If you think you may have been effected by the recent SolarWinds SUPERNOVA hack/malware the following snippet of PowerShell can assist you in identifying infection. It’s a rather simple foreach loop that searches all files for hashes publicly published by SolarWinds & CISA as compromised. If this script returns a known infected file it’s critical to take all remediation steps as soon as possible.
# Purpose: This snippet of PowerShell is designed to identify if the version of SolarWinds you're running is effected by the recent SolarWinds (SUPERNOVA) hack.
#
# How it works: Simple ForEach loop that looks for known infected files via SHA256 file hash related to the SolarWinds hack.
#
# References:
# https://www.solarwinds.com/securityadvisory/faq
# The SUPERNOVA malware is associated with the [app_web_logoimagehandler.ashx.b6031896.dll] file with a sha256
# hash of 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71'
#
# Hashes publicly known to contain the malware:
# -c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
#
# Author: Brandon Lanczak
# Contact: Brandon@Lanczak.com
#
# Notes:
# -If your SolarWinds Orion installation is in a drive other than C:\ make sure you adjust the foreach statement accordingly.
# -Run as an administrator to ensure it can access all files.
#
# Revision: v1.0 | 01-04-2021 @ 10:51 CST
#
# Execution:
[String] $HashToFind = 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71'
Foreach ($file in Get-ChildItem C:\ -file -Recurse)
{
If ((Get-FileHash $file.Fullname -Algorithm SHA256).hash -eq $HashToFind)
{
Write-Host "SUPERNOVA Infected file found: $($File.Fullname) with hash $Hash"
}
}
pause