
S0578: SUPERNOVA

SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[1][2][3][4][5]

Domain: Enterprise | ID: S0578 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

SUPERNOVA matters because it represents an in-memory .NET C# web shell on Windows: a server-side foothold that can give an intruder persistent, remote access while blending into normal web activity. For leaders, the key issue is not the malware name alone, but whether internet-facing or internally exposed web applications have the logging, integrity monitoring, vulnerability response, and incident playbooks needed to prove a web shell is absent or contain one quickly.

Executive priority

Prioritize this as a web-application and server-resilience risk. The supplied ATT&CK relationships tie SUPERNOVA to web shell persistence, web-protocol command and control, exploit-driven execution, encoded/encrypted content, and resource-name masquerading. Executives should ask whether critical web servers are inventoried, patched, monitored for file and memory anomalies, and covered by incident response procedures that preserve evidence. Because official detection guidance is not provided, coverage should be validated through local telemetry and control testing rather than assumed from tool ownership.

Technical view

SOC and IR teams should validate coverage around Windows-hosted web applications and .NET application behavior. Focus on evidence that would reveal web shell persistence, unusual HTTP/S interactions, exploitation leading to code execution, encoded or obfuscated artifacts, and files or resources placed to look legitimate. Since SUPERNOVA is described as in-memory, file-only detection may be insufficient; teams should confirm availability of web server logs, endpoint process and module telemetry, application logs, file integrity data, and vulnerability/exposure context for affected web-facing software.

Likely telemetry

  • Windows endpoint telemetry for web server processes, child processes, loaded modules, and command execution attempts
  • Web server access logs, error logs, request parameters, user agents, source IPs, and unusual HTTP/S patterns
  • Application and .NET runtime logs where available
  • File integrity and change monitoring for web roots, application directories, configuration files, and suspiciously named resources
  • Network telemetry for outbound HTTP/S from servers, including uncommon destinations or patterns inconsistent with the application

Detection direction

  • Do not rely on a SUPERNOVA-specific signature alone; ATT&CK provides no official detection text for this object.
  • Hunt for web shell behaviors tied to T1505.003: unexpected server-side files, abnormal request patterns, and web server processes initiating unusual activity.
  • Correlate possible exploitation for client execution with new or changed application artifacts, crashes, errors, or suspicious process activity after web requests.
  • Look for encoded or encrypted content and resource names or locations that closely resemble legitimate application components, while tuning for normal software update and deployment activity.
  • Review web-protocol command-and-control possibilities by baselining normal server egress and investigating HTTP/S traffic from servers that should not initiate external communications.
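The hunting direction above (abnormal request patterns for T1505.003, GET requests carrying a specific parameter set for T1071.001, Base64-looking content for T1027.013) can be turned into a first-pass triage over web server access logs. The script below is an added example, not code from the page or from MITRE; the W3C-style log lines, the /app/ paths and the parameter names are constructed, and the baseline is simply the parameter-name combinations seen per path during a known-good window.

```python
"""Added hunting example (not from the page or MITRE): flag HTTP GET requests whose
query-parameter set is new for a path, and parameter values that look Base64-encoded."""
import re
from urllib.parse import parse_qs
# Constructed W3C-style access log lines: date time method uri-stem uri-query status.
# The baseline represents normal traffic observed for the application.
BASELINE_LOG = """\
2020-12-01 09:00:01 GET /app/Login.aspx - 200
2020-12-01 09:00:07 GET /app/Login.aspx ReturnUrl=%2fapp 200
2020-12-01 09:01:12 GET /app/View.aspx id=1 200
2020-12-01 09:02:30 GET /app/View.aspx id=7&tab=2 200
"""
# Lines to hunt over: one benign, one with an unseen parameter set, one carrying a Base64 value.
HUNT_LOG = """\
2020-12-15 10:01:02 GET /app/View.aspx id=3 200
2020-12-15 10:03:44 GET /app/View.aspx alpha=1&beta=2&gamma=3&delta=4 200
2020-12-15 10:03:50 GET /app/View.aspx id=3&tab=dXNpbmcgU3lzdGVtLklPOw%3d%3d 200
"""
# Base64 alphabet, at least 16 characters, at most two padding characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def parse_line(line):
    """Split one W3C-style line into (method, path, {param: [values]})."""
    _, _, method, path, query, _ = line.split()
    return method, path, parse_qs(query) if query != "-" else {}

def looks_base64(value):
    """Heuristic only: alphabet and length consistent with Base64 (short values are ignored)."""
    return bool(B64_RE.match(value)) and len(value) % 4 == 0

def build_baseline(log):
    """Map each path to the set of parameter-name combinations seen in normal traffic."""
    baseline = {}
    for line in log.splitlines():
        _, path, params = parse_line(line)
        baseline.setdefault(path, set()).add(frozenset(params))
    return baseline

def hunt(log, baseline):
    """Return (line_number, reason, path) for each request worth reviewing."""
    findings = []
    for n, line in enumerate(log.splitlines(), 1):
        _, path, params = parse_line(line)
        names = frozenset(params)
        if names not in baseline.get(path, set()):
            findings.append((n, "unseen parameter set: " + ",".join(sorted(names)), path))
        for name, values in params.items():
            if any(looks_base64(v) for v in values):
                findings.append((n, "base64-like value in " + name, path))
    return findings
```

Findings from a baseline built this way still need tuning against deployments and software updates, as the bullets above note; a new parameter set after a release is expected, a new one on an unchanged application is not.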

Mitigation priorities

  • Inventory and prioritize monitoring for Windows web servers and business-critical web applications.
  • Patch and harden exposed applications and supporting server software according to vulnerability-management priority and vendor guidance.
  • Restrict server egress to required destinations and review whether web servers can initiate unnecessary outbound HTTP/S connections.
  • Implement least privilege for web application identities and service accounts to reduce post-compromise reach.
  • Enable centralized retention of web, application, endpoint, and file-integrity telemetry sufficient for incident reconstruction.

Analyst notes and limits

MITRE describes SUPERNOVA as an in-memory .NET C# web shell discovered during investigation of APT29's SolarWinds operation but determined to be unrelated; subsequent analysis suggests it may have been used by SPIRAL. This take uses only the supplied ATT&CK object and relationship context, especially T1505.003, T1071.001, T1203, T1027.013, and T1036.005.

The ATT&CK object lists Windows as the platform but provides no official detection text, no tactics directly on the malware object, and no environment-specific indicators here. Local architecture, logging maturity, asset exposure, and vulnerability history are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

SUPERNOVA

SUPERNOVA is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of APT29's SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests SUPERNOVA may have been used by the China-based threat group SPIRAL.[1][2][3][4][5]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

5 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1071.001 | Web Protocols (sub-technique)
SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute. [Guidepoint SUPERNOVA Dec 2020; Unit42 SUPERNOVA Dec 2020]

Enterprise | T1203 | Exploitation for Client Execution
SUPERNOVA was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148). [Carnegie Mellon University Supernova Dec 2020; Splunk Supernova Jan 2021]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
SUPERNOVA has masqueraded as a legitimate SolarWinds DLL. [Guidepoint SUPERNOVA Dec 2020; Unit42 SUPERNOVA Dec 2020]

Enterprise | T1505.003 | Web Shell (sub-technique)
SUPERNOVA is a Web shell. [Unit42 SUPERNOVA Dec 2020; Guidepoint SUPERNOVA Dec 2020; CISA Supernova Jan 2021]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
SUPERNOVA contained Base64-encoded strings. [CISA Supernova Jan 2021]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 409675a0ef36c7d2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 409675a0ef36…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Guidepoint SUPERNOVA Dec 2020. Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
  2. Unit42 SUPERNOVA Dec 2020. Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
  3. SolarWinds Advisory Dec 2020. SolarWinds. (2020, December 24). SolarWinds Security Advisory. Retrieved February 22, 2021.
  4. CISA Supernova Jan 2021. CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
  5. Microsoft Analyzing Solorigate Dec 2020. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  6. mitre-attack S0578.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.