From 9c8e1387a948bbcb8e5b47306c567d9d0b35c0ae Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 17 Dec 2020 09:05:08 +0100
Subject: [PATCH] rule: Solarwinds SUPERNOVA web shell access

---
 .../web/web_solarwinds_supernova_webshell.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/web/web_solarwinds_supernova_webshell.yml

diff --git a/rules/web/web_solarwinds_supernova_webshell.yml b/rules/web/web_solarwinds_supernova_webshell.yml
new file mode 100644
index 000000000..3bcbb019d
--- /dev/null
+++ b/rules/web/web_solarwinds_supernova_webshell.yml
@@ -0,0 +1,25 @@
+title: Solarwinds SUPERNOVA Webshell Access
+id: a2cee20b-eacc-459f-861d-c02e5d12f1db
+status: experimental
+description: Detects access to SUPERNOVA webshell as described in Guidepoint report
+author: Florian Roth
+date: 2020/12/17
+references:
+ - https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains|all:
+ - 'logoimagehandler.ashx'
+ - 'clazz'
+ condition: selection
+fields:
+ - client_ip
+ - response
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
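Review bot: The selection only fires when `clazz` appears in `c-uri`, so webshell parameters delivered in a POST body rather than the query string would slip past this rule; as I read the referenced GuidePoint analysis, the trojanized handler pulls `codes`/`clazz`/`method`/`args` through ASP.NET's `Request[...]` indexer, which reads form fields as readily as query-string values. A second selection on POSTs to the handler, OR'd into the condition, would close that gap, assuming legitimate logo fetches are GETs — worth confirming against real Orion traffic before relying on it at `level: critical`. Separately, the `fields` list (`client_ip`, `response`) does not use the webserver field naming the selection itself relies on; `c-ip` and `sc-status` would be consistent with `c-uri`. The file is also missing its trailing newline.
```yaml
detection:
  # … unchanged: selection …
  # Catches parameters passed in the request body; the handler reads them from Request[] either way
  selection_post:
    c-uri|contains: 'logoimagehandler.ashx'
    cs-method: 'POST'
  condition: selection or selection_post
```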