Name:Supernova Webshell id:2ec08a09-9ff1-4dac-b59f-1efd57972ec1 version:3 date:2024-10-17 author:John Stoner, Splunk status:experimental type:TTP Description:The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections. Data_source:
search:| tstats `security_content_summariesonly` count from datamodel=Web.Web where web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s | `supernova_webshell_filter`
how_to_implement:To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model. known_false_positives:There might be false positives associted with this detection since items like args as a web argument is pretty generic. References: -https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html -https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/ drilldown_searches:
: tags: analytic_story: - 'NOBELIUM Group' asset_type:Web Server confidence:50 impact:50 message:tbd mitre_attack_id: - 'T1505.003' - 'T1133' observable: name:'user' type:'User' - role: - 'Victim' name:'dest' type:'Hostname' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'Web.url' - 'Web.src' - 'Web.dest' - 'Web.vendor_product' - 'Web.user' - 'Web.http_user_agent' risk_score:25 security_domain:network
