The toolkit can help organizations root out malicious code that could be hiding deep in their network.
Microsoft said it open-sourced the toolkit in an effort to share its findings on the SolarWinds malware attack, which Microsoft calls Solorigate.
“Microsoft believes in leading with transparency and sharing intelligence with the community for the betterment of security practices and posture across the industry as a whole,“ the company states.
The attacks abusing vulnerabilities in SolarWinds products don’t stop making rounds on the Internet. They left over 100 private companies breached, among them Microsoft and FireEye.
The vulnerabilities allowed the attackers to steal credentials, escalate privileges, and steal sensitive information.
Organizations who want to know whether they too fell victims to the SolarWinds attack campaign now can use a free tool that Microsoft used to hunt down the malware in its own code.
The CodeQL queries Microsoft used to analyze its source code are available as GitHub’s Advanced Security toolset and are available publicly now. These queries can find signs of the SolarWinds-type attack in any software.
But the CodeQL queries can find patterns not only those associated with the Solorigate indications of compromise (IoCs), but they offer many other backdoor functionality and detection-evasion techniques, Microsoft writes.
The researchers note, though, there is no guarantee that the bad actors always used the same functionality or coding style in their other attacks, so the open-sourced CodeQL queries may not detect malware in other systems if they deviate significantly from the tactics seen by Microsoft in their Solorigate implant.
The open-sourcing of CodeQL queries is a good example of how sharing techniques that a big tech company like Microsoft has found with the security community and other companies can benefit everyone and promote joint efforts in fighting against sophisticated attacks.
