There might be false positives associated with this detection, since items like args as a web argument are pretty generic.

Techniques

Sample rules

Supernova Webshell

Description

The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing “logoimagehandler.ashx*codes*”, “logoimagehandler.ashx*clazz*”, “logoimagehandler.ashx*method*”, and “logoimagehandler.ashx*args*”. This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.

Detection logic


| tstats `security_content_summariesonly` count from datamodel=Web.Web where Web.url=*logoimagehandler.ashx*codes* OR Web.url=*logoimagehandler.ashx*clazz* OR Web.url=*logoimagehandler.ashx*method* OR Web.url=*logoimagehandler.ashx*args* by Web.src Web.dest Web.url Web.vendor_product Web.user Web.http_user_agent _time span=1s
| `supernova_webshell_filter`
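As an added example, not part of the original page or of the Splunk rule it quotes, the following Python re-implements the URL check above over a few constructed web-proxy log lines, groups hits per second the way the tstats `by ... _time span=1s` clause does, and shows the generic `args` false positive the note at the top of the page refers to, together with a stricter triage check that only counts the markers when they are real query-parameter names. The tab-separated log format, the case-insensitive matching and the two-parameter threshold are assumptions and are labelled as such in the code.

```python
"""Added example, not part of the original page or the Splunk rule it quotes.

Re-implements the Supernova webshell URL check in plain Python so it can be run
over a few constructed web-proxy log lines offline. Assumptions (not from the
page): log lines are tab-separated "time<TAB>src<TAB>dest<TAB>url<TAB>user<TAB>user_agent";
matching is case-insensitive, as Splunk treats wildcarded field values; the
per-second grouping mirrors "by ... _time span=1s" in the rule.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime
from typing import NamedTuple
from urllib.parse import parse_qs, urlsplit

# The handler name and the four markers from the rule: *logoimagehandler.ashx*<marker>*
HANDLER = "logoimagehandler.ashx"
MARKERS = ("codes", "clazz", "method", "args")


class WebEvent(NamedTuple):
    time: datetime
    src: str
    dest: str
    url: str
    user: str
    user_agent: str


def parse_line(line: str) -> WebEvent:
    """Parse one constructed tab-separated proxy log line into a WebEvent."""
    ts, src, dest, url, user, ua = line.rstrip("\n").split("\t")
    return WebEvent(datetime.fromisoformat(ts), src, dest, url, user, ua)


def matched_markers(url: str) -> list[str]:
    """Markers that occur anywhere after 'logoimagehandler.ashx' in the URL.

    This is exactly as loose as the wildcard pattern *logoimagehandler.ashx*<marker>*:
    the marker only has to appear somewhere after the handler name, so a value
    such as id=brand_args_logo also matches on "args". That is the false positive
    the page warns about.
    """
    low = url.lower()
    idx = low.find(HANDLER)
    if idx < 0:
        return []
    tail = low[idx + len(HANDLER):]
    return [m for m in MARKERS if m in tail]


def supernova_params(url: str) -> list[str]:
    """Stricter triage check: markers that are real query-parameter names.

    The four markers in the rule are Supernova's query parameter names, so
    requiring a marker to be a parameter name rather than a substring removes
    the generic-'args' false positive.
    """
    names = {k.lower() for k in parse_qs(urlsplit(url).query, keep_blank_values=True)}
    return [m for m in MARKERS if m in names]


def detect(lines: list[str]) -> Counter:
    """Count matches per (src, dest, url, user, user_agent, second), like the tstats 'by' clause."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if not matched_markers(ev.url):
            continue
        key = (ev.src, ev.dest, ev.url, ev.user, ev.user_agent, ev.time.replace(microsecond=0))
        counts[key] += 1
    return counts


def high_confidence(counts: Counter, min_params: int = 2) -> dict:
    """Subset of detect() results whose URL names at least min_params Supernova parameters.

    The loose match is kept for coverage; this subset is what to triage first.
    The threshold of two is an assumption, not part of the rule.
    """
    return {k: v for k, v in counts.items() if len(supernova_params(k[2])) >= min_params}


# Constructed sample log (not real traffic). Lines 1-2: the same webshell-style request
# twice in one second; line 3: benign handler request; line 4: generic 'args' parameter
# on another path; line 5: handler request whose value merely contains the substring "args".
SAMPLE_LOG = [
    "2020-12-14T10:00:01\t203.0.113.5\t10.0.0.20\t/SolarWinds/logoimagehandler.ashx?clazz=Orion.Test&method=Run&args=AAAA&codes=BBBB\tanonymous\tMozilla/5.0",
    "2020-12-14T10:00:01\t203.0.113.5\t10.0.0.20\t/SolarWinds/logoimagehandler.ashx?clazz=Orion.Test&method=Run&args=AAAA&codes=BBBB\tanonymous\tMozilla/5.0",
    "2020-12-14T10:00:02\t198.51.100.7\t10.0.0.20\t/SolarWinds/logoimagehandler.ashx?id=logo\tjdoe\tMozilla/5.0",
    "2020-12-14T10:00:03\t198.51.100.9\t10.0.0.30\t/api/search?args=1\tjdoe\tcurl/7.68",
    "2020-12-14T10:00:04\t198.51.100.7\t10.0.0.20\t/SolarWinds/logoimagehandler.ashx?id=brand_args_logo\tjdoe\tMozilla/5.0",
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for key, n in hits.items():
        print(f"{n}x {key[0]} -> {key[1]} {key[2]} strict_params={supernova_params(key[2])}")
    print("high confidence:", len(high_confidence(hits)))
```

Run as a script, the loose check fires on lines 1, 2 and 5 (two result rows, one with count 2), while the strict parameter-name check keeps only the first row, which is the one an analyst would start with; the `supernova_webshell_filter` macro in the rule is the place where such tuning would normally live.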