EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Supernova Webshell

The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.

MITRE ATT&CK

T1505.003T1133
persistenceinitial-access

Detection Query

| tstats `security_content_summariesonly` count FROM datamodel=Web.Web
  WHERE web.url=*logoimagehandler.ashx*codes*
    OR
    Web.url=*logoimagehandler.ashx*clazz*
    OR
    Web.url=*logoimagehandler.ashx*method*
    OR
    Web.url=*logoimagehandler.ashx*args*
  BY Web.src Web.dest Web.url
     Web.vendor_product Web.user Web.http_user_agent
     _time span=1s
| `supernova_webshell_filter`

Author

John Stoner, Splunk

Created

2026-03-10

References

Tags

NOBELIUM GroupEarth AluxGhostRedirector IIS Module and Rungan Backdoor
Raw Content
name: Supernova Webshell
id: 2ec08a09-9ff1-4dac-b59f-1efd57972ec1
version: 9
date: '2026-03-10'
author: John Stoner, Splunk
status: experimental
type: TTP
description: The following analytic detects the presence of the Supernova webshell, used in the SUNBURST attack, by identifying specific patterns in web URLs. The detection leverages Splunk to search for URLs containing "*logoimagehandler.ashx*codes*", "*logoimagehandler.ashx*clazz*", "*logoimagehandler.ashx*method*", and "*logoimagehandler.ashx*args*". This activity is significant as it indicates potential unauthorized access and arbitrary code execution on a compromised system. If confirmed malicious, this could lead to data theft, ransomware deployment, or other severe outcomes. Immediate steps include reviewing the web URLs, inspecting on-disk artifacts, and analyzing concurrent processes and network connections.
data_source: []
search: |-
    | tstats `security_content_summariesonly` count FROM datamodel=Web.Web
      WHERE web.url=*logoimagehandler.ashx*codes*
        OR
        Web.url=*logoimagehandler.ashx*clazz*
        OR
        Web.url=*logoimagehandler.ashx*method*
        OR
        Web.url=*logoimagehandler.ashx*args*
      BY Web.src Web.dest Web.url
         Web.vendor_product Web.user Web.http_user_agent
         _time span=1s
    | `supernova_webshell_filter`
how_to_implement: To successfully implement this search, you need to be monitoring web traffic to your Solarwinds Orion. The logs should be ingested into splunk and populating/mapped to the Web data model.
known_false_positives: There might be false positives associted with this detection since items like args as a web argument is pretty generic.
references:
    - https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html
    - https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis/
rba:
    message: Potential Supernova Webshell on $dest$
    risk_objects:
        - field: user
          type: user
          score: 50
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - NOBELIUM Group
        - Earth Alux
        - GhostRedirector IIS Module and Rungan Backdoor
    asset_type: Web Server
    mitre_attack_id:
        - T1505.003
        - T1133
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network