This repository has been archived by the owner on Nov 16, 2023. It is now read-only.
possible-affected-software-orion[Solorigate].md

Get an inventory of SolarWinds Orion software possibly affected by Solorigate

This query was originally published in the threat analytics report, Solorigate supply chain attack.

Microsoft detects the 2020 SolarWinds supply chain attack implant and its other components as Solorigate. A threat actor silently added malicious code to legitimate software updates for Orion, which is IT monitoring software provided by SolarWinds. In this way, malicious dynamic link libraries (DLLs) were distributed to SolarWinds customers.

The following query retrieves an inventory of the SolarWinds Orion software in use in your organization, grouped by product name and ordered by the number of devices on which each product is installed.

More Solorigate-related queries can be found listed under the See also section of this document.

Query

```kusto
DeviceTvmSoftwareInventoryVulnerabilities
| where SoftwareVendor == 'solarwinds'
| where SoftwareName startswith 'orion'
| summarize dcount(DeviceName) by SoftwareName
| sort by dcount_DeviceName desc
```
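To make the query's filtering and counting behaviour concrete, the following Python snippet is an added example (not part of the original query file or the Microsoft repository) that applies the same logic to a handful of constructed inventory rows shaped like DeviceTvmSoftwareInventoryVulnerabilities. Column names match the query; the row values are made up. It mirrors two KQL details worth knowing when reading the results: `==` is a case-sensitive string comparison, while `startswith` is case-insensitive, and `dcount(DeviceName)` counts each device once per product even when the table holds several vulnerability rows for that device. The `vendor_case_mismatches` helper is an assumed, hypothetical check that surfaces rows a strict vendor comparison would silently skip.

```python
from collections import defaultdict

# Constructed sample rows in the shape of DeviceTvmSoftwareInventoryVulnerabilities.
# Only the columns the query touches are included; all values are made up.
SAMPLE_ROWS = [
    {"DeviceName": "ws01",  "SoftwareVendor": "solarwinds", "SoftwareName": "orion_platform"},
    {"DeviceName": "ws02",  "SoftwareVendor": "solarwinds", "SoftwareName": "orion_platform"},
    # Same device and product listed twice (e.g. two vulnerability entries):
    # dcount counts the device once.
    {"DeviceName": "ws02",  "SoftwareVendor": "solarwinds", "SoftwareName": "orion_platform"},
    # Mixed-case product name still matches, because startswith is case-insensitive.
    {"DeviceName": "srv01", "SoftwareVendor": "solarwinds", "SoftwareName": "Orion_NPM"},
    # Mixed-case vendor does NOT match 'solarwinds' under the case-sensitive == filter.
    {"DeviceName": "srv02", "SoftwareVendor": "SolarWinds", "SoftwareName": "orion_platform"},
    # Vendor matches but product is not an Orion component: excluded by the prefix filter.
    {"DeviceName": "srv03", "SoftwareVendor": "solarwinds", "SoftwareName": "database_performance_analyzer"},
]


def orion_inventory(rows):
    """Equivalent of the KQL query: vendor == 'solarwinds' (case-sensitive),
    SoftwareName startswith 'orion' (case-insensitive), distinct device count
    per SoftwareName, sorted by that count descending.
    Returns a list of (SoftwareName, dcount_DeviceName) tuples."""
    devices_by_name = defaultdict(set)
    for row in rows:
        if row["SoftwareVendor"] != "solarwinds":          # KQL ==  : case-sensitive
            continue
        if not row["SoftwareName"].lower().startswith("orion"):  # KQL startswith: case-insensitive
            continue
        # summarize ... by SoftwareName groups on the exact (case-preserved) name.
        devices_by_name[row["SoftwareName"]].add(row["DeviceName"])
    result = [(name, len(devices)) for name, devices in devices_by_name.items()]
    # sort by dcount_DeviceName desc; name as a deterministic tie-breaker.
    result.sort(key=lambda pair: (-pair[1], pair[0]))
    return result


def vendor_case_mismatches(rows):
    """Hypothetical sanity check (not in the original query): device names whose
    vendor string equals 'solarwinds' ignoring case but would fail the strict ==
    comparison, so the analyst knows whether the inventory may be undercounting."""
    return sorted(
        {row["DeviceName"] for row in rows
         if row["SoftwareVendor"] != "solarwinds"
         and row["SoftwareVendor"].lower() == "solarwinds"}
    )


if __name__ == "__main__":
    for name, count in orion_inventory(SAMPLE_ROWS):
        print(f"{name}\t{count}")
    print("vendor case mismatches:", vendor_case_mismatches(SAMPLE_ROWS))
```

Running the snippet prints the Orion products with their distinct device counts, then the devices whose vendor string would be missed by the exact comparison; if that second list is non-empty in a real environment, the query's vendor filter is worth reviewing before the counts are relied upon.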

Category

This query can be used to detect the following attack techniques and tactics (see the MITRE ATT&CK framework) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | | |
| Execution | | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Discovery | | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | | |
| Impact | v | Not all instances of SolarWinds Orion may be affected by Solorigate. |
| Vulnerability | | |
| Misconfiguration | | |
| Malware, component | | |

See also

Contributor info

Contributor: Microsoft Threat Protection team