts that detect this attack |---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Source** | **Description** | | Cortex XDR Analytics BIOC | [LOLBIN connecting to a rare host](https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/lolbin-connecting-to-a-rare-host.html) | | Cortex XDR Agent | Wildfire Malware | ## Conclusion Due to the high impact of a potential attack by APT29 and the technical prowess seen as part of SolarStorm, we highly advise Palo Alto Networks customers update to the latest XDR Agent and content version, and hunting for threats using the supplied XQL queries and the existing protection mechanisms within Cortex XDR. ## Additional Resources [Cortex XSOAR for Nobelium Spear Phishing Attacks Rapid Response](https://www.paloaltonetworks.com/blog/2021/06/cortex-xsoar-nobelium-spear-phishing/) *** ** * ** *** ## Related Blogs ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Discover your WordPress Plugin Backdoor Exposures with Cortex Xpanse](https://www.paloaltonetworks.com.au/blog/security-operations/discover-your-wordpress-plugin-backdoor-exposures-with-cortex-xpanse/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Prevent Critical Exposures for Employees on Unsecure Remote Networks Using ASM for Remote Workers Coverage](https://www.paloaltonetworks.com.au/blog/security-operations/attack-surface-management-for-remote-workers/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### From ILOVEYOU to AI Defenders -- 25 Years of Email Evolution](https://www.paloaltonetworks.com.au/blog/security-operations/from-iloveyou-to-ai-defenders-25-years-of-email-evolution/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### SIEM Replacement Made Easy (Yes, Really!)](https://www.paloaltonetworks.com.au/blog/security-operations/siem-replacement-made-easy-yes-really/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [#### Breaking Down Security Silos: How XDL Powers Advanced Threat Operations](https://www.paloaltonetworks.com.au/blog/security-operations/breaking-down-security-silos-how-xdl-powers-advanced-threat-operations/) ### [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [News and Events](https://www.paloaltonetworks.com/blog/security-operations/category/news-and-events/?ts=markdown), [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown), [Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown) [#### Real-World Email Attacks Detected by Cortex Advanced Email Security](https://www.paloaltonetworks.com.au/blog/security-operations/real-world-email-attacks-detected-by-cortex-advanced-email-security/) ### Subscribe to Security Operations Blogs! Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more. ![spinner](https://www.paloaltonetworks.com.au/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up Please enter a valid email. By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder. This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply. {#footer} {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language