{
	"id": "0a0134a6-b879-42bd-9577-e92f2ac6fce1",
	"created_at": "2026-04-06T00:06:33.797999Z",
	"updated_at": "2026-04-10T03:37:32.557767Z",
	"deleted_at": null,
	"sha1_hash": "dc18a9434e9c63eeca6b4edade5e57e167aa8bde",
	"title": "Microsoft open sources CodeQL queries used to hunt for Solorigate activity | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 558020,
	"plain_text": "Microsoft open sources CodeQL queries used to hunt for Solorigate activity | Microsoft Security Blog\r\nBy Microsoft Security Team\r\nPublished: 2021-02-25 · Archived: 2026-04-05 17:47:34 UTC\r\nUPDATE: Microsoft continues to work with partners and customers to expand our knowledge of the\r\nthreat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and\r\nimpacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary\r\ndesignation for the actor, but moving forward, we want to place appropriate focus on the actors behind\r\nthe sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft\r\nThreat Intelligence Center (MSTIC) has named the actor behind the attack against SolarWinds, the\r\nSUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release\r\nnew content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.\r\nA key aspect of the Solorigate attack is the supply chain compromise that allowed the attacker to modify binaries\r\nin SolarWinds’ Orion product. These modified binaries were distributed via previously legitimate update channels\r\nand allowed the attacker to remotely perform malicious activities, such as credential theft, privilege escalation,\r\nand lateral movement, to steal sensitive information. The incident has reminded organizations to reflect not just on\r\ntheir readiness to respond to sophisticated attacks, but also the resilience of their own codebases.\r\nMicrosoft believes in leading with transparency and sharing intelligence with the community for the betterment of\r\nsecurity practices and posture across the industry as a whole. 
In this blog, we’ll share our journey in reviewing our\r\ncodebases, highlighting one specific technique: the use of CodeQL queries to analyze our source code at scale and\r\nrule out the presence of the code-level indicators of compromise (IoCs) and coding patterns associated with\r\nSolorigate. We are open sourcing the CodeQL queries that we used in this investigation so that other organizations\r\nmay perform a similar analysis. Note that the queries we cover in this blog simply serve to home in on source\r\ncode that shares similarities with the source in the Solorigate implant, either in the syntactic elements (names,\r\nliterals, etc.) or in functionality. Both can occur coincidentally in benign code, so all findings will need review to\r\ndetermine if they are actionable. Additionally, there is no guarantee that the malicious actor is constrained to the\r\nsame functionality or coding style in other operations, so these queries may not detect other implants that deviate\r\nsignificantly from the tactics seen in the Solorigate implant. These should be considered as just a part in a mosaic\r\nof techniques to audit for compromise.\r\nMicrosoft has long had integrity controls in place to verify that the final compiled binaries distributed to our\r\nservers and to our customers have not been maliciously modified at any point in the development and release\r\ncycle. For example, we verify that the source file hashes generated by the compiler match the original source files.\r\nStill, at Microsoft, we live by the “assume breach” philosophy, which tells us that regardless of how diligent and\r\nexpansive our security practices are, potential adversaries can be equally as clever and resourced. 
As part of the\r\nSolorigate investigation, we used both automated and manual techniques to validate the integrity of our source\r\ncode, build environments, and production binaries and environments.\r\nhttps://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/\r\nPage 1 of 4\n\nMicrosoft’s contribution during Solorigate investigations reflects our commitment to a community-based sharing\r\nvision described in Githubification of InfoSec. In keeping with our vision to grow defender knowledge and speed\r\ncommunity response to sophisticated threats, Microsoft teams have openly and transparently shared indicators of\r\ncompromise, detailed attack analysis and MITRE ATT\u0026CK techniques, advanced hunting queries, incident\r\nresponse guidance, and risk assessment workbooks during this incident. Microsoft encourages other security\r\norganizations that share the “Githubification” vision to open source their own threat knowledge and defender\r\ntechniques to accelerate defender insight and analysis. As we have shared before, we have compiled a\r\ncomprehensive resource for technical details of the attack, indicators of compromise, and product guidance at\r\nhttps://aka.ms/solorigate. As part of Microsoft’s sweeping investigation into Solorigate, we reviewed our own\r\nenvironment. As we previously shared, these investigations found activity with a small number of internal\r\naccounts, and some accounts had been used to view source code, but we found no evidence of any modification to\r\nsource code, build infrastructure, compiled binaries, or production environments.\r\nA primer on CodeQL and how Microsoft utilizes it\r\nCodeQL is a powerful semantic code analysis engine that is now part of GitHub. Unlike many analysis solutions,\r\nit works in two distinct stages. First, as part of the compilation of source code into binaries, CodeQL builds a\r\ndatabase that captures the model of the compiling code. 
For interpreted languages, it parses the source and builds\r\nits own abstract syntax tree model, as there is no compiler. Second, once constructed, this database can be queried\r\nrepeatedly like any other database. The CodeQL language is purpose-built to enable the easy selection of complex\r\ncode conditions from the database.\r\nOne of the reasons we find so much utility from CodeQL at Microsoft is specifically because this two-stage\r\napproach unlocks many useful scenarios, including being able to use static analysis not just for proactive Secure\r\nDevelopment Lifecycle analysis but also for reactive code inspection across the enterprise. We aggregate the\r\nCodeQL databases produced by the various build systems or pipelines across Microsoft to a centralized\r\ninfrastructure where we have the capability to query across the breadth of CodeQL databases at once. Aggregating\r\nCodeQL databases allows us to search semantically across our multitude of codebases and look for code\r\nconditions that may span between multiple assemblies, libraries, or modules based on the specific code that was\r\npart of a build. We built this capability to analyze thousands of repositories for newly described variants of\r\nvulnerabilities within hours of the variant being described, but it also allowed us to do a first-pass investigation for\r\nSolorigate implant patterns just as quickly.\r\nWe are open sourcing several of the C# queries that assess for these code-level IoCs, and they can currently be\r\nfound in the CodeQL GitHub repository. The Solorigate-Readme.md within that repo contains detailed\r\ndescriptions of each query and what code-level IoCs each one is attempting to find. 
It also contains guidance for\r\nother query authors on making adjustments to those queries or authoring queries that take a different tactic in\r\nfinding the patterns.\r\nGitHub will shortly publish guidance on how they are deploying these queries for existing CodeQL customers. As\r\na reminder, CodeQL is free for open-source projects hosted by GitHub.\r\nOur approach to finding code-level IoCs with CodeQL queries\r\nWe used two different tactics when looking for code-level Solorigate IoCs. One approach looks for particular\r\nsyntax that stood out in the Solorigate code-level IoCs; the other approach looks for overall semantic patterns for\r\nthe techniques present in the code-level IoCs.\r\nThe syntactic queries are very quick to write and execute while offering several advantages over comparable\r\nregular expression searches; however, they break as soon as the malicious actor changes the names and literals they\r\nuse. The semantic patterns look for the overall techniques used in the implant, such as hashing process names,\r\ntime delays before contacting the C2 servers, etc. These are robust to substantial variation, but they are more\r\ncomplicated to author and more compute-intensive when analyzing many codebases at once.\r\nBy combining these two approaches, the queries are able to detect scenarios where the malicious actor changed\r\ntechniques but used similar syntax, or changed syntax but employed similar techniques. 
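As an added example, not one of the published Solorigate queries and not code from the CodeQL repository, the following C# CodeQL query puts both tactics in one file so the trade-off above can be seen directly. The type names in the syntactic list are placeholders (the real names and literals are documented in Solorigate-Readme.md). The semantic half rests on assumptions of mine rather than on this post: that a string hash looks like a loop that XORs and multiplies the same accumulator (FNV style), that the hashed process name is then compared with an integer constant or switched on, and that the delay pattern is a Thread.Sleep with a non-literal duration followed on some control-flow path by a call on a System.Net type. The example/ query id is likewise made up for this illustration.

```ql
/**
 * @name Solorigate-style code-level IoC hunt (syntactic + semantic)
 * @description Added example: a brittle syntactic check (known type names) next to
 *              two semantic checks (process names run through a custom hash loop and
 *              compared with constants; a non-constant sleep before network I/O).
 * @kind problem
 * @problem.severity warning
 * @id example/solorigate-style-ioc-hunt
 * @tags security
 */

import csharp
import semmle.code.csharp.dataflow.DataFlow

/*
 * Tactic 1: syntactic. The names below are placeholders (assumption); the real
 * names and literals live in Solorigate-Readme.md. Cheap and precise, but evaded
 * by a simple rename.
 */
string suspiciousTypeName() { result = [\"ExampleImprovementLayer\", \"ExampleHostedSvc\"] }

predicate syntacticHit(Element e, string reason) {
  exists(Class c | c = e and c.getName() = suspiciousTypeName() |
    reason = \"Type name matches a syntactic IoC: \" + c.getName()
  )
}

/*
 * Tactic 2a: semantic. A method whose body contains a loop that both XORs and
 * multiplies the same variable, the shape of an FNV-style string hash (assumption).
 * Broaden with XorExpr/MulExpr if the target writes h = (h ^ c) * p instead.
 */
class HashLoopMethod extends Method {
  HashLoopMethod() {
    exists(LoopStmt loop, AssignXorExpr x, AssignMulExpr m, Variable acc |
      loop.getEnclosingCallable() = this and
      x.getParent+() = loop and
      m.getParent+() = loop and
      x.getLValue().(VariableAccess).getTarget() = acc and
      m.getLValue().(VariableAccess).getTarget() = acc
    )
  }
}

/** A read of System.Diagnostics.Process.ProcessName. */
class ProcessNameRead extends PropertyAccess {
  ProcessNameRead() {
    this.getTarget().hasName(\"ProcessName\") and
    this.getTarget().getDeclaringType().hasQualifiedName(\"System.Diagnostics\", \"Process\")
  }
}

/** Holds if `e` is tested against an integer literal or is the subject of a switch. */
predicate comparedToConstant(Expr e) {
  exists(EqualityOperation eq |
    eq.getAnOperand() = e and eq.getAnOperand() instanceof IntegerLiteral
  )
  or
  exists(SwitchStmt s | s.getExpr() = e)
}

predicate semanticHashHit(Element e, string reason) {
  exists(MethodCall hash, ProcessNameRead pn, Expr cmp |
    hash = e and
    hash.getTarget() instanceof HashLoopMethod and
    // the process name reaches the hash call, and the hash result reaches a comparison
    DataFlow::localExprFlow(pn, hash.getAnArgument()) and
    DataFlow::localExprFlow(hash, cmp) and
    comparedToConstant(cmp) and
    reason = \"Process name hashed by \" + hash.getTarget().getName() + \" and compared with a constant\"
  )
}

/*
 * Tactic 2b: semantic. Thread.Sleep with a non-literal duration that is followed,
 * on some control-flow path of the same method, by a call on a System.Net type.
 */
predicate delayedNetworkHit(Element e, string reason) {
  exists(MethodCall sleep, MethodCall net |
    sleep = e and
    sleep.getTarget().hasName(\"Sleep\") and
    sleep.getTarget().getDeclaringType().hasQualifiedName(\"System.Threading\", \"Thread\") and
    not sleep.getAnArgument() instanceof Literal and
    net.getTarget().getDeclaringType().getQualifiedName().matches(\"System.Net.%\") and
    sleep.getAControlFlowNode().getASuccessor+() = net.getAControlFlowNode() and
    reason = \"Non-constant sleep before network call \" + net.getTarget().getName()
  )
}

from Element e, string reason
where syntacticHit(e, reason) or semanticHashHit(e, reason) or delayedNetworkHit(e, reason)
select e, reason
```

To run it, place the file in a query pack whose qlpack.yml depends on codeql/csharp-all, build a database with codeql database create and --language=csharp, then run codeql database analyze against that database. Every result still needs the manual review the post calls for: a benign hashing helper, a retry loop with jittered back-off, or a legitimately named class will all match, and an implant that hashes with a different arithmetic shape or delays through a timer instead of Thread.Sleep will not.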
Because it’s possible that\r\nthe malicious actor could change both syntax and techniques, CodeQL was but one part of our larger investigative\r\neffort.\r\nNext steps with CodeQL\r\nThe queries we shared in this blog and described in Solorigate-Readme.md target patterns specifically associated\r\nwith the Solorigate code-level IoCs, but CodeQL also provides many other options to query for backdoor\r\nfunctionality and detection-evasion techniques.\r\nThese queries were relatively quick to author, and we were able to hunt for patterns much more accurately across\r\nour CodeQL databases and with far less effort to manually review the findings, compared to using text searches of\r\nsource code. CodeQL is a powerful developer tool, and our hope is that this post inspires organizations to explore\r\nhow it can be used to improve reactive security response and act as a compromise detection tool.\r\nIn future blog posts, we’ll share more ways that Microsoft uses CodeQL. We’ll also continue open-sourcing\r\nqueries and utilities that build upon CodeQL so that others may benefit from them and further build upon them.\r\nSource: https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/"
	],
	"report_names": [
		"microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc18a9434e9c63eeca6b4edade5e57e167aa8bde.pdf",
		"text": "https://archive.orkl.eu/dc18a9434e9c63eeca6b4edade5e57e167aa8bde.txt",
		"img": "https://archive.orkl.eu/dc18a9434e9c63eeca6b4edade5e57e167aa8bde.jpg"
	}
}