
Using Censys Search to Identify SolarWinds Orion Associated Infrastructure

This is a quick guide to Censys Search (Free and Pro) to identify potential assets and other infrastructure associated with SolarWinds Orion. 

Find SolarWinds Orion assets worldwide running on ports 80, 443 or 8080. This search helps Censys users identify SolarWinds Orion assets exposed on the Internet. Censys Search Free and Pro customers can then narrow the results with further built-in query syntax to find assets that may belong to them. If an asset found in Censys Search matches one within your environment, we recommend following CISA's Emergency Directive and guidance.

443.https.get.title: "SolarWinds Orion" OR 80.http.get.title: "SolarWinds Orion" OR 8080.http.get.title: "SolarWinds Orion"

Find assets using "SolarWinds-Orion"-associated RDP certificates. The SolarWinds Orion exploit leverages C2 hosts that present RDP certificates, as highlighted in the FireEye analysis earlier this week. This search identifies any hosts on the Internet that identify as "SolarWinds-Orion" by presenting such certificates on RDP port 3389. Hosts identified by this search may be attacker infrastructure; report and share this information through appropriate threat information sharing channels and, where applicable, to the authorities.

3389.rdp.banner.tls.certificate.parsed.issuer_dn: "CN=SolarWinds-Orion"

[optional substitute]
3389.rdp.banner.tls.certificate.parsed.issuer_dn: "CN=SolarWinds"

Or any "SolarWinds-Orion" certificate presented on any port:

"CN=SolarWinds-Orion"

Find possible Indicators of Compromise (the attacker replicates the victim's hostname in the RDP certificate of the attacker's C2 host). The SolarWinds Orion exploit leverages C2 hosts that present RDP certificates, and these certificates incorporate the victim's hostname to avoid detection. If this search associates one of your hostnames with such a certificate, and your investigation finds further evidence of "SolarWinds" or "Orion" nomenclature, we recommend following CISA's Emergency Directive and guidance.

3389.rdp.banner.tls.certificate.parsed.subject_dn.raw: /.*HOSTNAME.*/
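The three searches above (the multi-port title query, the RDP issuer query and the per-hostname subject regex) share the same field names, so the added example below builds all of them from one place and then triages a set of Censys-like RDP certificate records against an organization's own host inventory. This is an added illustration, not Censys code; the record layout, the sample IPs and hostnames are constructed, and it assumes the search backend honours backslash escapes inside the `/.../` regex syntax.

```python
"""Build the guide's Censys legacy IPv4 queries and triage constructed results.

Added example (not Censys's own code). Field names are taken from the guide;
every record, IP and hostname below is constructed for illustration.
"""
import re

# Field names exactly as used in the guide's queries.
TITLE_FIELDS = ("443.https.get.title", "80.http.get.title", "8080.http.get.title")
RDP_ISSUER_FIELD = "3389.rdp.banner.tls.certificate.parsed.issuer_dn"
RDP_SUBJECT_FIELD = "3389.rdp.banner.tls.certificate.parsed.subject_dn.raw"


def orion_title_query(title="SolarWinds Orion"):
    """Exposed Orion web consoles: same title matched on each port field, OR'd together."""
    return " OR ".join(f'{field}: "{title}"' for field in TITLE_FIELDS)


def rdp_issuer_query(cn="SolarWinds-Orion"):
    """Hosts presenting an RDP certificate whose issuer CN is the given value."""
    return f'{RDP_ISSUER_FIELD}: "CN={cn}"'


def hostname_subject_query(hostname):
    """Per-hostname subject DN regex from the guide, with the hostname escaped.

    Escaping matters: an unescaped dot in "corp.example.com" would also match
    "corpXexample.com", producing false hits in the search results.
    Assumption: the backend accepts backslash escapes inside /.../ (constructed).
    """
    return f"{RDP_SUBJECT_FIELD}: /.*{re.escape(hostname)}.*/"


def triage(records, own_hostnames, cn="SolarWinds-Orion"):
    """Flag records that need follow-up. Returns a list of (ip, reason) tuples.

    Two signals from the guide are checked:
      1. issuer CN equals the Orion-associated value (possible C2 infrastructure);
      2. the subject DN contains one of *our* hostnames (possible victim-mimicking C2).
    """
    # Match CN=<cn> as a whole RDN, not as a substring of a longer CN.
    cn_pattern = re.compile(rf"(?:^|,\s*)CN={re.escape(cn)}(?:\s*,|$)")
    findings = []
    for rec in records:
        ip = rec["ip"]
        issuer = rec.get("issuer_dn", "")
        subject = rec.get("subject_dn", "")
        if cn_pattern.search(issuer):
            findings.append((ip, f"issuer CN is {cn}: possible C2 infrastructure"))
        for host in own_hostnames:
            if host.lower() in subject.lower():
                findings.append((ip, f"subject DN contains our hostname {host}: possible victim-mimicking C2"))
    return findings


# Constructed sample records shaped like the relevant Censys fields (not real data).
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "issuer_dn": "CN=SolarWinds-Orion", "subject_dn": "CN=SolarWinds-Orion"},
    {"ip": "198.51.100.7", "issuer_dn": "CN=198.51.100.7", "subject_dn": "CN=dc01.corp.example.com"},
    {"ip": "203.0.113.5", "issuer_dn": "CN=Example Public CA", "subject_dn": "CN=unrelated.example.net"},
]

# Constructed inventory of hostnames the defending organization owns.
OWN_HOSTNAMES = ["dc01.corp.example.com", "orion.corp.example.com"]


if __name__ == "__main__":
    print(orion_title_query())
    print(rdp_issuer_query())
    for host in OWN_HOSTNAMES:
        print(hostname_subject_query(host))
    for ip, reason in triage(SAMPLE_RECORDS, OWN_HOSTNAMES):
        print(f"{ip}: {reason}")
```

Running the script prints the three ready-to-paste queries and then two findings from the constructed records: the host whose issuer CN is `SolarWinds-Orion`, and the host whose subject DN carries one of the inventory hostnames. The third record produces nothing, which is the point of matching the CN as a whole RDN and of escaping the hostname before it goes into the regex.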
