Responding to the SolarWinds Breach - Volexity

```yara
rule APT_DarkHalo_SolarWinds_Dec2020
{
  meta:
    author = "YARA Expert"
    date = "2023-10-27"
    description = "Detects artifacts related to the Dark Halo supply chain attack (SolarWinds breach), including network indicators and specific text patterns from intelligence reports."
    reference = "Volexity blog post, SolarWinds breach reports, CISA Alerts"
    tlp = "WHITE" // Publicly available information, widely shared.

  strings:
    // Network Indicators (Domains)
    // These domains are associated with the Dark Halo threat actor or related intelligence.
    $network_domain1_ascii = "www.volexity.com" ascii
    $network_domain1_wide = "w.w.w..v.o.l.e.x.i.t.y...c.o.m" wide
    $network_domain2_ascii = "avsvmcloud.com" ascii
    $network_domain2_wide = "a.v.s.v.m.c.l.o.u.d...c.o.m" wide

    // Unique Text Patterns
    // These strings are extracted from the provided intelligence sample and are highly specific to the Dark Halo operation and related reporting.
    $string_darkhalo_ascii = "Dark Halo" ascii nocase
    $string_darkhalo_wide = "D.a.r.k. .H.a.l.o" wide nocase
    $string_solarwinds_breach_ascii = "SolarWinds Breach" ascii nocase
    $string_solarwinds_breach_wide = "S.o.l.a.r.W.i.n.d.s. .B.r.e.a.c.h" wide nocase
    $string_supply_chain_attack_ascii = "Supply Chain Attack" ascii nocase
    $string_supply_chain_attack_wide = "S.u.p.p.l.y. .C.h.a.i.n. .A.t.t.a.c.k" wide nocase
    $string_volexity_ascii = "Volexity" ascii nocase
    $string_volexity_wide = "V.o.l.e.x.i.t.y" wide nocase
    $string_date_ascii = "16 December 2020" ascii nocase
    $string_date_wide = "1.6. .D.e.c.e.m.b.e.r. .2.0.2.0" wide nocase
    $string_address_ascii = "11654 Plaza America Dr." ascii nocase
    $string_address_wide = "1.1.6.5.4. .P.l.a.z.a. .A.m.e.r.i.c.a. .D.r." wide nocase
    $string_email_ascii = "contact@volexity.com" ascii nocase
    $string_email_wide = "c.o.n.t.a.c.t.@.v.o.l.e.x.i.t.y...c.o.m" wide nocase
    $string_responding_title_ascii = "RESPONDING TO THE SOLARWINDS BREACH" ascii nocase
    $string_responding_title_wide = "R.E.S.P.O.N.D.I.N.G. .T.O. .T.H.E. .S.O.L.A.R.W.I.N.D.S. .B.R.E.A.C.H" wide nocase
    $string_detect_prevent_ascii = "Detect, Prevent, and Remediate" ascii nocase
    $string_detect_prevent_wide = "D.e.t.e.c.t.,. .P.r.e.v.e.n.t.,. .a.n.d. .R.e.m.e.d.i.a.t.e" wide nocase
    $string_incident_response_ascii = "incident response efforts involving" ascii nocase
    $string_incident_response_wide = "i.n.c.i.d.e.n.t. .r.e.s.p.o.n.s.e. .e.f.f.o.r.t.s. .i.n.v.o.l.v.i.n.g" wide nocase
    $string_confusion_concern_ascii = "widespread confusion and concern" ascii nocase
    $string_confusion_concern_wide = "w.i.d.e.s.p.r.e.a.d. .c.o.n.f.u.s.i.o.n. .a.n.d. .c.o.n.c.e.r.n" wide nocase
    $string_questions_misconceptions_ascii = "common questions and misconceptions" ascii nocase
    $string_questions_misconceptions_wide = "c.o.m.m.o.n. .q.u.e.s.t.i.o.n.s. .a.n.d. .m.i.s.c.o.n.c.e.p.t.i.o.n.s" wide nocase

    // Note: No $hash_*, $api_*, $registry_*, or $filepath_* strings are included as per context.

  condition:
    // Detection logic:
    // This rule triggers if either:
    // 1. All identified network domains are present (strong indicator of network activity or configuration).
    // OR
    // 2. At least 3 unique text patterns (from intelligence reports) AND at least 1 network domain are present.
    // This combination helps detect both direct network artifacts and documents/executables discussing or containing references to the attack.
    (all of ($network_domain*)) or
    (
      3 of ($string_darkhalo_*, $string_solarwinds_breach_*, $string_supply_chain_attack_*, $string_volexity_*, $string_date_*, $string_address_*, $string_email_*, $string_responding_title_*, $string_detect_prevent_*, $string_incident_response_*, $string_confusion_concern_*, $string_questions_misconceptions_*) and
      1 of ($network_domain*)
    )
}
```