Adding queries related to the Solorigate campaign #5083
Conversation
@raulgarciamsft I think you have to auto-format the ql code (Or is it formatted? Then ignore this)
I completely forgot about that during our internal review. I will fix the formatting right now.
Question to the GitHub team. We are seeing a number of failures in the CodeQL task on files we did not modify. Is there anything we can/should do in this case? Thanks
No, those errors are not caused by your changes, but instead a combination of this PR initially targeting
Thank you very much for this, @raulgarciamsft! I've done a very cursory review with some initial comments. I'll leave the in-depth review to the experts 😄
.../ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.qhelp
csharp/ql/src/experimental/Security Features/campaign/Solorigate/ModifedFnvFunctionDetection.ql
csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md
csharp/ql/src/experimental/Security Features/campaign/Solorigate-Readme.md
csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
Thanks a lot for your contributions, Raul. This is a very interesting and novel use of CodeQL, at least not something I have seen before or thought about myself :-)
csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qll
.../src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
csharp/ql/src/microsoft/code/csharp/Cryptography/NonCryptographicHashes.qll
csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
...rp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
...rp/ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.ql
Changing the TimeBomb query to path-problem (any suggestions to improve it would be welcomed, no previous experience with path-problem queries)
…back will be welcomed
I forgot to mention it on the first review, but would it be possible to add some tests for the new queries?
Thank you for this! I've had a look on behalf of the documentation team, to keep some of the style and terminology similar to our existing queries.
Since the "Solorigate-Readme" contains lots of helpful information, I've only suggested small additions to the .qhelp files. (As a future task, we could perhaps move more details into the .ql and .qhelp files themselves?)
csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp
csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
.../src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
...rc/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
...rc/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
...experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
...c/experimental/Security Features/campaign/Solorigate/SwallowEverythingExceptionHandler.qhelp
Yeah - we will do that early next week. We have been testing detection against the actual Orion implant so had overlooked our normal test dev. Sorry about that
Done. I added some unit tests. I tried to keep the tests simple, but let me know if you want me to make any changes. Thanks
It turns out that I wrote a bunch of review comments last week that were never actually submitted in a review. Very sorry about that. Here they are. Let me know if you think it's feasible to make some of these changes in the next day or two; if not we'll note them for making later.
csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp
csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp
csharp/ql/src/experimental/Security Features/campaign/Solorigate/Solorigate.qhelp
...ql/src/experimental/Security Features/campaign/Solorigate/ModifiedFnvFunctionDetection.qhelp
.../src/experimental/Security Features/campaign/Solorigate/NumberOfKnownHashesAboveThreshold.ql
...rc/experimental/Security Features/campaign/Solorigate/NumberOfKnownLiteralsAboveThreshold.ql
...experimental/Security Features/campaign/Solorigate/NumberOfKnownMethodNamesAboveThreshold.ql
…te/Solorigate.qhelp Co-authored-by: Bas van Schaik <5082246+sj@users.noreply.github.com>
I think we have addressed all comments (BTW, thanks a lot for all your feedback). Please let me know if we missed anything and I will fix it ASAP.
I fixed the comments we were missing from @hvitved (for some reason I couldn't find them in the GitHub view, but we found them via email). Please reply to this message if there are any other comments we are missing and I will try to find the corresponding emails. Thanks a lot.
There is a QHelp preview check that is failing. Not sure if it is caused by the Solorigate.qhelp file (that is shared for all the queries in this folder & only intended as an include for the individual .qhelp files) or something else. Please let us know what the error is & what we can do to fix it. Thanks
I asked about this internally, and it looks like this is a limitation of the QHelp preview check itself. A possible fix would be to change the name of the included file to If that doesn't work, you might have to duplicate the shared snippet as a way to unblock the check, and we can tidy it up later on!
csharp/ql/src/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll
I believe all my comments have now been addressed. Thanks for your patience @raulgarciamsft.
@raulgarciamsft Can you tell me why the PR targets the
The base branch was changed.
Fixing the PR target... I changed the branch by mistake.
All changes appear to be addressed.