Fixes on multiple files.

raulgarciamsft · raulgarciamsft · commit d775528069c3 · 2021-02-05T14:09:26.000-08:00
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
@@ -3,11 +3,11 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices.</p>
+    <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices. This is an example of a query that may be useful for detecting potential backdoors. Solorigate is one example that uses this mechanism.</p>
   </overview>
 
   <recommendation>
-    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
     <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
   </recommendation>
 
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql b/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
@@ -1,7 +1,6 @@
 /**
  * @name Potential dangerous use of native functions
- * @description Please review code for possible malicious intent or unsafe handling.
- *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
+ * @description Detects the use of native functions that can be used for malicious intent or unsafe handling.
  * @kind problem
  * @problem.severity warning
  * @precision low
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
@@ -3,11 +3,11 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query finds if there exists a DataFlow from a file last modification date (very likely implant installation time) and an offset to a condition statement (the trigger) that controls code execution.</p>
+    <p>This query checks for data flow from a file's last modification date and a condition statement that controls code execution. A malicious actor could have implanted code that triggers after a certain time, leading to a "time bomb".</p>
   </overview>
 
   <recommendation>
-    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
     <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
   </recommendation>
 
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql b/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
@@ -1,6 +1,6 @@
 /**
  * @name Potential Timebomb
- * @description Flow from a file last modification date (very likely implant installation time) and an offset to condition statement (the trigger)
+ * @description If there is data flow from a file's last modification date and an offset to a condition statement, this could trigger a "time bomb".
  * @kind path-problem
  * @precision Low
  * @problem.severity warning
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
@@ -4,11 +4,11 @@
 <qhelp>
   <overview>
     <p>This query detects code flow from ProcessName property on the Process class into a hash function.</p>
-    <p>Such flow is often used in code backdoors to detect runnig processes and compare them to an obfuscated list of antivirus processes to aviod detection.</p>
+    <p>Such flow is often used in code backdoors to detect running processes and compare them to an obfuscated list of antivirus processes to avoid detection. Solorigate is one example that uses this mechanism.</p>
   </overview>
 
   <recommendation>
-    <p>Any findings from this rules is only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack, but no certainty that the code is related or part of any attack.</p>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
     <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
   </recommendation>
 
diff --git a/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql b/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
@@ -1,7 +1,6 @@
 /**
  * @name ProcessName to hash function flow
- * @description Flow from a function retrieving process name to a hash function
- *              NOTE: This query is an example of a query that may be useful for detecting potential backdoors, and Solorigate is just one such example that uses this mechanism.
+ * @description Flow from a function retrieving process name to a hash function.
  * @kind path-problem
  * @tags security
  *       solorigate
@@ -20,12 +19,12 @@ class DataFlowFromMethodToHash extends TaintTracking::Configuration {
   /**
    * Holds if `source` is a relevant data flow source.
    */
-  override predicate isSource(Node source) { isSuspiciousPropertyName(source.asExpr()) }
+  override predicate isSource(DataFlow::Node source) { isSuspiciousPropertyName(source.asExpr()) }
 
   /**
    * Holds if `sink` is a relevant data flow sink.
    */
-  override predicate isSink(Node sink) { isGetHash(sink.asExpr()) }
+  override predicate isSink(DataFlow::Node sink) { isGetHash(sink.asExpr()) }
 }
 
 predicate isGetHash(Expr arg) {
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
@@ -3,8 +3,8 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
-    <p>This query detects FNV-like hash calculations where there is an additional xor (with any static value) after the hash calculation loop.</p>
+    <p>In Solorigate, the malicious code tried to evade various security detection software by comparing hashes of the process names against an embedded list of values. The malicious code included hash values calculated using a standard FNV-1A 64-bit hash with an additional XOR by a literal after computing the FNV-1A.</p>
+    <p>This query detects FNV-like hash calculations where there is an additional XOR (with any static value) after the hash calculation loop.</p>
   </overview>
 
   <include src="Solorigate.qhelp" />
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownCommandsAboveThreshold.qhelp
@@ -3,8 +3,8 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>This query detects if there is an enum that includes various of the values used for the Solorigate commands.</p>
-    <p>Please notice that by themselves the names of these enum constants are not malign.</p>
+    <p>This query detects enumerations that include various commands that were also used in the Solorigate implant.</p>
+    <p>By themselves, the names of these enumeration constants are not malicious, so the query only detects enumerations that includes at least 10 of the 18 Solorigate commands.</p>
   </overview>
 
   <include src="Solorigate.qhelp" />
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
@@ -1,7 +1,7 @@
 /**
- * @name Number of Solorigate-related Hashes as literals is above the threshold
- * @description The total number of Solorigate-related hash literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
- *      It is recommended to review the code and verify that there is no unexpected code in this project, however it is highly unlikely the hash values would be present coincideentally
+ * @name Number of Solorigate-related hashes as literals is above the threshold
+ * @description The total number of Solorigate-related hash literals found in the code is above a threshold, which may indicate that an external agent has tampered with the code.
+ *      It is recommended to review the code and verify that there is no unexpected code in this project, however it is highly unlikely the hash values would be present coincidentally.
  * @kind problem
  * @tags security
  *       solorigate
@@ -14,7 +14,7 @@ import csharp
 import Solorigate
 
 /*
- * Returns the total number of Solorigate-related literales found in the project
+ * Returns the total number of Solorigate-related hashes found in the project
  */
 
 int countSolorigateSuspiciousHash() {
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
@@ -1,6 +1,6 @@
 /**
  * @name Number of Solorigate-related literals is above the threshold
- * @description The total number of Solorigate-related literals found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ * @description The total number of Solorigate-related literals found in the code is above a threshold, which may indicate that an external agent has tampered with the code.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
  * @tags security
@@ -14,7 +14,7 @@ import csharp
 import Solorigate
 
 /*
- * Returns the total number of Solorigate-related literales found in the project
+ * Returns the total number of Solorigate-related literals found in the project
  */
 
 int countSolorigateSuspiciousLiterals() {
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
@@ -1,6 +1,6 @@
 /**
  * @name Number of Solorigate-related method names is above the threshold
- * @description The total number of Solorigate-related method names found in the code is above a threshold, which may indicate that the code may have been tampered by an external agent.
+ * @description The total number of Solorigate-related method names found in the code is above a threshold, which may indicate that an external agent has tampered with the code.
  *      It is recommended to review the code and verify that there is no unexpected code in this project.
  * @kind problem
  * @tags security
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
@@ -7,7 +7,7 @@
   <p>The purpose of these rules is to identify potentially tampered code that requires further analysis</p>
 </overview> 
 <recommendation>
-  <p>Any findings from these rules are only intended to indicate suspicious code that shares similarities with known portions of code used for this attack, but no certainty that the code is related or part of any attack.</p>
+  <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
   <p>For more information, please visit https://aka.ms/solorigate. </p>
 </recommendation>
 </qhelp>
diff --git a/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp b/csharp/ql/src/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp
@@ -3,7 +3,7 @@
   "qhelp.dtd">
 <qhelp>
   <overview>
-    <p>The malicious code was wrapped in generic exception catch blocks that lacked any statements</p>
+    <p>In Solorigate, the malicious code was wrapped in generic exception catch blocks that lacked any statements. This made it harder to find any suspicious runtime exceptions.</p>
     <p>This query detects all generic exception empty catch blocks, but it is strongly suggested that the results for cs/catch-of-all-exceptions also be reviewed in the event that a malicious swallow everything exception handler was not empty</p>
   </overview>
 
