Splunk Lantern

Detecting Supernova web shell malware

 

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova malware attack. This attack exposes SolarWinds Orion via an in-memory web shell. Supernova leverages what was a zero-day vulnerability to install a trojanized .NET DLL. Unlike the Sunburst DLL, this DLL is not digitally signed, which is one of the reasons multiple researchers believe that this is a different threat actor using a vulnerability to load their malicious code onto vulnerable systems. The malware that is loaded is a web shell. Web shells correspond to MITRE ATT&CK technique T1505, which adversaries use to backdoor web servers and establish persistent access to systems. You know you need to patch your SolarWinds software, but you also need to look for signs that your systems have been compromised.
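The unsigned-DLL-in-the-web-process property described above is something you can check for directly in endpoint telemetry. The script below is an added example, not code from the original article or from Splunk: it runs over constructed Sysmon Event ID 7 (image loaded) records and flags any DLL loaded into the IIS worker process (w3wp.exe, assumed here to host the Orion web console) whose Signed field is false. Field names follow Sysmon's schema; the file paths are placeholders, not real Supernova indicators.

```python
import re

# Constructed Sysmon Event ID 7 records in key=value form (not real logs).
# Paths are placeholders; only the field names follow the Sysmon schema.
SAMPLE_EVENTS = [
    'EventCode=7 Image="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'ImageLoaded="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorlib.dll" '
    'Signed=true SignatureStatus=Valid',
    'EventCode=7 Image="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'ImageLoaded="C:\\PLACEHOLDER_ORION_WEB_DIR\\EXAMPLE_UNSIGNED.dll" '
    'Signed=false SignatureStatus=Unavailable',
    'EventCode=7 Image="C:\\Program Files\\Example\\other.exe" '
    'ImageLoaded="C:\\Program Files\\Example\\plugin.dll" '
    'Signed=false SignatureStatus=Unavailable',
    'EventCode=1 Image="C:\\Windows\\System32\\inetsrv\\w3wp.exe" '
    'CommandLine="w3wp.exe -ap PLACEHOLDER_APP_POOL"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value log line into a dict of field name -> value."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def is_unsigned_dll_in_iis_worker(event):
    """True when an image-load event shows an unsigned DLL inside w3wp.exe."""
    if event.get("EventCode") != "7":
        return False  # only image-load events carry signature information
    if not event.get("Image", "").lower().endswith("\\w3wp.exe"):
        return False  # assumption: the Orion web console runs in the IIS worker
    if not event.get("ImageLoaded", "").lower().endswith(".dll"):
        return False
    return event.get("Signed", "").lower() == "false"


def find_suspicious_loads(lines):
    """Return the ImageLoaded paths of every flagged event, in log order."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_unsigned_dll_in_iis_worker(event):
            hits.append(event["ImageLoaded"])
    return hits


if __name__ == "__main__":
    for path in find_suspicious_loads(SAMPLE_EVENTS):
        print("unsigned DLL loaded into w3wp.exe:", path)
```

A hit is a lead, not a verdict: confirm the file's signature status on disk and compare its hash against a known-good Orion install before treating it as Supernova.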

How to use Splunk software for this use case

Depending on what information you have available, you might find it useful to identify some or all of the following: 

Next steps

After running each of the searches, you will need to gather evidence, remove the malware, and remediate the vulnerability. 

The content in this use case comes from previously published blogs, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:

Splunk OnDemand Services: Use these credit-based services for direct access to Splunk technical consultants with a variety of technical services from a pre-defined catalog. Most customers have OnDemand Services per their license support plan. Engage the ODS team at ondemand@splunk.com if you would like assistance.