SolarWinds SUPERNOVA Hack Identification Snippet

If you think you may have been effected by the recent SolarWinds SUPERNOVA hack/malware the following snippet of PowerShell can assist you in identifying infection. It’s a rather simple foreach loop that searches all files for hashes publicly published by SolarWinds & CISA as compromised. If this script returns a known infected file it’s critical to take all remediation steps as soon as possible.

# Purpose: This snippet of PowerShell is designed to identify if the version of SolarWinds you're running is effected by the recent SolarWinds (SUPERNOVA) hack.
#
# How it works: Simple ForEach loop that looks for known infected files via SHA256 file hash related to the SolarWinds hack. 
#
# References: 
#        https://www.solarwinds.com/securityadvisory/faq
#        The SUPERNOVA malware is associated with the [app_web_logoimagehandler.ashx.b6031896.dll] file with a sha256 
#        hash of 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71'
#
# Hashes publicly known to contain the malware:
#     -c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
#
# Author: Brandon Lanczak
# Contact: Brandon@Lanczak.com
#
# Notes: 
#     -If your SolarWinds Orion installation is in a drive other than C:\ make sure you adjust the foreach statement accordingly.
#     -Run as an administrator to ensure it can access all files.
#
# Revision: v1.0 | 01-04-2021 @ 10:51 CST
#
# Execution:
[String] $HashToFind = 'c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71'

Foreach ($file in Get-ChildItem C:\ -file -Recurse)
{
    If ((Get-FileHash $file.Fullname -Algorithm SHA256).hash -eq $HashToFind)
    {
        Write-Host "SUPERNOVA Infected file found: $($File.Fullname) with hash $Hash"
        }
}
 
pause

Leave a Reply

Your email address will not be published. Required fields are marked *