diff --git a/rules/web/web_solarwinds_supernova_webshell.yml b/rules/web/web_solarwinds_supernova_webshell.yml
new file mode 100644
index 000000000..3bcbb019d
--- /dev/null
+++ b/rules/web/web_solarwinds_supernova_webshell.yml
@@ -0,0 +1,25 @@
+title: Solarwinds SUPERNOVA Webshell Access
+id: a2cee20b-eacc-459f-861d-c02e5d12f1db
+status: experimental
+description: Detects access to SUPERNOVA webshell as described in Guidepoint report
+author: Florian Roth
+date: 2020/12/17
+references:
+    - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
+tags:
+    - attack.persistence
+    - attack.t1505.003
+logsource:
+    category: webserver
+detection:
+    selection:
+        c-uri|contains|all:
+            - 'logoimagehandler.ashx'
+            - 'clazz'
+    condition: selection
+fields:
+    - client_ip
+    - response
+falsepositives:
+    - Unknown
+level: critical
\ No newline at end of file