

Commit 1d8f828

Fixes to address some of the comments made during PR review
1 parent 8e85145 commit 1d8f828

9 files changed

Lines changed: 57 additions & 45 deletions

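--- a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
+++ b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
@@ -52,4 +52,4 @@ from MethodCall mc
 where
 isExternMethod(mc.getTarget()) and
 isDangerousMethod(mc.getTarget())
-select mc, "Call to an external method $@", mc, mc.toString()
+select mc, "Call to an external method '" + mc.getTarget().getName() + "'."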
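Review bot: The new message drops the `$@` placeholder entirely, so the alert no longer lets a reader navigate to the callee; the old form was useless because it linked `mc` to itself, but the better fix is to link the target rather than remove the link: `select mc, "Call to an external method $@.", mc.getTarget(), mc.getTarget().getName()`. `getName()` alone also gives identical messages for two same-named externs imported from different libraries, so if that distinction matters a qualified name would be preferable. The query's metadata header and the `from MethodCall mc` clause are outside the hunk.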

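--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
@@ -3,7 +3,7 @@
 "qhelp.dtd">
 <qhelp>
 <overview>
-<p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by 6605813339339102567 after computing the FNV-1A.</p>
+<p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
 <p>This query detects FNV-like hash calculations where there is an additional xor (with any static value) after the hash calculation loop.</p>
 </overview>
 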
99

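--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
@@ -18,12 +18,12 @@ where
 maybeUsedInFNVFunction(v, _, _, loop) and
 (
 exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode() and
+loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
 xor2.getAnOperand() = v.getAnAccess()
 )
 or
 exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-loop.getAControlFlowNode().getASuccessor*() = xor2.getAControlFlowNode() and
+loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
 xor2.getAnOperand() = v.getAnAccess()
 )
 )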
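Review bot: Anchoring on `loop.getAControlFlowExitNode()` correctly excludes XORs inside the hash loop, but `getASuccessor*()` is still unbounded reachability, so `xor2` may sit anywhere later in the enclosing callable, including an unrelated XOR of `v` after the hash has been returned or `v` reassigned. If the intent is "the XOR applied right after the hash loop", consider bounding it, e.g. requiring `xor2` to be in the same block as `loop` or forbidding an intervening assignment to `v` between the exit node and `xor2`. The two `exists` branches differ only in the operator class and both rely on `getAnOperand()`; if the two classes share a common supertype, one branch over `xor2 instanceof BitwiseXorExpr or xor2 instanceof AssignXorExpr` would halve the duplication. A one-line comment above line 20 such as `// the extra XOR must happen after the hash loop has completed, hence the exit node` would make the anchor choice obvious; the `from` clause of this query is outside the hunk.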

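--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.ql
@@ -13,6 +13,22 @@
 import csharp
 import Solorigate
 
+/*
+* Returns the total number of Solorigate-related commands in the given enum
+*
+* This command list is described at https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
+* and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
+*/
+
+int countSolorigateCommandInEnum(Enum e) {
+result =
+count(string s, EnumConstant ec |
+e.getAnEnumConstant() = ec and
+s = ec.getName() and
+s = solorigateSuspiciousCommandsInEnum()
+)
+}
+
 from Enum e, int total
 where
 total = countSolorigateCommandInEnum(e) and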
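Review bot: The header comment on `countSolorigateCommandInEnum` is a plain `/* */` block rather than QLDoc, so it is not attached to the predicate as documentation; QL convention is `/** ... */` for predicate docs. The `count` ranges over a tuple `(s, ec)` in which `s` is fully determined by `ec`, so `count(EnumConstant ec | ec = e.getAnEnumConstant() and ec.getName() = solorigateSuspiciousCommandsInEnum())` expresses the same result with one fewer variable. It is also worth saying in the doc that this counts matching constants within the single enum `e`, since the sibling queries in this commit count distinct values project-wide and a reader may assume the same scope. The `from ... where` clause that consumes the result continues past the hunk.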

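--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
@@ -13,6 +13,15 @@
 import csharp
 import Solorigate
 
+/*
+* Returns the total number of Solorigate-related literales found in the project
+*/
+
+int countSolorigateSuspiciousHash() {
+result =
+count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
+}
+
 from Literal l, int total, int threshold
 where
 total = countSolorigateSuspiciousHash() and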
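Review bot: `countSolorigateSuspiciousHash()` counts distinct matching string values — the `exists(Literal l | ...)` collapses repeated occurrences of the same literal — while the comment says "literales found in the project", which reads as an occurrence count; document the real semantics with QLDoc, e.g. `/** Gets the number of distinct known Solorigate hash values that appear as literals anywhere in the project. */` (which also fixes the "literales" typo and the mismatch with "hash" in the predicate name). The hash list in `Solorigate.qll` is decimal strings, so the match depends on `Literal.getValue()` yielding the decimal value for `ulong` literals regardless of how they are spelled in source; if it preserves source spelling, hex or digit-separated spellings of the same hash would be missed, which is worth confirming with a test. The `from Literal l, int total, int threshold` clause continues beyond the hunk.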

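--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
@@ -13,6 +13,15 @@
 import csharp
 import Solorigate
 
+/*
+* Returns the total number of Solorigate-related literales found in the project
+*/
+
+int countSolorigateSuspiciousLiterals() {
+result =
+count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
+}
+
 from Literal l, int total, int threshold
 where
 total = countSolorigateSuspiciousLiterals() and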
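Review bot: As with the hash count, `exists(Literal l | ...)` makes this a count of distinct known strings present, not of literal occurrences, so a string repeated a hundred times contributes 1; that is a reasonable signal but the doc should say so, e.g. `/** Gets the number of distinct known Solorigate string literals present in the project. */` (QLDoc `/**`, and fixes "literales"). Several entries in `solorigateSuspiciousLiterals()` are regular-expression source such as `"(?i)(solarwinds)"`, yet the comparison here is exact string equality on the literal's value, not a regex match; a short comment stating that would stop a later maintainer from "fixing" it with `regexpMatch` and changing the meaning. The query's `from`/`where` clause continues beyond the hunk.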

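--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
@@ -13,6 +13,15 @@
 import csharp
 import Solorigate
 
+/*
+* Returns the total number of Solorigate-related method names found in the project
+*/
+
+int countSolorigateSuspiciousMethodNames() {
+result =
+count(string s | exists(Method m | s = m.getName() and s = solorigateSuspiciousMethodNames()))
+}
+
 from Method m, int total, int threshold
 where
 total = countSolorigateSuspiciousMethodNames() and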
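Review bot: `countSolorigateSuspiciousMethodNames()` ranges over every `Method` in the database, which in the C# library appears to include methods from referenced assemblies rather than only source; a name as generic as `Abort` (first entry of the list in `Solorigate.qll`) will then be present on essentially any project and inflate the total before the threshold is applied. Restricting the match to source, `exists(Method m | m.fromSource() and s = m.getName() and s = solorigateSuspiciousMethodNames())`, keeps the count about the code being reviewed; please confirm that is the intended scope. The comment should be QLDoc: `/** Gets the number of distinct known Solorigate method names declared in the project. */`. The `from Method m, int total, int threshold` clause continues beyond the hunk.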

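--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
@@ -4,7 +4,7 @@
 <qhelp>
 <overview>
 <p>The nation-state supply chain attack on SolarWinds known as Solorigate or SunBurst gave nation-state actors access to some victims' networks.</p>
-<p>The purpose of these rules is to identify poetntially tampered code that requires further analysis</p>
+<p>The purpose of these rules is to identify potentially tampered code that requires further analysis</p>
 </overview>
 <recommendation>
 <p>Any findings from these rules are only intended to indicate suspicious code that shares similarities with known portions of code used for this attack, but no certainty that the code is related or part of any attack.</p>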

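--- a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
+++ b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
@@ -11,7 +11,7 @@ import csharp
 * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
 */
 
-private string solorigateSuspiciousHashes() {
+string solorigateSuspiciousHashes() {
 result =
 [
 "10063651499895178962", "10235971842993272939", "10296494671777307979",
@@ -94,23 +94,14 @@ private string solorigateSuspiciousHashes() {
 
 predicate isSolorigateHash(Literal l) { l.getValue() = solorigateSuspiciousHashes() }
 
-/*
-* Returns the total number of Solorigate-related literales found in the project
-*/
-
-int countSolorigateSuspiciousHash() {
-result =
-count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousHashes()))
-}
-
 /*
 * Returns a list of Literals used by Solorigate
 *
 * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
 * and https://github.com/fireeye/sunburst_countermeasures/blob/main/fnv1a_xor_hashes.txt
 */
 
-private string solorigateSuspiciousLiterals() {
+string solorigateSuspiciousLiterals() {
 result =
 [
 "(?i)([^a-z]|^)(test)([^a-z]|$)", "(?i)(solarwinds)", "[{0,5}] {1,-16} {2}\t{3,5} {4}\\{5}\n",
@@ -157,22 +148,13 @@ private string solorigateSuspiciousLiterals() {
 
 predicate isSolorigateLiteral(Literal l) { l.getValue() = solorigateSuspiciousLiterals() }
 
-/*
-* Returns the total number of Solorigate-related literales found in the project
-*/
-
-int countSolorigateSuspiciousLiterals() {
-result =
-count(string s | exists(Literal l | s = l.getValue() and s = solorigateSuspiciousLiterals()))
-}
-
 /*
 * Returns a list of method names used by Solorigate
 *
 * This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
 */
 
-private string solorigateSuspiciousMethodNames() {
+string solorigateSuspiciousMethodNames() {
 result =
 [
 "Abort", "AddFileExecutionEngine", "AddRegistryExecutionEngine", "AdjustTokenPrivileges",
@@ -211,32 +193,19 @@ predicate isSolorigateSuspiciousMethodName(Method m) {
 m.getName() = solorigateSuspiciousMethodNames()
 }
 
-/*
-* Returns the total number of Solorigate-related method names found in the project
-*/
-
-int countSolorigateSuspiciousMethodNames() {
-result =
-count(string s | exists(Method m | s = m.getName() and s = solorigateSuspiciousMethodNames()))
-}
 
 /*
-* Returns the total number of Solorigate-related commands in the given enum
+* Returns a list of enum values used by Solorigate to represent commands
 *
-* This command list is described at https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
-* and the enum names are based from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
+* This data was extracted from https://github.com/ITAYC0HEN/SUNBURST-Cracked/tree/a01f358965525bee34ad026acd9dfda3d488fdd8
 */
 
-int countSolorigateCommandInEnum(Enum e) {
+string solorigateSuspiciousCommandsInEnum() {
 result =
-count(string s, EnumConstant ec |
-e.getAnEnumConstant() = ec and
-s = ec.getName() and
-s in [
+[
 "Idle", "Exit", "SetTime", "CollectSystemDescription", "UploadSystemDescription",
 "RunTask", "GetProcessByDescription", "KillTask", "GetFileSystemEntries", "WriteFile",
 "FileExists", "DeleteFile", "GetFileHash", "ReadRegistryValue", "SetRegistryValue",
 "DeleteRegistryValue", "GetRegistrySubKeyAndValueNames", "Reboot", "None"
-]
-)
-}
+]
+}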
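Review bot: Dropping `private` from `solorigateSuspiciousHashes()`, `solorigateSuspiciousLiterals()`, `solorigateSuspiciousMethodNames()` and the new `solorigateSuspiciousCommandsInEnum()` makes them library API for the query files, but their headers remain plain `/* */` comments, so nothing is attached to the predicates as documentation; convert each to QLDoc `/** ... */` and state that consumers match these values by exact string equality (the regex-looking entries in the literal list are compared verbatim, not evaluated). The new command list keeps generic names such as `Idle`, `Exit`, `Reboot` and `None` that occur in many unrelated enums, so the caller's threshold carries the whole false-positive burden; a sentence in the doc for `solorigateSuspiciousCommandsInEnum()` saying the list is meant to be counted against a threshold rather than used as a per-value indicator would prevent misuse. The bodies of the list predicates (the long string arrays) run outside the hunks.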
