In an effort to help other businesses analyze source code at scale, Microsoft has open sourced the CodeQL queries it used to detect indicators of compromise (IoCs) and coding patterns associated with Solorigate.
A key aspect of the Solorigate attack is the supply chain compromise that allowed attackers to modify binaries in SolarWinds’ Orion product. As these modified binaries were distributed via legitimate update channels, they allowed the attackers to remotely perform malicious activities including credential theft, privilege escalation and lateral movement to steal sensitive information.
Microsoft has decided to open source the CodeQL queries it used in its investigation so that other organizations can perform a similar analysis on their software and systems.
While there is no guarantee that cybercriminals will be constrained to the same functionality or coding style used in the SolarWinds hack, these queries could still be helpful to organizations when it comes to detecting future attacks.
CodeQL is a powerful semantic code analysis engine which is now part of GitHub and can be downloaded by organizations that wish to use it in their own security efforts.
Unlike other analysis solutions though, CodeQL works in two distinct stages. First the code analysis engine builds a database that captures the model of the compiled source code into binaries. Once the database has been constructed, it can then be queried repeatedly just like any other database. The CodeQL language is also purpose-built to enable the easy selection of complex code conditions from the database.
In a new blog post, the Microsoft Security Team explained how it aggregates the CodeQL databases produced by the build systems or pipelines across the company into a centralized infrastructure, saying:
“Aggregating CodeQL databases allows us to search semantically across our multitude of codebases and look for code conditions that may span between multiple assemblies, libraries, or modules based on the specific code that was part of a build. We built this capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly.”
As Microsoft has open sourced several of the C# queries used to assess code-level IoCs, organizations can now download them directly from the CodeQL GitHub repository.