Splunk Lantern

File hashes associated with the Supernova trojanized DLL

 

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. Because the web shell executes in memory, detection and forensic analysis after a breach are difficult. The shell is, however, delivered as a trojanized Orion DLL, and that DLL has to exist on disk before the web server can load it, so you want to find out whether the file name or the hashes associated with it appear in your endpoint telemetry. Using information reported by security researchers, you have a path name and MD5, SHA1, and SHA256 hashes from VirusTotal to search for.

Option 1 - Normalized data

  1. Ensure that your deployment is ingesting endpoint logs from your various systems. You should also ensure you are ingesting normalized data, populating the Endpoint data model in the Common Information Model (CIM). For information on installing and using the CIM, see the Common Information Model documentation.
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    | tstats count FROM datamodel=Endpoint.Filesystem WHERE
        Filesystem.file_name=*logoimagehandler.ashx* OR 
        Filesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 
        OR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR 
        Filesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676 groupby 
        Filesystem.file_name Filesystem.file_path Filesystem.dest 
        Filesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search
    | tstats count FROM datamodel=Endpoint.Filesystem WHERE
        Filesystem.file_name=*logoimagehandler.ashx* OR 
        Filesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 
        OR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR 
        Filesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676 groupby 
        Filesystem.file_name Filesystem.file_path Filesystem.dest 
        Filesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s 

Explanation
    Query the Filesystem dataset of the Endpoint data model for files whose name matches the Supernova handler name or whose hash matches one of the hashes VirusTotal reports for the trojanized DLL, and group the hits by file name, path, host (dest), hash, product, user, and one-second time bucket. The hashes are:

    SHA256: C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
    SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8
    MD5: 56ceb6d0011d87b6e4d7023d7ef85676

    A hex digest has the same value regardless of letter case (the SHA256 above is quoted with an uppercase C and the rest lowercase), but not every comparison treats it that way: if you move this logic into a where or eval comparison, normalize both sides with lower() first. Which of the three hash types Filesystem.file_hash actually holds depends on the endpoint product feeding the data model, which is why all three are listed. A match on file name alone is a lead rather than confirmation, because the trojanized DLL reuses the name of a legitimate Orion component; a hash match is the stronger signal.
 

Option 2 - Microsoft Sysmon

  1. Ensure that your deployment is ingesting Microsoft Sysmon data. 
  2. Run the following search. You can optimize it by specifying an index and adjusting the time range.
    sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=11 file_name=*logoimagehandler.ashx* 
    | table _time host Image Computer TargetFilename

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search                                                       Explanation
sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational      Search only Sysmon operational data.
EventCode=11                                                        Search for Sysmon event ID 11 (FileCreate), which records a file being created or overwritten and includes the creating process (Image) and the file written (TargetFilename).
file_name=*logoimagehandler.ashx*                                   Search for the file name shown; the add-on extracts file_name from TargetFilename.
| table _time host Image Computer TargetFilename                     Display the results in a table with columns in the order shown.

Sysmon FileCreate events do not carry file hashes, so this option matches on file name only. To match Supernova by hash with Sysmon data, search event ID 7 (ImageLoad) events, whose Hashes field is populated for DLLs loaded into a process such as the IIS worker process, and compare it against the hashes listed in Option 1. Note that FileCreate fires when the DLL is written to disk, which may be long before the web shell is first used, so search a generous time range.
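The following Python script is an added example, not code from Splunk, SolarWinds, or the researchers cited on this page. It applies the indicators used in Options 1 and 2 (the file name wildcard and the three hashes) outside Splunk: to Sysmon XML records, where event ID 11 yields only a file name while event ID 7 (ImageLoad) also yields hashes, and to files on disk by computing all three digests in one pass. The Sysmon records, paths, and decoy directory in it are constructed samples; the full DLL name they use (App_Web_logoimagehandler.ashx.b6031896.dll) is the name reported by researchers and appears here for illustration only.

```python
"""Added example (not Splunk's or SolarWinds' code): apply the page's Supernova
indicators outside Splunk, to Sysmon event records and to files on disk."""
import fnmatch
import hashlib
import os
import tempfile
import xml.etree.ElementTree as ET

# Indicators quoted on the page, lowercased so the case a log source uses never matters.
SUPERNOVA_HASHES = {
    "c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",  # SHA256
    "75af292f34789a1c782ea36c7127bf6106f595e8",                          # SHA1
    "56ceb6d0011d87b6e4d7023d7ef85676",                                  # MD5
}
FILENAME_PATTERN = "*logoimagehandler.ashx*"  # the wildcard both SPL searches use
SYSMON_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def name_matches(path):
    """Case-insensitive glob on the last path component (Windows or POSIX separators)."""
    leaf = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return fnmatch.fnmatch(leaf, FILENAME_PATTERN)


def parse_sysmon_hashes(field):
    """Sysmon formats hashes as 'SHA1=...,MD5=...,SHA256=...'; return bare lowercase digests."""
    return {p.split("=", 1)[1].strip().lower() for p in field.split(",") if "=" in p}


def check_sysmon_event(xml_text):
    """Return (event_id, reason) when a Sysmon record matches an indicator, else None.
    Event ID 11 (FileCreate) has no hashes, so only the name rule can fire on it;
    event ID 7 (ImageLoad) carries a Hashes field, so both rules apply there."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", SYSMON_NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", SYSMON_NS)}
    if event_id == 11 and name_matches(data.get("TargetFilename", "")):
        return (11, "filename")
    if event_id == 7:
        if name_matches(data.get("ImageLoaded", "")):
            return (7, "filename")
        if parse_sysmon_hashes(data.get("Hashes", "")) & SUPERNOVA_HASHES:
            return (7, "hash")
    return None


def hash_file(path):
    """One pass over the file computing the three digests the indicators use."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {k: v.hexdigest() for k, v in digests.items()}


def scan_directory(root):
    """Walk a tree; report (path, reasons) for files matching by name or by any digest."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = []
            if name_matches(full):
                reasons.append("filename")
            if set(hash_file(full).values()) & SUPERNOVA_HASHES:
                reasons.append("hash")
            if reasons:
                hits.append((full, reasons))
    return hits


# Constructed sample records, not real telemetry. The paths are assumed; the digests are
# the page's IOCs, deliberately written in uppercase to show that normalization matters.
SAMPLE_FILECREATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\inetsrv\\w3wp.exe</Data>
<Data Name="TargetFilename">C:\\inetpub\\SolarWinds\\bin\\App_Web_logoimagehandler.ashx.b6031896.dll</Data>
</EventData></Event>"""
SAMPLE_IMAGELOAD = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>7</EventID></System><EventData>
<Data Name="ImageLoaded">C:\\Windows\\Temp\\renamed.dll</Data>
<Data Name="Hashes">SHA1=75AF292F34789A1C782EA36C7127BF6106F595E8,MD5=56CEB6D0011D87B6E4D7023D7EF85676</Data>
</EventData></Event>"""
SAMPLE_BENIGN = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>11</EventID></System><EventData><Data Name="Image">C:\\Windows\\explorer.exe</Data>
<Data Name="TargetFilename">C:\\Users\\admin\\notes.txt</Data></EventData></Event>"""


def build_sample_tree():
    """Throwaway directory: a benign-content decoy named like the DLL plus an unrelated file."""
    root = tempfile.mkdtemp(prefix="supernova-demo-")
    with open(os.path.join(root, "App_Web_logoimagehandler.ashx.b6031896.dll"), "wb") as fh:
        fh.write(b"decoy: same name as the trojanized DLL, different content")
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign")
    return root
```

Running check_sysmon_event over the three samples returns (11, "filename") for the FileCreate record, (7, "hash") for the ImageLoad record whose DLL was renamed but whose digests still match, and None for the benign record; scan_directory on the decoy tree reports the decoy by file name only, since its content does not hash to any indicator, which is exactly the lead-versus-confirmation distinction noted under Option 1.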

Next steps

If any results show the file name or one of the hashes, treat the host where it was found (dest in Option 1, host or Computer in Option 2) as compromised rather than merely vulnerable, and investigate and remediate it according to your incident response plan. Preserve the DLL and the web server's logs for analysis before you clean up, and finish by re-imaging the system from a known-good build.

Finally, you might be interested in other processes associated with the Detecting Supernova web shell malware use case.