mnatkin-splunk/supernova-splunk-csvs

supernova-splunk-csvs

More fun with Solarwinds RCE, Webkit, and related vulnerabilities

IOCs (IP addresses, hashes of web shell .aspx files, names of .aspx files, user-agents), courtesy of CISA

This repository is a companion to the article published at https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html

CISA Analysis report: https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a

Contributing Advisories:

- https://us-cert.cisa.gov/ncas/current-activity/2021/04/20/cisa-releases-alert-exploitation-pulse-connect-secure
- https://us-cert.cisa.gov/ncas/alerts/aa-21-110a
- https://us-cert.cisa.gov/ncas/alerts/aa20-010a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a

DHS Emergency Directive 21-01: https://cyber.dhs.gov/ed/21-01/

Use these CSVs as lookup tables in Splunk for simple IOC matching. Note: if you want to use them with Splunk Enterprise Security (ES), use the versions in the EnterpriseSecurity directory. See this blog post for guidance: https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html
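To illustrate what such a lookup does, the following is an added, stand-alone example (not code from this repository, and not the Splunk lookup itself): it loads a constructed IOC CSV covering the four indicator types listed above and matches constructed log events against it, normalizing hash case and file paths the way a lookup-based search would need to. The column names, indicator values and event fields are all constructed placeholders.

```python
import csv
import io
import posixpath

# Constructed lookup table with the four indicator types the README lists
# (IP, web shell file hash, .aspx filename, user-agent). Values are placeholders,
# not the repository's real IOCs.
IOC_CSV = """indicator,type,description
198.51.100.23,ip,constructed C2 address (TEST-NET-2 range)
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff,sha256,constructed web shell hash
placeholder_shell.aspx,filename,constructed web shell filename
Mozilla/5.0 (constructed-ioc-ua),user_agent,constructed user agent
"""

# Event field -> indicator type, like the field mapping given to a Splunk lookup.
FIELD_TO_TYPE = {
    "src_ip": "ip", "dest_ip": "ip", "file_hash": "sha256",
    "file_name": "filename", "http_user_agent": "user_agent",
}

def normalize(ioc_type, value):
    """Canonical form so that hash case or a directory prefix does not hide a match."""
    value = value.strip()
    if ioc_type == "filename":
        return posixpath.basename(value.replace("\\", "/")).lower()
    if ioc_type == "sha256":
        return value.lower()
    return value

def load_iocs(csv_text):
    """Parse the CSV into {indicator type: {normalized indicator, ...}}."""
    iocs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        iocs.setdefault(row["type"], set()).add(normalize(row["type"], row["indicator"]))
    return iocs

def match_event(event, iocs):
    """Return (field, type, raw value) for every event field that hits a known indicator."""
    hits = []
    for field, ioc_type in FIELD_TO_TYPE.items():
        value = event.get(field)
        if value is not None and normalize(ioc_type, value) in iocs.get(ioc_type, set()):
            hits.append((field, ioc_type, value))
    return hits

def scan(events, iocs):
    """Return (event index, hits) for each event with at least one indicator match."""
    results = [(i, match_event(e, iocs)) for i, e in enumerate(events)]
    return [(i, hits) for i, hits in results if hits]

# Constructed events: one benign, one with an upper-case hash and a full Windows path.
EVENTS = [
    {"src_ip": "203.0.113.9", "http_user_agent": "Mozilla/5.0 (benign)"},
    {"src_ip": "198.51.100.23", "file_hash": "F" * 64,
     "file_name": "C:\\inetpub\\wwwroot\\Placeholder_Shell.aspx"},
]
```

Running `scan(EVENTS, load_iocs(IOC_CSV))` flags only the second event, on all three of its indicator-bearing fields.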

If you wish to add more IOCs to this repo, please send a PR!

23APR2021

About

IOCs related to AR21-112A
