Splunk Lantern

Detecting Supernova web shell malware

Scenario: Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova malware attack. This attack exposes SolarWinds Orion via an in-memory web shell. Supernova leverages what was a zero-day vulnerability to install a trojanized .NET DLL. This DLL is not digitally signed, unlike the Sunburst DLL, which is one of the reasons multiple researchers believe that this is a different threat actor using a vulnerability to load their malicious code onto vulnerable systems. The malware that is loaded is a web shell; the corresponding MITRE ATT&CK technique, T1505, is used by adversaries to backdoor web servers and establish persistent access to systems. You know you need to patch your SolarWinds software, but you also need to look for signs that your systems have been compromised.
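Because the scenario singles out the missing digital signature as the distinguishing trait of the trojanized DLL, a quick on-host triage step is to check every DLL under the web application directory for an embedded Authenticode signature block. The script below is an added example written for this article, not Splunk code or SolarWinds tooling: it parses the PE header with the standard library only, reads the Certificate Table entry (data directory index 4), and reports files that carry no signature blob at all. The `build_minimal_pe` helper and the `SAMPLES` dictionary are constructed, non-loadable PE headers used purely to exercise the check offline; `scan_directory` is the hypothetical entry point you would run against a real install path. Note that the check only establishes whether a signature is present, not whether it is valid or trusted; a file that passes still needs signtool or `Get-AuthenticodeSignature` for full verification, and one that fails on a vendor-shipped component is exactly the evidence the scenario tells you to look for.

```python
import struct
from pathlib import Path

# Data-directory index of the Certificate Table (IMAGE_DIRECTORY_ENTRY_SECURITY).
SECURITY_DIR_INDEX = 4


def has_authenticode_signature(data: bytes) -> bool:
    """Return True if the PE image carries an embedded Authenticode blob.

    Only the presence of the Certificate Table entry is checked; the
    signature chain is not validated. A missing entry on a file that should
    be vendor-signed is the triage signal described in the scenario.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # COFF file header (20 bytes)
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                           # start of the optional header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                        # PE32
        count_off, dir_off = opt + 92, opt + 96
    elif magic == 0x20B:                      # PE32+ (64-bit)
        count_off, dir_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    (n_dirs,) = struct.unpack_from("<I", data, count_off)
    entry = dir_off + 8 * SECURITY_DIR_INDEX
    # No certificate directory declared, or the header is too short to hold it.
    if n_dirs <= SECURITY_DIR_INDEX or entry + 8 > opt + size_of_optional:
        return False
    offset, size = struct.unpack_from("<II", data, entry)  # offset is a file offset here
    return offset != 0 and size != 0


def triage_dlls(samples: dict) -> list:
    """Return the names of the DLLs that carry no embedded signature block."""
    return [name for name, blob in samples.items() if not has_authenticode_signature(blob)]


def scan_directory(root: str) -> list:
    """Hypothetical on-host entry point: walk a directory and list unsigned DLLs."""
    findings = []
    for path in Path(root).rglob("*.dll"):
        try:
            if not has_authenticode_signature(path.read_bytes()):
                findings.append(str(path))
        except ValueError:
            findings.append(f"{path} (not a valid PE)")
    return findings


def build_minimal_pe(signature_size: int, pe32plus: bool = True) -> bytes:
    """Constructed, non-loadable PE header used only to demonstrate the check."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> PE signature
    magic = 0x20B if pe32plus else 0x10B
    opt_size = 240 if pe32plus else 224               # sizes with all 16 directories
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    count_off, dir_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, count_off, 16)        # NumberOfRvaAndSizes
    sig_offset = 0x40 + 24 + opt_size if signature_size else 0
    struct.pack_into("<II", opt, dir_off + 8 * SECURITY_DIR_INDEX, sig_offset, signature_size)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2022)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"\0" * signature_size


# Constructed samples: one "vendor-signed" image and two with an empty certificate table.
SAMPLES = {
    "vendor_signed.dll": build_minimal_pe(512),
    "unsigned_dropped.dll": build_minimal_pe(0),
    "pe32_unsigned.dll": build_minimal_pe(0, pe32plus=False),
}

if __name__ == "__main__":
    for name in triage_dlls(SAMPLES):
        print(f"no Authenticode signature block: {name}")
```

Run `scan_directory` against the Orion web root on a suspect host and feed the resulting file list into your Splunk investigation alongside the web server logs; a .NET assembly is still a PE file, so the same header check applies to the trojanized DLL the scenario describes.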

Prerequisites

To succeed in implementing this use case, you need the following dependencies, resources, and information.

  • People: Threat hunter
  • Technologies: 
    • Splunk Enterprise or Splunk Cloud Platform
    • Vulnerability scanner (such as Tenable, Qualys, or Acunetix)
    • Splunk App for Stream
  • Data normalized to the following CIM models:


How to use Splunk software for this use case

Depending on what information you have available, you might find it useful to identify some or all of the following: 

Results

After running each of the searches, you will need to gather evidence, remove the malware, and remediate the vulnerability. 

Additional resources

The content in this use case comes from previously published blogs, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:
