-
Notifications
You must be signed in to change notification settings - Fork 395
/
Copy pathsupernova_webshell.yml
53 lines (53 loc) · 2.21 KB
/
supernova_webshell.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: Supernova Webshell
id: 2ec08a09-9ff1-4dac-b59f-1efd57972ec1
version: 5
date: '2025-04-16'
author: John Stoner, Splunk
status: experimental
type: TTP
description: The following analytic detects the presence of the Supernova webshell,
used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection
leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*",
"*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*".
This activity is significant as it indicates potential unauthorized access and arbitrary
code execution on a compromised system. If confirmed malicious, this could lead
to data theft, ransomware deployment, or other severe outcomes. Immediate steps
include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent
processes and network connections.
data_source: []
search: '| tstats `security_content_summariesonly` count from datamodel=Web.Web where
web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR
Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by
Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s
| `supernova_webshell_filter`'
how_to_implement: To successfully implement this search, you need to be monitoring
web traffic to your Solarwinds Orion. The logs should be ingested into splunk and
populating/mapped to the Web data model.
known_false_positives: There might be false positives associted with this detection
since items like args as a web argument is pretty generic.
references:
- https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html
- https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/
rba:
message: Potential Supernova Webshell on $dest$
risk_objects:
- field: user
type: user
score: 25
- field: dest
type: system
score: 25
threat_objects: []
tags:
analytic_story:
- NOBELIUM Group
- Earth Alux
asset_type: Web Server
mitre_attack_id:
- T1505.003
- T1133
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
security_domain: network