TTP Table for Detecting APT Activity Related to SolarWinds Compromise
CISA has released a table of tactics, techniques, and procedures (TTPs) used by the advanced persistent threat (APT) actor involved with the recent SolarWinds Orion supply chain compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
CISA encourages network defenders to review [SolarWinds: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures] and implement its recommendations. CISA also recommends that network defenders review the following resources regarding this incident:
- Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise web page
- CISA Emergency Directive 21-01 - Supplemental Guidance v.1
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- CISA Activity Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations