Microsoft open sources code review tool used to hunt for Solarigate activity

Software giant remains committed to the Githubification of InfoSec

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

In an effort to help other businesses analyze source code at scale,Microsofthas open sourced the CodeQL queries it used to detect indicators of compromise (IoCs) and coding patterns associated withSolorigate.

A key aspect of the Solorigate attack is thesupply chain compromisethat allowed attackers to modify binaries in SolarWinds' Orion product. As these modified binaries were distributed via legitimate update channels, they allowed the attackers to remotely perform malicious activities including credential theft, privilege escalation and lateral movement to steal sensitive information.

Microsofthas decided to open source the CodeQL queries it used in its investigation so that other organizations can perform a similar analysis on their software and systems.

While there is no guarantee that cybercriminals will be constrained to the same functionality or coding style used in theSolarWinds hack, these queries could still be helpful to organizations when it comes to detecting future attacks.

CodeQL queries

CodeQL is a powerful semantic code analysis engine which is now part ofGitHuband can be downloaded by organizations that wish to use it in their own security efforts.

Unlike other analysis solutions though, CodeQL works in two distinct stages. First the code analysis engine builds adatabasethat captures the model of the compiled source code into binaries. Once the database has been constructed, it can then be queried repeatedly just like any other database. The CodeQL language is also purpose-built to enable the easy selection of complex code conditions from the database.

In a newblog post, the Microsoft Security Team explained how it aggregates the CodeQL databases produced by the build systems or pipelines across the company into a centralized infrastructure, saying:

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Aggregating CodeQL databases allows us to search semantically across our multitude of codebases and look for code conditions that may span between multiple assemblies, libraries, or modules based on the specific code that was part of a build. We built this capability to analyze thousands of repositories for newly described variants of vulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for Solorigate implant patterns similarly, quickly.”

As Microsoft has open sourced several of the C# queries used to assess code-level IoCs, organizations can now download them directly from theCodeQL GitHub repository.

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.

Phishing attacks surge in 2024 as cybercriminals adopt AI tools and multi-channel tactics

This new phishing strategy utilizes GitHub comments to distribute malware

Arcane season 2 finally gave us the huge Caitlyn and Vi moment we’ve been waiting for – and its creators say ‘we couldn’t have done it in season one’