The security advisory and FAQs show a way to get a hash value for the SolarWinds.Orion.Core.BusinessLayer.dll file that was hacked,
Get-FileHash "C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"
However, this file is in more than one location, depending on what is installed on your system (I found it in 6 locations). An easy way to find and check these is to modify their PowerShell command. I used:
Get-ChildItem -path c:\ -include solarwinds.orion.core.businesslayer.dll -recurse -ErrorAction SilentlyContinue
and
Get-ChildItem -path c:\ -include solarwinds.orion.core.businesslayer.dll -recurse -ErrorAction SilentlyContinue | Get-FileHash
The first command is needed because the second one (the one that generates the hash) truncates the displayed path.
Append your command with
| Out-GridView
and you can then expand those columns if needed on the GUI output.
Ha, I've done basically the same thing but baked in the publicly published bad hashes. This way you just run it and it tells you if you've got the bad files. Source code is available to copy/paste on my website https://lanczak.com
Note: I left the scope wide (all of C:\ volume) in case someone chose a non-default installation path. If your installation path is on a separate drive you'd obviously have to adjust that a bit.
# Purpose: This snippet of PowerShell is designed to identify if the version of SolarWinds you're running is affected by the recent SolarWinds hack.
#
# How it works: Simple ForEach loop that looks for known infected files via SHA256 file hash related to the SolarWinds hack.
#
# References:
# https://www.solarwinds.com/securityadvisory/faq
# https://us-cert.cisa.gov/ncas/alerts/aa20-352a
#
# Hashes publicly known to contain the malware:
# -a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc
# -9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690
# -bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d
# -ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad
# -9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee
# -dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b
# -32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77
# -019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134
# -ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6
# -8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a
# -143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a
# -cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f
#
#
# Author: Brandon Lanczak
# Contact: Brandon@Lanczak.com
#
# Notes:
# -If your SolarWinds Orion installation is on a drive other than C:\ make sure you adjust the foreach statement accordingly.
# -Run as an administrator to ensure it can access all files.
#
# Revision: v1.2 | 12-21-2020 @ 12:51 CST
#
# Execution:
[String] $HashToFind = 'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc',
'9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690',
'bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d',
'ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad',
'9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee',
'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
'32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
'019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
'8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a',
'143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a',
'cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f'
Foreach ($file in Get-ChildItem C:\ -file -Recurse)
{
If ((Get-FileHash $file.Fullname -Algorithm SHA256).hash -eq $HashToFind)
{
Write-Host "Infected file found: $($File.Fullname) with hash $Hash"
}
}
pause
Updated: 12-21-2020 @ 12:48 CST with accurate hashes referenced from https://us-cert.cisa.gov/ncas/alerts/aa20-352a
Nice, but maybe tweak the list of hashes a bit? It looks like published hashes for both good and bad versions are in the list, unless you have newer information about the 'good' version being a problem.
Good catch. I think I got them all accurate now, I hope. Referenced https://us-cert.cisa.gov/ncas/alerts/aa20-352a as my source. If there are different hashes I can certainly get them added.
I ran this script and it didn't find anything, however, I know for a fact that I have one of the hashes because if I run
Get-FileHash "C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll"
I get one of the hashes located in the [String] portion of the script.
If I change the following line to have the actual hash instead of the $HashToFind variable:
If ((Get-FileHash $file.Fullname -Algorithm SHA256).hash -eq $HashToFind)
It finds two locations. Am I doing something wrong?
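The behaviour described in that reply is what the posted script does as written: `[String] $HashToFind = 'a...', '9b...', ...` casts the whole list to one space-joined string, so `-eq` against a single SHA256 value is never true, and `$Hash` in the `Write-Host` line is never assigned. The following is an added example (editor's code, not the script from the thread or anything published by its author) that fixes both points with a typed `[String[]]` array and the `-in` operator (PowerShell 3.0 or later; `Get-FileHash` itself needs 4.0 or later), and also does what the first post and the accepted answer were after: it lists every copy of the DLL with its hash and an untruncated path. The search root, the variable names and the helper function are my choices; the hash list is copied from the post above.

```powershell
# Added example, not the script from the thread. Corrected hash check for
# the SolarWinds.Orion.Core.BusinessLayer.dll / CISA AA20-352a hashes.
# Assumptions: search root C:\ (as in the original post); names are mine.

# A typed array, not [String]: [String] would join the list into one string.
[String[]] $BadHashes = @(
    'a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc',
    '9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690',
    'bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d',
    'ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad',
    '9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee',
    'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
    '32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
    '019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
    'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
    '8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a',
    '143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a',
    'cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f'
)

$SearchRoot = 'C:\'   # assumption: adjust if Orion is installed on another volume
$DllName    = 'SolarWinds.Orion.Core.BusinessLayer.dll'

# Hash one file; returns $null for files that cannot be read (locked, no access).
function Get-Sha256 {
    param([string]$Path)
    $h = Get-FileHash -Path $Path -Algorithm SHA256 -ErrorAction SilentlyContinue
    if ($h) { $h.Hash } else { $null }
}

# Part 1: every copy of the DLL, with its hash and full path. Get-FileHash's
# default table output truncates the path, so build objects and print them
# with Format-List (Out-GridView, as in the accepted answer, also works
# interactively).
$Copies = Get-ChildItem -Path $SearchRoot -Filter $DllName -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = Get-Sha256 $_.FullName
        [PSCustomObject]@{
            Path     = $_.FullName
            Hash     = $hash
            KnownBad = [bool]($hash -and ($hash -in $BadHashes))
        }
    }
Write-Host "Copies of $DllName found under ${SearchRoot}: $(@($Copies).Count)"
$Copies | Format-List Path, Hash, KnownBad

# Part 2: the whole-volume sweep from the post, with the comparison fixed.
# Kept as a full sweep because the thread does not say which file name each
# listed hash belongs to; expect it to be slow on a large volume.
$Hits = Get-ChildItem -Path $SearchRoot -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hash = Get-Sha256 $_.FullName
        if ($hash -and ($hash -in $BadHashes)) {
            [PSCustomObject]@{ Path = $_.FullName; Hash = $hash }
        }
    }

if (@($Hits).Count -gt 0) {
    Write-Warning "Known-bad hash matched on $(@($Hits).Count) file(s):"
    $Hits | Format-List Path, Hash
} else {
    Write-Host "No file under $SearchRoot matched a known-bad hash."
}
```

Run it from an elevated PowerShell session, as the original notes say, so that every location is readable; a copy the script could not hash shows up in Part 1 with an empty Hash, which is itself worth following up rather than treating as clean.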
Slick addition, thanks!