{"id":21548557,"url":"https://github.com/technion/revokesolar","last_synced_at":"2025-03-18T01:54:14.053Z","repository":{"id":145344248,"uuid":"324077676","full_name":"technion/RevokeSolar","owner":"technion","description":"Revoke the compromised Solarwinds certificate","archived":false,"fork":false,"pushed_at":"2020-12-24T09:57:55.000Z","size":19,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-01-24T09:29:15.437Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/technion.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-12-24T05:52:30.000Z","updated_at":"2020-12-24T09:57:57.000Z","dependencies_parsed_at":null,"dependency_job_id":"5524aa04-3e18-460f-8303-0c193cf2aa51","html_url":"https://github.com/technion/RevokeSolar","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/technion%2FRevokeSolar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/technion%2FRevokeSolar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/technion%2FRevokeSolar/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/technion%2FRevokeSolar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/technion","download_url":"https://codeload.github.com/technion/RevokeSolar/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244141588,"owners_count":20404835,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-24T06:18:59.712Z","updated_at":"2025-03-18T01:54:14.047Z","avatar_url":"https://github.com/technion.png","language":"PowerShell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Revoke Compromised Solarwinds Certificate\n\nFollowing the recent Solarwinds incident, it is a common view that the impacted certificate should be revoked. This is currently planned, but not until February 22nd per this advisory:\nhttps://status.solarwindsmsp.com/2020/12/18/update-digital-certificate-revocation-date-change/\n\nSome parties have recommended using the existing certificate as an IOC:\nhttps://github.com/fireeye/sunburst_countermeasures/pull/3\n\n## Manually revoking the certificate\n\nIn order to be more proactive, this script will allow you to revoke the certificate immediately. In order to ensure its content can be independently verified, I do not ship any executables or certificates themselves. Accordingly, running this script starts by downloading the free \"Azure Cost Calculator\" (~90MB download) from Solarwinds. This is a *non malicious* file, signed by the impacted code signing certificate.\n\n## Automated Deployment\n\nIn a larger network you would be much better served with a Group Policy Object to automate this process. However, you may wish to start with this script to most easily obtain the certificate to revoke.\n\n## Usage\n\nFrom an Administrative PowerShell session, run the script `RevokeSolar.ps1` from a temporary directory. Once completed, the script and the file it creates in that temporary directory may be deleted.\n\n## Impact\n\nWindows does not always outright block an executable with a revoked certificate. However, UAC will always deny execution \"as administrator\". You can find this documented here:\n\nhttps://docs.microsoft.com/en-us/troubleshoot/windows-client/identity/uac-blocks-elevation-executable-apps\n\nIf you would like to test this as a standard user, you may need to wait a while due to OCSP caching. After which, running the executable should present you a less firm, but still unskippable block message:\n\n![Running executable with revoked certificate](standarduser.png)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechnion%2Frevokesolar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftechnion%2Frevokesolar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftechnion%2Frevokesolar/lists"}