SUPERNOVA Web Shell Exploit Report

SUPERNOVA is a malicious .NET web shell that was discovered on compromised SolarWinds Orion servers. Unlike typical web shells uploaded post-compromise, SUPERNOVA was a modified version of an existing legitimate .NET DLL file (app_web_logoimagehandler.ashx.b6031896.dll) that was not digitally signed.

SUPERNOVA exploited the fact that .NET applications can execute arbitrary C# code if a web shell is embedded into the source and compiled. The attacker inserted a method that allowed remote commands to be executed by sending specially crafted HTTP requests to the affected server. It was not signed like the official SolarWinds update and did not match the supply chain-style backdoor seen in SUNBURST.

• T1505.003 – Server Software Component: Web Shell
• T1059.004 – Command and Scripting Interpreter: .NET
• T1105 – Ingress Tool Transfer
• T1027 – Obfuscated Files or Information
• T1055 – Process Injection

View this mapping using official MITRE ATT&CK Navigator

• Scan SolarWinds installations for unsigned .NET DLLs like app_web_logoimagehandler
• Monitor for suspicious .NET reflection or compilation behavior on web servers
• Alert on abnormal outbound traffic from Orion servers
• Use EDR tools to detect non-signed DLL execution in privileged directories

• Microsoft Security Blog
• Palo Alto Networks: SUPERNOVA Analysis
• MITRE T1505.003