
Commit 681e6a9

Adding Solorigate context for the generic backdoor queries.
1 parent 3dc1b81 commit 681e6a9

3 files changed

Lines changed: 18 additions & 0 deletions


csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp

Lines changed: 6 additions & 0 deletions
@@ -5,4 +5,10 @@
55
<overview>
66
<p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices.</p>
77
</overview>
8+
9+
<recommendation>
10+
<p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
11+
<p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
12+
</recommendation>
13+
814
</qhelp>
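Review bot: the added sentence on line 10+ has a subject/verb agreement problem ("Any findings from this rules is only intended ...") and an unfinished second clause ("but no certainty that ..."); suggest "Any finding from this rule is only intended to indicate suspicious code that shares similarities with known portions of code used in the Solorigate attack; it does not establish that the code is related to, or part of, any attack." Line 11+ also carries a trailing space inside the `<p>` before `</p>`, which should be dropped. Since the same paragraph is pasted verbatim into all three qhelp files in this commit, fix the wording once and apply it consistently.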

csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp

Lines changed: 6 additions & 0 deletions
@@ -5,4 +5,10 @@
55
<overview>
66
<p>This query finds if there exists a DataFlow from a file last modification date (very likely implant installation time) and an offset to a condition statement (the trigger) that controls code execution.</p>
77
</overview>
8+
9+
<recommendation>
10+
<p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
11+
<p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
12+
</recommendation>
13+
814
</qhelp>
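Review bot: in qhelp the `<recommendation>` element is where the reader expects guidance on what to do with a finding, but lines 10+ and 11+ only contain a scope disclaimer and a link. Consider keeping the disclaimer here but adding one sentence of actionable guidance that follows from the overview on line 6, for example "Review the condition that consumes the file modification date and confirm that the time-based check has a legitimate purpose." The grammar issues on line 10+ ("this rules is", "but no certainty that") are the same as in DangerousNativeFunctionCall.qhelp and should be corrected in the same way.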

csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp

Lines changed: 6 additions & 0 deletions
@@ -6,4 +6,10 @@
66
<p>This query detects code flow from ProcessName property on the Process class into a hash function.</p>
77
<p>Such flow is often used in code backdoors to detect runnig processes and compare them to an obfuscated list of antivirus processes to aviod detection.</p>
88
</overview>
9+
10+
<recommendation>
11+
<p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
12+
<p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
13+
</recommendation>
14+
915
</qhelp>
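Review bot: the unchanged context line 7 7 in this file's overview contains two typos ("runnig" and "aviod" for "running" and "avoid"); since this commit already edits the file, correcting them here would be appropriate. Line 11+ repeats the "Any findings from this rules is only intended ... but no certainty that ..." wording from the other two files and needs the same grammar fix, and line 12+ has the same trailing space inside the `<p>` before `</p>`.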
