Solarwinds SUPERNOVA Webshell Access
Detects requests to the SUPERNOVA webshell, the malicious logoimagehandler.ashx handler described in the GuidePoint Security report.
Sigma rule
```yaml
title: Solarwinds SUPERNOVA Webshell Access
id: a2cee20b-eacc-459f-861d-c02e5d12f1db
status: test
description: Detects access to SUPERNOVA webshell as described in Guidepoint report
references:
    - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
    - https://www.anquanke.com/post/id/226029
author: Florian Roth (Nextron Systems)
date: 2020-12-17
modified: 2023-01-02
tags:
    - attack.persistence
    - attack.t1505.003
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-uri-query|contains|all:
            - 'logoimagehandler.ashx'
            - 'clazz'
    selection2:
        cs-uri-query|contains: 'logoimagehandler.ashx'
        sc-status: 500
    condition: selection1 or selection2
fields:
    - client_ip
    - response
falsepositives:
    - Unknown
level: critical
```
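The rule fires on either of two patterns: a request to `logoimagehandler.ashx` whose URI also carries the `clazz` parameter (selection1, the webshell being invoked), or any request to that handler that ends in HTTP 500 (selection2, which also catches a malformed or failed invocation). The following Python is an added example, not part of the Sigma rule or the SigmaHQ project: it re-implements the two selections and the `or` condition and runs them over a handful of constructed webserver records. Two assumptions are baked in and worth checking against your own backend mapping: Sigma string modifiers such as `contains` match case-insensitively, so the code lowercases both sides; and `cs-uri-query` is treated as the full request URI (path plus query string), as Sigma webserver rules conventionally expect. If your pipeline feeds only the IIS W3C query-string field into `cs-uri-query`, the handler name lives in `cs-uri-stem` instead and neither selection can match, so the rule would be silently dead.

```python
"""Added example: evaluate the SUPERNOVA Sigma rule logic over constructed log records.

The record layout and every log line below are constructed for illustration;
they are not taken from a real SolarWinds Orion server.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class WebRecord:
    """One webserver log record using the Sigma webserver field names."""
    client_ip: str
    cs_uri_query: str  # assumed to hold the full request URI (path + query)
    sc_status: int


def _contains(haystack: str, needle: str) -> bool:
    """Sigma's 'contains' modifier: substring match, case-insensitive by default."""
    return needle.lower() in haystack.lower()


def selection1(rec: WebRecord) -> bool:
    """cs-uri-query|contains|all: ['logoimagehandler.ashx', 'clazz']"""
    return all(_contains(rec.cs_uri_query, s) for s in ("logoimagehandler.ashx", "clazz"))


def selection2(rec: WebRecord) -> bool:
    """cs-uri-query|contains: 'logoimagehandler.ashx' AND sc-status: 500"""
    return _contains(rec.cs_uri_query, "logoimagehandler.ashx") and int(rec.sc_status) == 500


def which_selections(rec: WebRecord) -> List[str]:
    """Names of the selections a record satisfies (useful when triaging the alert)."""
    hits = []
    if selection1(rec):
        hits.append("selection1")
    if selection2(rec):
        hits.append("selection2")
    return hits


def matches(rec: WebRecord) -> bool:
    """condition: selection1 or selection2"""
    return bool(which_selections(rec))


def run(records: Iterable[WebRecord]) -> List[dict]:
    """Apply the rule and emit the rule's 'fields' (client_ip, response) per alert."""
    return [
        {"client_ip": r.client_ip, "response": r.sc_status, "selections": which_selections(r)}
        for r in records
        if matches(r)
    ]


# Constructed sample log: the first two records model the behaviour the rule targets,
# the next two are benign traffic to the same application, the last trips both selections.
SAMPLE_LOG = [
    WebRecord("203.0.113.10",
              "/SolarWinds/logoimagehandler.ashx?clazz=SolarWinds.Orion.Web.DataGrid.Renderer"
              "&method=Run&args=&codes=dXNpbmcgU3lzdGVtOw==", 200),
    WebRecord("203.0.113.10", "/SolarWinds/LogoImageHandler.ashx?id=7", 500),
    WebRecord("198.51.100.7", "/SolarWinds/logoimagehandler.ashx?id=7", 200),
    WebRecord("198.51.100.7", "/Orion/Login.aspx?ReturnUrl=%2fOrion%2fSummaryView.aspx", 200),
    WebRecord("192.0.2.44", "/SolarWinds/logoimagehandler.ashx?Clazz=x", 500),
]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

The second record is deliberately written as `LogoImageHandler.ashx` to show that the match survives the case differences IIS happily accepts; if you port this logic to a backend whose `contains` is case-sensitive, add an explicit lowercase step or the rule loses that coverage. The third record shows the main false-positive surface the rule accepts by design: the legitimate logo handler is hit by every dashboard load, so the rule keys on the `clazz` parameter and on 500 responses rather than on the handler name alone.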
Related rules
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- DEWMODE Webshell Access
- MOVEit CVE-2023-34362 Exploitation Attempt - Potential Web Shell Request
- Oracle WebLogic Exploit
- COLDSTEEL Persistence Service Creation