Merge pull request github#5083 from raulgarciamsft/master

Adding queries related to the Solorigate campaign

Author: tamasvajk

csharp/ql/src/codeql-suites/solorigate.qls

@@ -0,0 +1,4 @@
+- description: Queries related to Solorigate
+- qlpack: codeql-csharp
+- include:
+    tags contain: solorigate

csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.qhelp

@@ -0,0 +1,14 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query finds native calls to external functions that are often used in creating backdoors or are generally attributed to unsafe code practices. This is an example of a query that may be useful for detecting potential backdoors. Solorigate is one example that uses this mechanism.</p>
+  </overview>
+
+  <recommendation>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
+    <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
+  </recommendation>
+
+</qhelp>

csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql

@@ -0,0 +1,54 @@
+/**
+ * @name Potential dangerous use of native functions
+ * @description Detects the use of native functions that can be used for malicious intent or unsafe handling.
+ * @kind problem
+ * @problem.severity warning
+ * @precision low
+ * @id cs/backdoor/dangerous-native-functions
+ * @tags security
+ *       solorigate
+ */
+
+import csharp
+import semmle.code.csharp.frameworks.system.runtime.InteropServices
+
+predicate isDangerousMethod(Method m) {
+  m.getName() = "OpenProcessToken" or
+  m.getName() = "OpenThreadToken" or
+  m.getName() = "DuplicateToken" or
+  m.getName() = "DuplicateTokenEx" or
+  m.getName().matches("LogonUser%") or
+  m.getName().matches("WNetAddConnection%") or
+  m.getName() = "DeviceIoControl" or
+  m.getName().matches("LoadLibrary%") or
+  m.getName() = "GetProcAddress" or
+  m.getName().matches("CreateProcess%") or
+  m.getName().matches("InitiateSystemShutdown%") or
+  m.getName() = "GetCurrentProcess" or
+  m.getName() = "GetCurrentProcessToken" or
+  m.getName() = "GetCurrentThreadToken" or
+  m.getName() = "GetCurrentThreadEffectiveToken" or
+  m.getName() = "OpenThreadToken" or
+  m.getName() = "SetTokenInformation" or
+  m.getName().matches("LookupPrivilegeValue%") or
+  m.getName() = "AdjustTokenPrivileges" or
+  m.getName() = "SetProcessPrivilege" or
+  m.getName() = "ImpersonateLoggedOnUser" or
+  m.getName().matches("Add%Ace%")
+}
+
+predicate isExternMethod(Method externMethod) {
+  externMethod.isExtern()
+  or
+  externMethod.getAnAttribute().getType() instanceof
+    SystemRuntimeInteropServicesDllImportAttributeClass
+  or
+  externMethod.getDeclaringType().getAnAttribute().getType() instanceof
+    SystemRuntimeInteropServicesComImportAttributeClass
+}
+
+from MethodCall mc
+where
+  isExternMethod(mc.getTarget()) and
+  isDangerousMethod(mc.getTarget())
+select mc, "Call to an external method '" + mc.getTarget().getName() + "'."

csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.qhelp

@@ -0,0 +1,14 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects situations in which an offset to a last file modification time is used to conditionally execute a particular block of code. This is a common pattern in backdoors, where the file's modification timestamp is the time at which the backdoor was planted, and the time offset is used as a time bomb before a particular code block is executed.</p>
+  </overview>
+
+  <recommendation>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
+    <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
+  </recommendation>
+
+</qhelp>

csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql

@@ -0,0 +1,180 @@
+/**
+ * @name Potential Timebomb
+ * @description If there is data flow from a file's last modification date and an offset to a condition statement, this could trigger a "time bomb".
+ * @kind path-problem
+ * @precision Low
+ * @problem.severity warning
+ * @id cs/backdoor/potential-time-bomb
+ * @tags security
+ *       solorigate
+ */
+
+import csharp
+import DataFlow
+
+query predicate nodes = PathGraph::nodes/3;
+
+query predicate edges(DataFlow::PathNode a, DataFlow::PathNode b) {
+  PathGraph::edges(a, b)
+  or
+  exists(
+    FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable conf1,
+    FlowsFromTimeSpanArithmeticToTimeComparisonCallable conf2
+  |
+    conf1 = a.getConfiguration() and
+    conf1.isSink(a.getNode()) and
+    conf2 = b.getConfiguration() and
+    b.isSource()
+  )
+  or
+  exists(
+    FlowsFromTimeSpanArithmeticToTimeComparisonCallable conf1,
+    FlowsFromTimeComparisonCallableToSelectionStatementCondition conf2
+  |
+    conf1 = a.getConfiguration() and
+    conf1.isSink(a.getNode()) and
+    conf2 = b.getConfiguration() and
+    b.isSource()
+  )
+}
+
+/**
+ * Class that will help to find the source for the trigger file-modification date.
+ *
+ * May be extended as new patterns for similar time bombs are found.
+ */
+class GetLastWriteTimeMethod extends Method {
+  GetLastWriteTimeMethod() {
+    this.getQualifiedName() in [
+        "System.IO.File.GetLastWriteTime", "System.IO.File.GetFileCreationTime",
+        "System.IO.File.GetCreationTimeUtc", "System.IO.File.GetLastAccessTimeUtc"
+      ]
+  }
+}
+
+/**
+ * Abstracts `System.DateTime` structure
+ */
+class DateTimeStruct extends Struct {
+  DateTimeStruct() { this.getQualifiedName() = "System.DateTime" }
+
+  /**
+   * holds if the Callable is used for DateTime arithmetic operations
+   */
+  Callable getATimeSpanArtithmeticCallable() {
+    (result = this.getAnOperator() or result = this.getAMethod()) and
+    result.getName() in [
+        "Add", "AddDays", "AddHours", "AddMilliseconds", "AddMinutes", "AddMonths", "AddSeconds",
+        "AddTicks", "AddYears", "+", "-"
+      ]
+  }
+
+  /**
+   * Holds if the Callable is used for DateTime comparision
+   */
+  Callable getAComparisonCallable() {
+    (result = this.getAnOperator() or result = this.getAMethod()) and
+    result.getName() in ["Compare", "CompareTo", "Equals", "==", "!=", "<", ">", "<=", ">="]
+  }
+}
+
+/**
+ * Dataflow configuration to find flow from a GetLastWriteTime source to a DateTime arithmetic operation
+ */
+private class FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable extends TaintTracking::Configuration {
+  FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable() {
+    this = "FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(Call call, GetLastWriteTimeMethod m |
+      m.getACall() = call and
+      source.asExpr() = call
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call call, DateTimeStruct dateTime |
+      call.getAChild*() = sink.asExpr() and
+      call = dateTime.getATimeSpanArtithmeticCallable().getACall()
+    )
+  }
+}
+
+/**
+ * Dataflow configuration to find flow from a DateTime arithmetic operation to a DateTime comparison operation
+ */
+private class FlowsFromTimeSpanArithmeticToTimeComparisonCallable extends TaintTracking::Configuration {
+  FlowsFromTimeSpanArithmeticToTimeComparisonCallable() {
+    this = "FlowsFromTimeSpanArithmeticToTimeComparisonCallable"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(DateTimeStruct dateTime, Call call | source.asExpr() = call |
+      call = dateTime.getATimeSpanArtithmeticCallable().getACall()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(Call call, DateTimeStruct dateTime |
+      call.getAnArgument().getAChild*() = sink.asExpr() and
+      call = dateTime.getAComparisonCallable().getACall()
+    )
+  }
+}
+
+/**
+ * Dataflow configuration to find flow from a DateTime comparison operation to a Selection Statement (such as an If)
+ */
+private class FlowsFromTimeComparisonCallableToSelectionStatementCondition extends TaintTracking::Configuration {
+  FlowsFromTimeComparisonCallableToSelectionStatementCondition() {
+    this = "FlowsFromTimeComparisonCallableToSelectionStatementCondition"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(DateTimeStruct dateTime, Call call | source.asExpr() = call |
+      call = dateTime.getAComparisonCallable().getACall()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(SelectionStmt sel | sel.getCondition().getAChild*() = sink.asExpr())
+  }
+}
+
+/**
+ * Holds if the last file modification date from the call to getLastWriteTimeMethodCall will be used in a DateTime arithmetic operation timeArithmeticCall,
+ * which is then used for a DateTime comparison timeComparisonCall and the result flows to a Selection statement which is likely a TimeBomb trigger
+ */
+predicate isPotentialTimeBomb(
+  DataFlow::PathNode pathSource, DataFlow::PathNode pathSink, Call getLastWriteTimeMethodCall,
+  Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
+) {
+  exists(
+    FlowsFromGetLastWriteTimeConfigToTimeSpanArithmeticCallable config1, Node sink,
+    DateTimeStruct dateTime, FlowsFromTimeSpanArithmeticToTimeComparisonCallable config2,
+    Node sink2, FlowsFromTimeComparisonCallableToSelectionStatementCondition config3, Node sink3
+  |
+    pathSource.getNode() = exprNode(getLastWriteTimeMethodCall) and
+    config1.hasFlow(exprNode(getLastWriteTimeMethodCall), sink) and
+    timeArithmeticCall = dateTime.getATimeSpanArtithmeticCallable().getACall() and
+    timeArithmeticCall.getAChild*() = sink.asExpr() and
+    config2.hasFlow(exprNode(timeArithmeticCall), sink2) and
+    timeComparisonCall = dateTime.getAComparisonCallable().getACall() and
+    timeComparisonCall.getAnArgument().getAChild*() = sink2.asExpr() and
+    config3.hasFlow(exprNode(timeComparisonCall), sink3) and
+    selStatement.getCondition().getAChild*() = sink3.asExpr() and
+    pathSink.getNode() = sink3
+  )
+}
+
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, Call getLastWriteTimeMethodCall,
+  Call timeArithmeticCall, Call timeComparisonCall, SelectionStmt selStatement
+where
+  isPotentialTimeBomb(source, sink, getLastWriteTimeMethodCall, timeArithmeticCall,
+    timeComparisonCall, selStatement)
+select selStatement, source, sink,
+  "Possible TimeBomb logic triggered by $@ that takes into account $@ from the $@ as part of the potential trigger.",
+  timeComparisonCall, timeComparisonCall.toString(), timeArithmeticCall, "an offset",
+  getLastWriteTimeMethodCall, "last modification time of a file"

csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.qhelp

@@ -0,0 +1,15 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+  <overview>
+    <p>This query detects code flow from ProcessName property on the Process class into a hash function.</p>
+    <p>Such flow is often used in code backdoors to detect running processes and compare them to an obfuscated list of antivirus processes to avoid detection. Solorigate is one example that uses this mechanism.</p>
+  </overview>
+
+  <recommendation>
+    <p>Any findings from this rule are only intended to indicate suspicious code that shares similarities with known portions of code used for the Solorigate attack. There is no certainty that the code is related or that the code is part of any attack.</p>
+    <p>For more information about Solorigate, please visit https://aka.ms/solorigate. </p>
+  </recommendation>
+
+</qhelp>

csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql

@@ -0,0 +1,54 @@
+/**
+ * @name ProcessName to hash function flow
+ * @description Flow from a function retrieving process name to a hash function.
+ * @kind path-problem
+ * @tags security
+ *       solorigate
+ * @problem.severity warning
+ * @precision medium
+ * @id cs/backdoor/process-name-to-hash-function
+ */
+
+import csharp
+import DataFlow::PathGraph
+import experimental.code.csharp.Cryptography.NonCryptographicHashes
+
+class DataFlowFromMethodToHash extends TaintTracking::Configuration {
+  DataFlowFromMethodToHash() { this = "DataFlowFromMethodNameToHashFunction" }
+
+  /**
+   * Holds if `source` is a relevant data flow source.
+   */
+  override predicate isSource(DataFlow::Node source) { isSuspiciousPropertyName(source.asExpr()) }
+
+  /**
+   * Holds if `sink` is a relevant data flow sink.
+   */
+  override predicate isSink(DataFlow::Node sink) { isGetHash(sink.asExpr()) }
+}
+
+predicate isGetHash(Expr arg) {
+  exists(MethodCall mc |
+    (
+      mc.getTarget().getName().matches("%Hash%") or
+      mc.getTarget().getName().regexpMatch("Md[4-5]|Sha[1-9]{1,3}")
+    ) and
+    mc.getAnArgument() = arg
+  )
+  or
+  exists(Callable callable, Parameter param, Call call |
+    isCallableAPotentialNonCryptographicHashFunction(callable, param) and
+    call = callable.getACall() and
+    arg = call.getArgumentForParameter(param)
+  )
+}
+
+predicate isSuspiciousPropertyName(PropertyRead pr) {
+  pr.getTarget().getQualifiedName() = "System.Diagnostics.Process.ProcessName"
+}
+
+from DataFlow::PathNode src, DataFlow::PathNode sink, DataFlowFromMethodToHash conf
+where conf.hasFlow(src.getNode(), sink.getNode())
+select src.getNode(), src, sink,
+  "The hash is calculated on the process name $@, may be related to a backdoor. Please review the code for possible malicious intent.",
+  sink.getNode(), "here"