A Query for the Weary


Trying to find SolarWinds Orion stuff in your Configuration Manager environment? Probably not, but in case you are, here’s a query to fire against your SQL site database. If you don’t have permissions to query the database, threaten your DBA with promises to post illicit photos of them from the last company party when they passed out and were never told what really happened to them before waking up. That, or a pizza and some beer, either might help.

For more in-depth inspection, check out Matt Dowst's blog post, "Detecting the SolarWinds Compromise Signals with PowerShell" (Catapult Systems).

SELECT DISTINCT 
  cdr.Name, 
  cdr.UserName, 
  cdr.ADSiteName, 
  cdr.DeviceOS, 
  isc.NormalizedPublisher, 
  isc.NormalizedName, 
  isc.NormalizedVersion
FROM 
  dbo.v_GS_INSTALLED_SOFTWARE_CATEGORIZED AS isc INNER JOIN
  dbo.v_CombinedDeviceResources AS cdr ON isc.ResourceID = cdr.MachineID
WHERE
  (isc.NormalizedPublisher LIKE 'SolarWinds%')

Modify to add an additional filter condition, at no extra charge, but only if your parents call before midnight….

SELECT DISTINCT 
  cdr.Name, 
  cdr.UserName, 
  cdr.ADSiteName, 
  cdr.DeviceOS, 
  isc.NormalizedPublisher, 
  isc.NormalizedName, 
  isc.NormalizedVersion
FROM 
  dbo.v_GS_INSTALLED_SOFTWARE_CATEGORIZED AS isc INNER JOIN
  dbo.v_CombinedDeviceResources AS cdr ON isc.ResourceID = cdr.MachineID
WHERE
  (isc.NormalizedPublisher LIKE 'SolarWinds%') AND
  (isc.NormalizedName LIKE '%Orion%')

And for a limited time, for only 30 cereal box tops, shove it into a PowerShell pipeline using a toilet plunger and some good old foot stomping power with the “dbatools” module…

# Needs the dbatools module and an account with read access to the site database.
Import-Module dbatools

$query = "SELECT DISTINCT
  cdr.Name,
  cdr.UserName,
  cdr.ADSiteName,
  cdr.DeviceOS,
  isc.NormalizedPublisher,
  isc.NormalizedName,
  isc.NormalizedVersion
FROM
  dbo.v_GS_INSTALLED_SOFTWARE_CATEGORIZED AS isc INNER JOIN
  dbo.v_CombinedDeviceResources AS cdr ON isc.ResourceID = cdr.MachineID
WHERE
  (isc.NormalizedPublisher LIKE 'SolarWinds%') AND
  (isc.NormalizedName LIKE '%Orion%')"

# One row per device/product/version combination the inventory knows about.
$evil_little_turd_machines = Invoke-DbaQuery -SqlInstance "mysadsqlserver.loser.nowhere" -Database "CM_WOW" -Query $query
$evil_little_turd_machines | Format-Table -AutoSize
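Once the rows are back, the next question is usually "which versions, on how many boxes?". As an added example (not from the original post or from dbatools), here is a helper, Get-OrionVersionSummary (my name), that groups the query output by NormalizedVersion and flags versions inside a range you supply; the sample rows and the range bounds are constructed placeholders, and the real bounds belong to the vendor advisory.

```powershell
# Added example: triage the rows the dbatools query in this post returns.
# Accepts Invoke-DbaQuery output, or any objects carrying the same columns.
function Get-OrionVersionSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object[]] $Row,
        # Placeholder bounds: take the real ones from the vendor advisory.
        [version] $MinAffected = '0.0',
        [version] $MaxAffected = '0.0'
    )
    begin { $all = @() }
    process { $all += $Row }
    end {
        $all | Group-Object NormalizedVersion | ForEach-Object {
            # NormalizedVersion is free text in inventory, so parse defensively
            # and surface anything that does not parse rather than dropping it.
            $parsed = $null
            $isVersion = [version]::TryParse($_.Name, [ref] $parsed)
            [pscustomobject]@{
                Version     = $_.Name
                DeviceCount = $_.Count
                Devices     = ($_.Group.Name | Sort-Object -Unique) -join ', '
                InRange     = $isVersion -and ($parsed -ge $MinAffected) -and ($parsed -le $MaxAffected)
                Unparsed    = -not $isVersion
            }
        } | Sort-Object InRange, DeviceCount -Descending
    }
}

# Constructed sample rows shaped like the query output (not real inventory data).
$sample = @(
    [pscustomobject]@{ Name = 'SRV01'; UserName = 'alice'; ADSiteName = 'HQ';  DeviceOS = 'Windows Server 2019'; NormalizedPublisher = 'SolarWinds'; NormalizedName = 'SolarWinds Orion Platform'; NormalizedVersion = '2020.2.1' }
    [pscustomobject]@{ Name = 'SRV02'; UserName = 'bob';   ADSiteName = 'DR';  DeviceOS = 'Windows Server 2016'; NormalizedPublisher = 'SolarWinds'; NormalizedName = 'SolarWinds Orion Platform'; NormalizedVersion = '2020.2.1' }
    [pscustomobject]@{ Name = 'SRV03'; UserName = 'carol'; ADSiteName = 'HQ';  DeviceOS = 'Windows Server 2019'; NormalizedPublisher = 'SolarWinds'; NormalizedName = 'SolarWinds Orion Platform'; NormalizedVersion = '2018.4' }
    [pscustomobject]@{ Name = 'SRV04'; UserName = 'dave';  ADSiteName = 'LAB'; DeviceOS = 'Windows Server 2019'; NormalizedPublisher = 'SolarWinds'; NormalizedName = 'SolarWinds Orion Platform'; NormalizedVersion = 'unknown' }
)

# Illustrative bounds for the demo only; substitute the advisory's values in production.
$sample | Get-OrionVersionSummary -MinAffected '2020.2' -MaxAffected '2020.2.1' | Format-Table -AutoSize

# Against the real site database (needs the dbatools module and $query from the post):
# Invoke-DbaQuery -SqlInstance 'mysadsqlserver.loser.nowhere' -Database 'CM_WOW' -Query $query |
#     Get-OrionVersionSummary -MinAffected '<advisory min>' -MaxAffected '<advisory max>' |
#     Export-Csv -Path .\orion-inventory.csv -NoTypeInformation
```

Rows whose version string does not parse come out with Unparsed set so they get a manual look instead of silently falling out of the range check.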
