We have 2️⃣ webinars in June! Learn about the NEW Search 2.0 or explore Automation of Asset Discovery | Register for the Webinars!

Quick Guide: Using New Search 2.0 to Identify SolarWinds Orion Infrastructure

This is a quick guide with translated query syntax for the new Censys Search 2.0 which is free for community users. The following queries help practitioners identify potential assets and other infrastructure associated with SolarWinds Orion. For more information about the SolarWinds incident and global impact, please see our detailed write-up here

1. Find exposed SolarWinds Orion assets worldwide. 

This search identifies SolarWinds Orion assets exposed on the Internet. Censys Search can be used to search for those exposed assets that may belong to your organization. If you do find an exposed SolarWinds asset that’s yours, we recommend you follow CISA’s Emergency Directive and guidance.

Below is a comparison and query syntax translation between the old Censys Search App and Censys Search 2.0:

Old Search App: For the old Censys Search, this was limited to HTTP services running on ports 443 and 8080.

443.https.get.title: “SolarWinds Orion” OR 80.https.get.title: “SolarWinds Orion” OR 8080.http.get.title: “SolarWinds Orion” 

Results (May 20, 2021): 470

New Search 2.0: New Censys Search 2.0 scans 2,500 ports with automatic protocol detection, meaning you can identify services running on nonstandard ports.

services.http.response.html_title: “SolarWinds Orion”

Results (May 20, 2021): 1,051

2. Find assets using “SolarWinds-Orion” associated RDP certificates.  

The SolarWinds Orion exploit leverages C2 hosts that present RDP certificates as highlighted in the FireEye analysis in December 2020. This search identifies any hosts on the Internet that identify as “SolarWinds-Orion” via a certificate on RDP. Hosts identified in this search may be attacker infrastructure — report and share this information in appropriate threat information sharing channels and/or possibly to authorities.

Below is a comparison and query syntax translation between the old Censys Search App and Censys Search 2.0:

Old Search App

3389.rdp.banner.tls.certificate.parsed.issuer_dn: “CN=SolarWinds-Orion” 

Results (May 20, 2021): 1

New Search 2.0

same_service(“CN=SolarWinds-Orion” and services.service_name: RDP)

Results (May 20, 2021): 1

3. Find any “SolarWinds-Orion” certificate presented via any port

Below is a comparison and query syntax translation between the old Censys Search App and new Censys Search 2.0.

Old Search App

“CN=SolarWinds-Orion” 

Results (May 20, 2021): 48

New Search 2.0: With Search 2.0, automatic protocol detection enables Censys to find more services and certificates than in the old Search app.

“SolarWinds-Orion”

Results (May 20, 2021): 670

For more information about Search 2.0, check out our Help Center. If you’re interested in learning more about Censys Search 2.0, visit our website today!

Stay up to date

To get regular news about product updates, user guides, and security tips, send us your email. You can unsubscribe at any time.