.NET assemblies being compiled
Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. You know that because it runs in memory, detection and forensic analysis post-breach are difficult. You want to determine if .NET assemblies are being compiled.
Required data
Option 1 - Normalized data
- Ensure that your deployment is ingesting endpoint logs from your various systems. You should also ensure you are ingesting normalized data, populating the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats count FROM datamodel=Endpoint.Processes WHERE Processes.process_exec=cvtres.exe Processes.parent_process_exec=csc.exe groupby Processes.process_exec Processes.process_id Processes.process Processes.parent_process_exec Processes.parent_process Processes.parent_process_id Processes.dest Processes.user Processes.vendor_product _time span=1s
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| \| tstats count FROM datamodel=Endpoint.Processes WHERE Processes.process_exec=cvtres.exe Processes.parent_process_exec=csc.exe groupby Processes.process_exec Processes.process_id Processes.process Processes.parent_process_exec Processes.parent_process Processes.parent_process_id Processes.dest Processes.user Processes.vendor_product _time span=1s | Query the Endpoint data model for CVTRES.exe processes spawned by CSC.exe, the child processes created when a .NET app compiles code at runtime, and count them per process, parent, host, user and one-second time bucket. |
Option 2 - Microsoft Sysmon
- Ensure that your deployment is ingesting Microsoft Sysmon data.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=1 CommandLine=*cvtres.exe* ParentCommandLine=*csc.exe* | table _time CommandLine ParentCommandLine User host ProcessId ParentProcessId
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational | Search only Sysmon operational data. |
| EventCode=1 | Search for event code 1, which indicates process creation. |
| CommandLine=*cvtres.exe* ParentCommandLine=*csc.exe* | Search for process creation events whose command line contains cvtres.exe and whose parent command line contains csc.exe. |
| \| table _time CommandLine ParentCommandLine User host ProcessId ParentProcessId | Display the results in a table with columns in the order shown. |
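The same parent/child check as the two searches above, expressed in Python so it can be run against exported events. This is an added example, not Splunk's code; the Sysmon records below are constructed sample data, and the host names, users and process IDs are invented. It matches on the executable name instead of the *cvtres.exe* wildcard, so a stray file name in the arguments does not count, and rolls hits up by host and user the way the tstats search does.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 1 records, already parsed into the fields the
# searches above use. Sample data for illustration, not real telemetry.
SAMPLE_EVENTS = [
    {"_time": "2020-12-15T10:02:11Z", "EventCode": 1, "host": "orion01",
     "User": "IIS APPPOOL\\DefaultAppPool", "ProcessId": 4120, "ParentProcessId": 3988,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe" /NOLOGO /READONLY',
     "ParentCommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig @"C:\Windows\Temp\x.cmdline"'},
    {"_time": "2020-12-15T10:05:40Z", "EventCode": 1, "host": "devbox01",
     "User": "CORP\\jdoe", "ProcessId": 7712, "ParentProcessId": 7690,
     "CommandLine": r'cvtres.exe /NOLOGO /READONLY /MACHINE:IX86',
     "ParentCommandLine": r'csc.exe /noconfig @"C:\Users\jdoe\src\app.cmdline"'},
    {"_time": "2020-12-15T10:06:02Z", "EventCode": 1, "host": "orion01",
     "User": "IIS APPPOOL\\DefaultAppPool", "ProcessId": 4201, "ParentProcessId": 1200,
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig',
     "ParentCommandLine": r'"C:\Windows\System32\inetsrv\w3wp.exe" -ap "DefaultAppPool"'},
    {"_time": "2020-12-15T10:07:15Z", "EventCode": 1, "host": "orion01",
     "User": "CORP\\admin", "ProcessId": 4310, "ParentProcessId": 900,
     "CommandLine": r'cvtres.exe /NOLOGO', "ParentCommandLine": r'cmd.exe /c build.bat'},
]

def exe_name(command_line: str) -> str:
    """Lower-cased executable file name from a command line (like Processes.process_exec);
    handles both a quoted full path and a bare name."""
    head = command_line.strip()
    head = head[1:].split('"', 1)[0] if head.startswith('"') else head.split(None, 1)[0]
    return head.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_net_compiles(events, child="cvtres.exe", parent="csc.exe"):
    """The Sysmon search as code: process-creation events where cvtres.exe
    was spawned by csc.exe, i.e. a .NET assembly being compiled at runtime."""
    return [e for e in events
            if e.get("EventCode") == 1
            and exe_name(e["CommandLine"]) == child
            and exe_name(e["ParentCommandLine"]) == parent]

def count_by_host_user(hits):
    """The tstats roll-up: hits per (host, user). A web-server service account
    compiling code on an Orion host is the pairing to hunt around first; a
    developer compiling on a workstation is the expected benign case."""
    counts = defaultdict(int)
    for e in hits:
        counts[(e["host"], e["User"])] += 1
    return dict(counts)

if __name__ == "__main__":
    for (host, user), n in sorted(count_by_host_user(find_net_compiles(SAMPLE_EVENTS)).items()):
        print(f"{host:<10} {user:<28} {n}")
```

The csc.exe spawned directly by w3wp.exe and the cvtres.exe spawned by cmd.exe are deliberately left out of the hits, matching what the searches return.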
Next steps
Because many legitimate .NET apps create CSC.exe and CVTRES.exe as child processes during execution, this is a hunting technique, not a signature to deploy in your SIEM. On its own it is not an indicator of compromise, but it may be worth the time to run this search and then hunt for additional actions occurring immediately after this behavior on vulnerable systems.
Finally, you might be interested in other processes associated with the Detecting Supernova web shell malware use case.