Detecting Supernova web shell malware
Your company uses SolarWinds Orion business software, which is vulnerable to the Supernova malware attack. This attack exposes SolarWinds Orion via an in-memory web shell. Supernova leverages what was a zero-day vulnerability to install a trojanized .NET DLL. This DLL is not digitally signed like the Sunburst DLL was, which is one of the reasons multiple researchers believe that this is a different threat actor using a vulnerability to load their malicious code to vulnerable systems. The malware that is loaded is a web shell. This MITRE ATT&CK technique, T1505, is used by adversaries to backdoor web servers and establish persistent access to systems. You know you need to patch your SolarWinds software, but you also need to look for signs that your systems have been compromised.
How to use Splunk software for this use case
Depending on what information you have available, you might find it useful to identify some or all of the following:
After running each of the searches, you will need to gather evidence, remove the malware, and remediate the vulnerability.
The content in this use case comes from previously published blogs, one of the thousands of Splunk resources available to help users succeed. These additional Splunk resources might help you understand and implement this specific use case:
- Blog: SUPERNOVA Redux, with a generous portion of masquerading
- Blog: Using Splunk to detect sunburst backdoor
- Blog: Onboarding threat indicators into Splunk Enterprise Security: SolarWinds continued
Still need help with this use case? Most customers have OnDemand Services per their license support plan. Engage the ODS team at OnDemand-Inquires@splunk.