We have been monitoring all the events going on in the last few days and staying up to date with the news surrounding the breach of SolarWinds. Thanks to the hard work they do at FireEye, they have created the Yara rules to detect the IoC (indications of compromise), that can show if an organization has had the exploits used to create a backdoor to their environment.
We, at Stetson Cybergroup, quickly began making a tool to thoroughly test our environment and the clients we support. We created a script that can download the Yara rules created by FireEye and test a computer to see if the back door was created. We feel its our duty to share this tool with the community. You can find the link down below to download and configure this tool for your needs.
What the tool does
This tool downloads yara64.exe (the scanning engine that uses Yara Rules) from the Virus Total GitHub account and the Yara rules that FireEye made, from our GitHub account. (We will add any IoC’s that we come across, so stay tuned for updates!). It then runs the Yara rules across the 4 main locations that the IoC’s can be found. Once the scan is done, it checks to see if there were any hits. It then sends an email with any potential hits to an email address you specify. The email contains the attachment telling you what files have been reported as warnings for a possible backdoor. The email is sent using variables from the computer it came from. So, if you are an MSP that has many clients, this will send it out with the computer name and domain as the email address. The goal is to have this run on many computers and report back to the IT Department or MSP Teams. A single bat script that can be run on many machines remotely and report back.
What the tool needs from you
You will need to set a few options for your organization. You need to tell it how to send out the email and who to send it to. Below is a snippet you will find in the bat file and the changes that are needed. To edit the script, right click the bat file once you download it and click edit. Once you make the changes, you can save (and rename it as needed). Then you just need to run it as admin on any computer you would like to test for the exploit.
This script does save credentials inside of it for a mail server. It is recommended to use a free smarthost to send out your email. Most ISP (internet service provider) have free ones you canuse. If you can’t easily clean up the script after its run on a computer, or if you’re concerned over this, there is a local only script that does not mail anything. You just need to run it as admin, and it will give you the results (if there are any) in the c:\temp\ folder.
There you go! After you’re done configuring those settings save this as a .bat file and you can run it (as admin) on any computer you want to test for the exploits.
What this script cannot do
Unfortunately, this script is meant for Windows 10+ and Server2012+. It will not run on older OS’s. This script also does not remediate the exploit. It only warns you that you have been exposed. You will need to follow the guidelines set by SolarWinds to remediate the issue.