RisingSun is a SUNBURST C2 decoder and Host ID encoder which can be used to attribute C2 domains to specific SolarWinds servers when network telemetry is unavailable. Our intent is to provide organizations without DNS logs (or other network-based logs) an option for validating the scope of compromise by the SolarWinds Orion backdoor. Use this tool if you:

  • Have received a list of C2 domains from a major vendor claiming they originated from your network
  • Lack the requisite network telemetry (DNS logs, HTTP logs, etc.) to identify which hosts communicated with each C2 domain
  • Still have the compromised SolarWinds Orion servers (or backups) available
How to Get RisingSun
Option 1
To download RisingSun, type the following command in Linux:
Option 2
View on Git
How to Get Help with RisingSun

For bug reports, enhancements, or any other contributions, please go to this project’s GitHub page.
