Using GitHub code scanning and CodeQL to detect traces of Solorigate and other backdoors

Bas van Schaik

Last month, members of the CodeQL security community contributed several CodeQL queries for C# codebases that can help organizations assess whether they are affected by the SolarWinds nation-state attack on various parts of critical network infrastructure around the world. This attack is also referred to as Solorigate (by Microsoft) or SUNBURST (by FireEye). In this blog post, we explain how GitHub Advanced Security customers can use these CodeQL queries to determine whether their build infrastructure has been infected by the malware.




What is build hijacking?

The malware spreads by backdooring build systems in order to inject malicious code into product releases, and in turn compromise the users of a shipped release. In particular, it monitors for invocations of msbuild.exe (Microsoft Build Engine) processes. Granting itself debugging privileges, it injects additional malicious code into the build process. This means that while the codebases themselves do not contain any malicious commits or other traces of the malware, the products that are built from those codebases do contain the malware. The process of "build hijacking" is explained in more detail in this technical analysis from CrowdStrike.


GitHub CodeQL is a semantic code analysis engine that uses queries to analyze source code and find unwanted patterns. For example, CodeQL can track data from an untrusted source (such as an HTTP request) that ends up in a potentially dangerous location (such as string concatenation into a SQL statement, resulting in a SQL injection vulnerability).



If a build server is backdoored with the build hijacking component of the Solorigate malware campaign, the malware will inject additional source code at compilation time. If CodeQL is observing the build process on the infected server, it will extract the injected malicious source code together with the genuine source code. The resulting CodeQL database will therefore contain traces of the malicious Solorigate source code. Note that if your CodeQL database is generated on a machine that is not infected, the database will not contain any injected source code, so the queries will find nothing there even if another build server is compromised.


The CodeQL queries that were contributed by the Microsoft team detect the patterns of malicious C# code injected by the malware. The best way to run these queries is to manually create a CodeQL database on each potentially affected build server, and then analyze that database using the CodeQL extension for Visual Studio Code.

Alternatively, you can generate the CodeQL database and run the queries through a CI/CD pipeline. This can detect build injection on the systems that run your CI/CD jobs (which may also be the systems that build your release artifacts).

Running CodeQL queries using Visual Studio Code

  1. Install the CodeQL extension for VS Code, and follow the Quick start guide to set up the starter workspace.
  2. Generate a CodeQL database by building the C# source code on the potentially infected build server.
  3. Transfer the CodeQL database to your own computer.
    Note: the CodeQL database itself does not contain any (potentially dangerous) compilation artifacts or infected executables. It contains (1) a plaintext copy of the source code that was compiled, and (2) a relational representation of that code.
  4. Load the potentially affected CodeQL database into VS Code.
  5. Navigate to ql/csharp/ql/src/codeql-suites, where you will find the solorigate.qls CodeQL query suite file. Right-click on the file, and select "CodeQL: Run Queries in Selected Files".


Repeat steps 2-5 for every codebase that is potentially affected.


To run the additional CodeQL queries on a C# codebase in GitHub code scanning, create the file .github/codeql/solorigate.qls in the repository you want to analyze:

```yaml
- import: codeql-suites/solorigate.qls
  from: codeql-csharp
```


Then reference that suite file from the Initialize CodeQL step of your code scanning workflow:

```yaml
- name: Initialize CodeQL
  uses: github/codeql-action/init@v1
  with:
    languages: csharp
    queries: ./.github/codeql/solorigate.qls
```


With the above configuration, the additional CodeQL queries will be run alongside the default ones. If CodeQL detects any malware indicators (Solorigate or otherwise) in your source code, it will produce an alert in the GitHub code scanning web interface.



Next steps

If CodeQL flags up suspicious elements in a product or codebase, you should conduct a careful manual code review of the affected area. In particular, we suggest that you compare the code that was seen by CodeQL to the original source code.
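The manual review suggested above can be started mechanically. As noted in the Visual Studio Code procedure, a CodeQL database carries a plaintext copy of every source file the compiler was given; on a hijacked build server that copy contains the injected code, while the repository at the built commit does not. The script below is an added example, not code from the original post or from GitHub or Microsoft: it diffs the database's source archive against the repository contents and reports files that were modified or that only exist in the compiled tree. It assumes the archive is the src.zip at the root of the database directory with entries stored under the absolute build path (the build_root parameter); both assumptions, and the sample C# files, are constructed for this example.

```python
"""Compare the source archive of a CodeQL database with the repository checkout.

A CodeQL database keeps a plaintext copy of every source file the extractor saw
during the build. On a backdoored build server that copy holds the injected
code, while the repository holds what the developers committed; diffing the two
shows exactly what the compiler was fed that the repository does not contain.

Assumptions made for this example: the archive is src.zip at the root of the
database directory, and entries are stored under the absolute path of the build
directory on the server (build_root below). Adjust both for your database.
"""
import difflib
import io
import zipfile
from dataclasses import dataclass, field

# Constructed repository contents: what git has at the commit that was built.
SAMPLE_REPO = {
    "Program.cs": "class Program {\n    static void Main() { }\n}\n",
    "InventoryManager.cs": "class InventoryManager {\n    public void Refresh() {\n    }\n}\n",
    "Unused.cs": "class Unused { }\n",
}


@dataclass
class SourceComparison:
    injected: dict = field(default_factory=dict)   # path -> contents; compiled, but absent from repo
    modified: dict = field(default_factory=dict)   # path -> unified diff, repo -> database
    unchanged: list = field(default_factory=list)
    missing: list = field(default_factory=list)    # repo files the compiler never saw (often just not built)


def compare_sources(src_zip: bytes, repo_files: dict, build_root: str) -> SourceComparison:
    """Diff every file in the database source archive against the repository.

    src_zip    -- raw bytes of the database's src.zip
    repo_files -- repository-relative path -> file contents at the built commit
    build_root -- directory the code was built from on the server
    """
    result = SourceComparison()
    root = build_root.strip("/") + "/"
    seen = set()
    with zipfile.ZipFile(io.BytesIO(src_zip)) as archive:
        for entry in sorted(archive.namelist()):
            if entry.endswith("/"):
                continue  # directory entries carry no source
            name = entry.lstrip("/")
            # Map the absolute build path back to a repository-relative path.
            rel = name[len(root):] if name.startswith(root) else name
            compiled = archive.read(entry).decode("utf-8", errors="replace")
            seen.add(rel)
            if rel not in repo_files:
                result.injected[rel] = compiled
            elif repo_files[rel] == compiled:
                result.unchanged.append(rel)
            else:
                diff = difflib.unified_diff(
                    repo_files[rel].splitlines(keepends=True),
                    compiled.splitlines(keepends=True),
                    fromfile=f"repo/{rel}",
                    tofile=f"codeql-db/{rel}",
                )
                result.modified[rel] = "".join(diff)
    result.missing = sorted(set(repo_files) - seen)
    return result


def build_sample_database_archive() -> bytes:
    """Constructed src.zip standing in for a database built on a backdoored server."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("build/orion/Program.cs", SAMPLE_REPO["Program.cs"])
        # The same file the repo has, plus a method the developers never wrote.
        archive.writestr(
            "build/orion/InventoryManager.cs",
            SAMPLE_REPO["InventoryManager.cs"].replace(
                "    }\n}\n",
                "    }\n\n    static void Beacon() { /* injected at build time */ }\n}\n",
            ),
        )
        # A file that exists only in the tree the compiler saw.
        archive.writestr("build/orion/Generated/Helper.cs", "class Helper { }\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = compare_sources(build_sample_database_archive(), SAMPLE_REPO, "/build/orion")
    print("injected :", sorted(report.injected))
    print("modified :", sorted(report.modified))
    print("missing  :", report.missing)
    for diff in report.modified.values():
        print(diff)
```

Run it against a real database by reading the bytes of src.zip and feeding it the checkout of the exact commit the server built; anything in `injected` or `modified` is code the compiler saw that the repository cannot account for, and should be reviewed by hand. Files in `missing` are usually just excluded from that build configuration rather than evidence of tampering.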

The queries contributed by Microsoft's Solorigate response team serve as a heuristic for detecting backdoors like the one involved in the Solorigate attack. A negative result does not rule out that a system or network is compromised. Analyzing codebases using CodeQL should be considered just one part of a mosaic of techniques to audit for compromise. For more information on the attack and advice on other auditing techniques, please refer to the Microsoft Solorigate Resource Center.



If you want to learn more about the technical background of the Solorigate queries, please refer to this post on the Microsoft blog.