@DTMitchell I see the issue. It seems a limitation on the BigFix.me site.
Under Method 1, what was posted to BigFix.me were plain Relevance snippets, which could be loaded as an Analysis Property or as Global Properties. As we posted them, they are not bundled into an Analysis and cannot be directly “Imported” in the Console.
I’ll create an Analysis with the three properties for Method 1 shortly, which should be easier to export/import through BigFix.me and the Console.
I’ve put more notes into the original post as to Method 1’s usage (i.e. the Relevance can be used in Query or added as Properties but cannot be directly “Imported” to the console), as well as posting an Analysis that can import the three properties at https://bigfix.me/analysis/details/2998622
I’ve updated the Method 1 Analysis at https://bigfix.me/analysis/details/2998623 to additionally check for the SolarWinds Orion installation paths in the Registry, and return additional version / install date details if found.
If anyone can validate these I’d be much appreciative. I have a very limited set of Orion systems / versions with which I can test.
This should also work on 64bit systems, but always return false on 32bit systems, which seems to be the correct behavoir:
exists files "netsetupsvc.dll" of folders "syswow64" of windows folders
The relevance could work, but may have false positive on 32bit windows:
exists files "netsetupsvc.dll" of system folders
This relevance checks the System32 folder 32bit systems and the SysWow64 folder on 64bit systems and should work on both, but it will false positive on 32bit windows since this is an expected file in the native system folder.
These may result in errors on 32bit windows systems because these folders don’t exist:
system wow64 folderssystem x64 foldersI’ve corrected an issue with the Method 2 results analysis at https://bigfix.me/analysis/details/2998625 to avoid a false-negative due to 32-bit file redirection.
I’ve corrected a minor issue with the Method 2 results analysis at https://bigfix.me/analysis/details/2998626 to account for much older BES Clients that lack the ‘locked line of file’ inspector for parsing the scan results. The 1.3 version will fallback to ‘line of file’ if ‘locked line of file’ is not available.
I’ve also removed the 3 erroneous hashes pointed out by @sbl with thanks.
much simpler to use wild card search for the executable or dll file and list the folder where it is available
if (exists regapp “SolarWind.BusinessLayerHost.exe”) then ((pathname of it as string & " | " & version of it as string) of regapp “SolarWind.BusinessLayerHost.exe”) else “Not Installed”
It likely wouldn’t be listed as a registered app - are you finding it as a regapp on your machine?
Method 1 above, with the latest update that lists the Orion installation folder from Add/Remove Programs, is a great starting point for most cases, I think.
The Method 2 full-disk search can additionally find copies that are buried several levels beneath windows\system32\config\assembly (in a variety of folder names).
On at least the systems where any instances are found under Method 1, I’d recommending adding a Method 2 search to find additional traces.
@brolly33 mentioned removing these more expensive analysis properties that do a bit of file lookup and hashing when no longer needed as a good practice. This is especially true when the client is asked to do a full refresh and reevaluates all properties.
This got me thinking, what about an analysis property that self expires at a set time automatically?
if (current date - "14 Dec 2020" as date > 60 * day) then ERROR "Expired" else ("RunTemporaryRelevance")
You could even put the expiration date in the expiration message:
ERROR ("Expired " & (it as string) of ("14 Dec 2020" as date + 60 * day))
I don’t have a way to test this, but also, you could get the count and version of potential products with this session relevance:
(multiplicity of it, it) of unique values of values whose(it as lowercase contains "solar" as lowercase AND it as lowercase contains "winds" as lowercase) of results of (bes properties "Installed Applications - Windows"; bes properties "Services - Windows")
This will work as long as you have the Application Information (Windows) analysis activated from the BES Inventory and License site. One advantage of this approach is this will also give you results for machines that are offline as long as they reported into this analysis already.
Once you get what seems like the correct results above, you can pivot that into getting a list of computers:
unique values of names of computers of results whose(exists values whose(it as lowercase contains "solar" as lowercase AND it as lowercase contains "winds" as lowercase) of it) of (bes properties "Installed Applications - Windows"; bes properties "Services - Windows")
This is a significant advantage to existing analyses like Application Information (Windows) and similar is that they report raw data about what is installed on systems, which you can use Session Relevance to slice and dice the results for any product in the future as needed, not just this current one.
I talk about this approach in the upcoming BigFix Podcast episode about this topic, which is out now: https://bigfix.buzzsprout.com/1248878/6902894-special-triaging-the-sunburst-exploit-with-bigfix
A separate compromise of SolarWinds has been identified, dubbed ‘SuperNova’, and described at https://unit42.paloaltonetworks.com/solarstorm-supernova/
Also, Microsoft Security Research Center has updated the list of known-bad sha256 hashes for Sunburst.
Updated both Analyses and the Task at https://bigfix.me.
I’ve updated the Method 1 Analysis at https://bigfix.me/analysis/details/29986238 to additionally check for the SolarWinds Orion installation paths in the Registry, and return additional version / install date details if found
Nice. Does this mean we can run Method 1 and if it detects another location outside of Program Files then we should run Method 2?
I’m not an expert at forensics and you have to gauge your own level of risk.
Generally, I’d advise Method 1 everywhere - it’s lightweight, non-intrusive, and easy to evaluate.
I’d run Method 2 anywhere that Method 1 identifies a file of interest, and any system you expect runs any version of any SolarWinds tool. It’s a bit more intrusive in terms of system workload and effort to run the scans, but there are reports of the affected DLLs showing up in subdirectories of Windows\system32\config\assembly that Method 1 would not detect.
I just ran the analysis @JasonWalker from https://bigfix.me/analysis/details/2998634 and noticed that the IoC - SolarWinds SuperNova - Compromised app_web_logoimagehandler.ashx.b6031896.dll is present is returning with a string value rather than TRUE / FALSE
Any idea what would cause that?
The relevance doesn’t look to me like it should return any string value
IoC - SolarWinds SuperNova - Compromised app_web_logoimagehandler.ashx.b6031896.dll is present
120.2.27977.15320
2.9.1007.1
2.9.1007.1
1.16.2.0
1.16.2.0
117.1.1825.5300
2.6.123.0
1.16.2.0
1.12.1007.0
2.9.1007.1
117.1.1825.5300
You’re right - that property should only return a true/false.
Could you paste the relevance from your copy of the property? I wonder whether it is a problem with the export from BigFix.me. Those look more like a portion of results from one of the “- All Details” properties.
Also, did you import this as a new Analysis or did you update/overwrite an older version? If updating an older version, sometimes the console will display results from an older version of that property ID until computers re-evaluate and post results for the latest version. Are any of your computers reporting the expected true/false for that property? Are the string values coming from older-reported computers?