title: Solarwinds SUPERNOVA Webshell Access
id: a2cee20b-eacc-459f-861d-c02e5d12f1db
status: experimental
description: Detects access to SUPERNOVA webshell as described in Guidepoint report
author: Florian Roth
date: 2020/12/17
modified: 2020/12/22
references:
    - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
    - https://www.anquanke.com/post/id/226029
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    category: webserver
detection:
    selection1:
        c-uri|contains|all:
            - 'logoimagehandler.ashx'
            - 'clazz'
    selection2:
        c-uri|contains:
            - 'logoimagehandler.ashx'
        sc-status: 500
    condition: selection1 or selection2
fields:
    - client_ip
    - response
falsepositives:
    - Unknown
level: critical