Microsoft Releases Open Source Resources for Solorigate Threat Hunting (Security News, February 2021)
Microsoft on Thursday announced the open source availability of CodeQL queries that it used during its investigation into the SolarWinds attack.
The company has released the source code of CodeQL queries, which it used to analyze its code at scale and identify any code-level indicators of compromise associated with Solorigate.
"We are open sourcing the CodeQL queries that we used in this investigation so that other organizations may perform a similar analysis. Note that the queries [] simply serve to home in on source code that shares similarities with the source in the Solorigate implant, either in the syntactic elements or in functionality," the company says.
Microsoft also stresses that manual review would still be required to confirm the results, and that the threat actor may use different functionality and coding styles in other operations, so these queries will not detect implants that deviate significantly from the Solorigate code.
Microsoft has published the C# queries for assessing code-level IoCs in the CodeQL GitHub repository; the Solorigate-Readme details each query and the code-level IoCs it attempts to find.
"GitHub will shortly publish guidance on how they are deploying these queries for existing CodeQL customers. As a reminder, CodeQL is free for open-source projects hosted by GitHub," Microsoft also notes.