A slightly easier way to find the hash values of SolarWinds.Orion.Core.BusinessLayer.dll

The security advisory and FAQs show a way to get a hash value for the SolarWinds.Orion.Core.BusinessLayer.dll file that was hacked:

Get-FileHash "C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"

However, this file is in more than one location, depending on what is installed on your system (I found it in 6 locations). An easy way to find and check these is to modify their PowerShell command. I used:

Get-ChildItem -path c:\ -include solarwinds.orion.core.businesslayer.dll -recurse -ErrorAction SilentlyContinue

and

Get-ChildItem -path c:\ -include solarwinds.orion.core.businesslayer.dll -recurse -ErrorAction SilentlyContinue | Get-FileHash

The first command is needed because the second one (that generates the hash) truncates the displayed path.

 

  • FormerMember

    Append your command with

    | Out-GridView

    and you can then expand those columns if needed on the GUI output.

  • Ha, I've done basically the same thing, but baked in the publicly published bad hashes. This way you just run it and it tells you if you've got the bad files. Source code available to copy/paste on my website https://lanczak.com

    Note: I left the scope wide (all of the C:\ volume) in case someone chose a non-default installation path. If your installation path is on a separate drive you'd obviously have to adjust that a bit.

    # Purpose: This snippet of PowerShell is designed to identify if the version of SolarWinds you're running is affected by the recent SolarWinds hack.
    #
    # How it works: Simple ForEach loop that looks for known infected files via SHA256 file hash related to the SolarWinds hack.
    #
    # References:
    #        https://www.solarwinds.com/securityadvisory/faq
    #        https://us-cert.cisa.gov/ncas/alerts/aa20-352a
    #
    # Hashes publicly known to contain the malware:
    #     -a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
    #     -9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690
    #     -bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d
    #     -ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad
    #     -9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee
    #     -dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
    #     -32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
    #     -019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
    #     -ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
    #     -8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a
    #     -143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a
    #     -cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f
    #
    #
    # Author: Brandon Lanczak
    # Contact: Brandon@Lanczak.com
    #
    # Notes:
    #     -If your SolarWinds Orion installation is in a drive other than C:\ make sure you adjust the foreach statement accordingly.
    #     -Run as an administrator to ensure it can access all files.
    #
    # Revision: v1.2 | 12-21-2020 @ 12:51 CST
    #
    # Execution:
    # The known-bad hashes must stay a string array ([String[]]). Casting them to a single
    # [String] joins them into one space-separated value, and no file hash can ever equal that.
    [String[]] $HashToFind = @(
        'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc',
        '9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690',
        'bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d',
        'ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad',
        '9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee',
        'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
        '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
        '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
        'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
        '8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a',
        '143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a',
        'cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f'
    )

    # -ErrorAction SilentlyContinue skips folders the account cannot read instead of flooding the console with errors.
    Foreach ($file in Get-ChildItem C:\ -File -Recurse -ErrorAction SilentlyContinue)
    {
        # Hash each file once and keep the value so it can be reported on a match.
        $Hash = (Get-FileHash $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -contains tests the single hash against every entry of the array (a string -eq an array never matches).
        If ($HashToFind -contains $Hash)
        {
            Write-Host "Infected file found: $($file.FullName) with hash $Hash"
        }
    }

    pause

    Updated: 12-21-2020 @ 12:48 CST with accurate hashes referenced from https://us-cert.cisa.gov/ncas/alerts/aa20-352a

  • Nice, but maybe tweak the list of hashes a bit?  It looks like published hashes for both good and bad versions are in the list, unless you have newer information about the 'good' version being a problem.  

  • Good catch. I think I got them all accurate now, I hope. Referenced https://us-cert.cisa.gov/ncas/alerts/aa20-352a as my source. If there are different hashes I can certainly get them added.


    # Purpose: This snippet of PowerShell is designed to identify if the version of SolarWinds you're running is affected by the recent SolarWinds hack.
    #
    # How it works: Simple ForEach loop that looks for known infected files via SHA256 file hash related to the SolarWinds hack.
    #
    # References:
    #        https://www.solarwinds.com/securityadvisory/faq
    #        https://us-cert.cisa.gov/ncas/alerts/aa20-352a
    #
    # Hashes publicly known to contain the malware:
    #     -a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
    #     -9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690
    #     -bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d
    #     -ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad
    #     -9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee
    #     -dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
    #     -32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
    #     -019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
    #     -ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
    #     -8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a
    #     -143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a
    #     -cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f
    #
    #
    # Author: Brandon Lanczak
    # Contact: Brandon@Lanczak.com
    #
    # Notes:
    #     -If your SolarWinds Orion installation is in a drive other than C:\ make sure you adjust the foreach statement accordingly.
    #     -Run as an administrator to ensure it can access all files.
    #
    # Revision: v1.2 | 12-21-2020 @ 12:51 CST
    #
    # Execution:
    # The known-bad hashes must stay a string array ([String[]]). Casting them to a single
    # [String] joins them into one space-separated value, and no file hash can ever equal that.
    [String[]] $HashToFind = @(
        'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc',
        '9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690',
        'bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d',
        'ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad',
        '9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee',
        'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
        '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
        '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
        'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
        '8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a',
        '143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a',
        'cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f'
    )

    # -ErrorAction SilentlyContinue skips folders the account cannot read instead of flooding the console with errors.
    Foreach ($file in Get-ChildItem C:\ -File -Recurse -ErrorAction SilentlyContinue)
    {
        # Hash each file once and keep the value so it can be reported on a match.
        $Hash = (Get-FileHash $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -contains tests the single hash against every entry of the array (a string -eq an array never matches).
        If ($HashToFind -contains $Hash)
        {
            Write-Host "Infected file found: $($file.FullName) with hash $Hash"
        }
    }

    pause
  • I ran this script and it didn't find anything; however, I know for a fact that I have one of the hashes, because if I run

    Get-FileHash "C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"

    I get one of the hashes located in the [String] portion of the script.

    If I change the following line to have the actual hash instead of the $HashToFind variable,

    If ((Get-FileHash $file.Fullname -Algorithm SHA256).hash -eq $HashToFind)

    it finds two locations. Am I doing something wrong?
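Pulling the thread's pieces together (the original post's search for every copy of the DLL, the full-path output problem, and the array-versus-string comparison that makes a script find nothing), here is an added example that is not code from any of the posters: it hashes every copy of SolarWinds.Orion.Core.BusinessLayer.dll on every file-system drive and labels each one against the known-bad list reposted above from the CISA alert. Scanning all drives instead of only C:\ is an assumption about where Orion may be installed.

```powershell
# Added example (not from any poster): report every copy of the Orion business-layer DLL,
# its SHA256, and whether that hash is in the known-bad list. $KnownBad is copied from the
# script posted above in this thread (source: https://us-cert.cisa.gov/ncas/alerts/aa20-352a).
[String[]] $KnownBad = @(
    'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc',
    '9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690',
    'bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d',
    'ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad',
    '9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee',
    'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
    '8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a',
    '143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a',
    'cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f'
)

# Assumption: Orion may live on any drive letter, so walk every file-system drive root (C:\, D:\, ...).
$roots = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } |
         ForEach-Object { $_.Root }

$report = foreach ($root in $roots) {
    # Filtering on the file name is far cheaper than hashing every file on the volume.
    Get-ChildItem -Path $root -Filter 'SolarWinds.Orion.Core.BusinessLayer.dll' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        # -contains compares the one string against each array element; a [String] -eq an array never matches.
        $status = if (-not $hash) { 'UNREADABLE' }
                  elseif ($KnownBad -contains $hash) { 'KNOWN-BAD' }
                  else { 'not in known-bad list' }
        [PSCustomObject]@{
            Path     = $_.FullName                      # full path, never truncated
            SHA256   = $hash
            Version  = $_.VersionInfo.ProductVersion
            Modified = $_.LastWriteTimeUtc
            Status   = $status
        }
    }
}

# Format-List prints each property on its own line, so long paths are not cut off as in the default table view.
$report | Format-List
if ($report | Where-Object Status -eq 'KNOWN-BAD') {
    Write-Warning 'A known-bad Orion DLL is present: isolate the host and follow the security advisory.'
}
```

Piping `$report` to `Out-GridView` instead of `Format-List` gives the sortable, resizable view suggested earlier in the thread.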