Scenario: Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova malware attack.This attack exposes SolarWinds Orion via an in-memory web shell. Supernova leverages what was a zero-day vulnerability to install a trojanized .NET DLL. This DLL is not digitally signed like the Sunburst DLL was, which is one of the reasons multiple researchers believe that this is a different threat actor using a vulnerability to load their malicious code to vulnerable systems. The malware that is loaded is a web shell. This MITRE ATT&CK technique, T1505, is used by adversaries to backdoor web servers and establish persistent access to systems. You know you need to patch your SolarWinds software, but you also need to look for signs that your systems have been compromised.
To succeed in implementing this use case, you need the following dependencies, resources, and information.
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
- Systems vulnerable to Supernova malware
- File hashes associated with the Supernova trojanized DLL
- DLL loaded in a specific process
- .NET assemblies being compiled
- Web shell present in web traffic events
After running each of the searches, you will need to gather evidence, remove the malware, and remediate the vulnerability.
The content in this use case comes from previously published blogs, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case: