File hashes associated with the Supernova trojanized DLL
Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. Because the web shell runs in memory, detection and post-breach forensic analysis are difficult. You want to identify whether the file hashes associated with the Supernova trojanized DLL have been written to disk. Using information reported by various security researchers, you have a path name and some hashes from VirusTotal to search for.
Required data
Option 1 - Normalized data
- Ensure that your deployment is ingesting endpoint logs from your various systems. You should also ensure you are ingesting normalized data, populating the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
| tstats count FROM datamodel=Endpoint.Filesystem WHERE Filesystem.file_name=*logoimagehandler.ashx* OR Filesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 OR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR Filesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676 groupby Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation
---|---
`\| tstats count FROM datamodel=Endpoint.Filesystem WHERE Filesystem.file_name=*logoimagehandler.ashx* OR Filesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 OR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR Filesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676 groupby Filesystem.file_name Filesystem.file_path Filesystem.dest Filesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s` | Query the Endpoint data model for the file name and hashes associated with the Supernova trojanized DLL. The hashes are associated with the file name and identified by VirusTotal: SHA256 C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
Option 2 - Microsoft Sysmon
- Ensure that your deployment is ingesting Microsoft Sysmon data.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=11 file_name=*logoimagehandler.ashx* | table _time host Image Computer TargetFilename
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation
---|---
`sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational` | Search only Sysmon operational data.
`EventCode=11` | Search for event code 11, which indicates that the driver detected a controller error on \Device\Harddisk3\DR3.
`file_name=*logoimagehandler.ashx*` | Search for the file name shown.
`\| table _time host Image Computer TargetFilename` | Display the results in a table with columns in the order shown.
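As an added example (not code from the page or from Splunk), the same two checks done offline in Python: parse Sysmon Event ID 11 records (Sysmon's FileCreate event, where TargetFilename is the created path) for the web shell file name, and compare a file's MD5, SHA1 and SHA256 with the three hashes used in the searches above. The host, image and path values in the sample events are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
IOC_FILENAME = "logoimagehandler.ashx"
# The three hashes from the searches above, lowercased for comparison
# (64, 40 and 32 hex characters: SHA256, SHA1 and MD5 respectively).
IOC_HASHES = {
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",
    "75af292f34789a1c782ea36c7127bf6106f595e8",
    "56ceb6d0011d87b6e4d7023d7ef85676",
}

def flag_sysmon_file_creates(xml_events):
    """Return (Computer, Image, TargetFilename) for every Sysmon Event ID 11
    (FileCreate) record whose created file has the Supernova web shell name."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        system = root.find("e:System", NS)
        if system.find("e:EventID", NS).text != "11":
            continue  # not a FileCreate event (e.g. 23 = FileDelete)
        data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
        target = data.get("TargetFilename") or ""
        if target.lower().endswith(IOC_FILENAME):
            hits.append((system.find("e:Computer", NS).text, data.get("Image"), target))
    return hits

def file_hash_matches(content, iocs=IOC_HASHES):
    """Hash file bytes with MD5, SHA1 and SHA256; return the matching IOC hash or None."""
    for algo in ("md5", "sha1", "sha256"):
        digest = hashlib.new(algo, content).hexdigest()
        if digest in iocs:
            return digest
    return None

# Constructed sample events (hypothetical host, image and path, not real telemetry):
# a FileCreate of the web shell, an unrelated FileCreate, and a FileDelete of the web shell.
_TMPL = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
         '<System><EventID>{eid}</EventID><Computer>{host}</Computer></System>'
         '<EventData><Data Name="Image">{image}</Data>'
         '<Data Name="TargetFilename">{target}</Data></EventData></Event>')
SAMPLE_EVENTS = [
    _TMPL.format(eid=11, host="orion01.example", image=r"C:\Windows\System32\inetsrv\w3wp.exe", target=r"C:\example\OrionWeb\LogoImageHandler.ashx"),
    _TMPL.format(eid=11, host="orion01.example", image=r"C:\Windows\explorer.exe", target=r"C:\Users\admin\notes.txt"),
    _TMPL.format(eid=23, host="orion01.example", image=r"C:\Windows\System32\cmd.exe", target=r"C:\example\OrionWeb\LogoImageHandler.ashx"),
]
```

Pass real Sysmon XML events to `flag_sysmon_file_creates` and the bytes of a suspect file to `file_hash_matches` to reproduce the two searches without a Splunk deployment.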
Next steps
If any results indicate the file or the hashes are detected, then the host or computer where the vulnerability is detected needs to be further investigated and remediated according to your response plan. This involves a final step of re-imaging the system with a known good system build after investigation.
Finally, you might be interested in other processes associated with the Detecting Supernova web shell malware use case.