Splunk Lantern

File hashes associated with the Supernova trojanized DLL

You might need to examine your data for specific hashes when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova in-memory web shell attack. Because the web shell runs in memory, post-breach detection and forensic analysis are difficult. You want to identify whether the file hashes associated with the Supernova trojanized DLL have been written to disk. Using information reported by various security researchers, you have a path name and some hashes from VirusTotal to search for.

Option 1

To optimize the search shown below, you should specify an index and a time range. In addition, content developed by the Splunk Security Research team requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Endpoint data model. For information on installing and using the CIM, see the Common Information Model documentation.

  1. Ensure that your deployment is ingesting endpoint logs from your various systems and populating the Endpoint data model.
  2. Run the following search:
    | tstats count FROM datamodel=Endpoint.Filesystem WHERE
    Filesystem.file_name=*logoimagehandler.ashx* OR 
    Filesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71 
    OR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR 
    Filesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676 groupby 
    Filesystem.file_name Filesystem.file_path Filesystem.dest 
    Filesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

| tstats count FROM datamodel=Endpoint.Filesystem WHERE
Filesystem.file_name=*logoimagehandler.ashx* OR
Filesystem.file_hash=C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
OR Filesystem.file_hash=75af292f34789a1c782ea36c7127bf6106f595e8 OR
Filesystem.file_hash=56ceb6d0011d87b6e4d7023d7ef85676 groupby
Filesystem.file_name Filesystem.file_path Filesystem.dest
Filesystem.file_hash Filesystem.vendor_product Filesystem.user _time span=1s
    Query the Endpoint data model for hashes associated with the Supernova trojanized DLL. The hashes are associated with the file name and were identified by VirusTotal:
    SHA256: C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71
    SHA1: 75af292f34789a1c782ea36c7127bf6106f595e8
    MD5: 56ceb6d0011d87b6e4d7023d7ef85676

Option 2

To optimize the search shown below, you should specify an index and a time range.  

  1. Ensure that your deployment is ingesting Microsoft Sysmon data. 
  2. Run the following search:
    sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational EventCode=11 
    file_name=*logoimagehandler.ashx* 
    | table _time host Image Computer TargetFilename

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

sourcetype=xmlwineventlog:microsoft-windows-sysmon/operational
    Search only Sysmon operational data.

EventCode=11
    Search for event code 11, which indicates that the driver detected a controller error on \Device\Harddisk3\DR3.

file_name=*logoimagehandler.ashx*
    Search for the file name shown.

| table _time host Image Computer TargetFilename
    Display the results in a table with columns in the order shown.
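As an added example (not part of this Lantern article or Splunk's own content), the same indicators can be checked offline in Python over Sysmon XML events exported from a host that is not forwarding to Splunk: the file-name test mirrors Option 2 and the hash test mirrors Option 1. The events, hostnames and paths below are constructed, and the Hashes/Hash field parsing assumes Sysmon's "ALG=value,ALG=value" format.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # Windows event XML namespace
# The three hashes from the page, lowercased so case differences between reports and telemetry never cause a miss.
IOC_HASHES = {h.lower() for h in (
    "C15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71",  # SHA256
    "75af292f34789a1c782ea36c7127bf6106f595e8",                          # SHA1
    "56ceb6d0011d87b6e4d7023d7ef85676",                                  # MD5
)}

def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", namespaces=NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", namespaces=NS)}
    return event_id, computer, data

def match_supernova(event_id, data):
    """Return why an event matches the page's indicators, or None if it does not."""
    target = data.get("TargetFilename", "")
    if event_id == 11 and target.lower().endswith("logoimagehandler.ashx"):  # file_name=*logoimagehandler.ashx*
        return f"file name match: {target}"
    # Hash-bearing Sysmon events record 'ALG=hex,ALG=hex' in a Hashes or Hash field; check every pair.
    for pair in (data.get("Hashes", "") + "," + data.get("Hash", "")).split(","):
        alg, _, value = pair.partition("=")
        if value.strip().lower() in IOC_HASHES:
            return f"{alg.strip()} hash match: {value.strip()}"
    return None

def triage(events):
    """Return (computer, reason) for every exported event that matches an indicator."""
    hits = []
    for event_id, computer, data in map(parse_event, events):
        reason = match_supernova(event_id, data)
        if reason:
            hits.append((computer, reason))
    return hits

def _sysmon(event_id, computer, **fields):
    """Build a minimal constructed Sysmon-style XML event for offline testing."""
    data = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{event_id}</EventID>"
            f"<Computer>{computer}</Computer></System><EventData>{data}</EventData></Event>")

SAMPLE_EVENTS = [  # constructed placeholders (hostnames, paths), not real telemetry
    _sysmon(11, "orion01.example.local", TargetFilename=r"C:\inetpub\SolarWinds\LogoImageHandler.ashx"),
    _sysmon(11, "orion01.example.local", TargetFilename=r"C:\inetpub\SolarWinds\web.config"),
    _sysmon(15, "orion02.example.local", TargetFilename=r"C:\Temp\stage.dll",
            Hash="SHA256=c15abaf51e78ca56c0376522d699c978217bf041a3bd3c71d09193efa5717c71"),
]
```

Any hit names the host that needs the investigation and re-imaging described under Result; the matcher reports the first indicator it finds per event.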

Result

If the search returns results showing the file name or any of the hashes, the host or computer on which they were found needs to be investigated further and remediated according to your response plan. The final step, after the investigation, is re-imaging the system with a known-good system build.
