{
	"id": "98bbdde7-71dc-419a-bc97-9b536c57e9a7",
	"created_at": "2026-04-06T00:17:44.045438Z",
	"updated_at": "2026-04-10T13:12:14.580214Z",
	"deleted_at": null,
	"sha1_hash": "5a59428788d2189437f5275da8572b179416917e",
	"title": "SUPERNOVA Redux, with a Generous Portion of Masquerading | Splunk",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5185318,
	"plain_text": "Security | APRIL 22, 2021 | 10 MINUTE READ\r\n\r\nSUPERNOVA Redux, with a Generous Portion of Masquerading\r\n\r\nBy Splunk\r\nContributors: Mick Baccio, Katie Brown, James Brodsky, Drew Church, Dave Herrald, Ryan Kovar, Marcus LaFerrera, Michael Natkin and John Stoner\r\n\r\nIf you just want to see how to find masquerading, skip down to the detection sections. Otherwise, read on for a quick breakdown of what happened, how to detect it, and the MITRE ATT\u0026CK mappings.\r\n\r\nhttps://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html\r\n\r\nRecent SUPERNOVA Attack, Now with Masquerading\r\n\r\nThe Cybersecurity and Infrastructure Security Agency (CISA) issued an analysis report (AR21-112A) on April 22, 2021 that discussed a recent incident they supported. The first paragraph hits two recent hot buttons, Pulse Secure and SolarWinds, and you start wondering where this is going:\r\n\r\n“The threat actor connected to the entity’s network via a Pulse Secure virtual private network (VPN) appliance, moved laterally to its SolarWinds Orion server, installed malware referred to by security researchers as SUPERNOVA (a .NET webshell), and collected credentials.” — Analysis Report (AR21-112A)\r\n\r\nAll of a sudden we see SUPERNOVA and breathe a sigh of relief: we’ve got this; in fact, we blogged about it back in January 2021 in Detecting Supernova Malware: SolarWinds Continued. 
But as we read farther, we come to find out that the adversary lovingly decided to take their copy of procdump.exe — a command line tool used to create dumps of processes, and one that various actors have used to dump credentials — renamed it Splunklogger.exe, and placed it on the compromised SolarWinds server.\r\n\r\nGreat.\r\n\r\nThis blog will highlight some new detections for activity seen in this attack, along with a discussion of masquerading. We will also provide some detections that you can use in your own environment. As mentioned before, we won’t go deep into SUPERNOVA itself, since we covered it in a previous blog, but these actions on objectives are important to call out.\r\n\r\nWhat You Need to Know\r\n\r\nThis specific attack has a few interesting traits. The first is that the adversary used residential IP addresses based in the United States (US) to appear as US-based employees, and then leveraged valid accounts to gain access via the VPN.\r\n\r\nFrom there, the adversary used a virtual machine and obfuscated PowerShell scripts to move laterally to the SolarWinds server. At this point, the SUPERNOVA webshell is installed. 
Because logs were cleared during the attack, CISA was not able to determine whether the adversary exploited CVE-2020-10148, an authentication bypass vulnerability in SolarWinds Orion, or used another method to gain access.\r\n\r\nAt this point the adversary is collecting credentials as well as deploying tools to maintain persistence, evade defenses and perform other activities. A common tool that certain adversaries use is procdump.exe. ProcDump is a Microsoft Sysinternals command line utility used to monitor applications and create crash dumps, and adversaries have been observed using it to dump credentials. To hide the presence of procdump.exe on the SolarWinds server, the adversary renamed their copy to splunklogger.exe. This masquerading technique is fairly common with certain utilities: the presence of the utility on certain systems may trigger alarms, whereas a tool like Splunk is used in many organizations and raises less concern when seen.\r\n\r\nAfter credentials were dumped from LSASS memory, the adversary used the organization’s web server to exfiltrate the credentials and then deleted the web server logs in an effort to cover their tracks.\r\n\r\nAdditional access occurred after the initial attack by leveraging credentials that were likely cracked offline from the initial credential dump. 
A final identified access event occurred where both procdump.exe and winrar.exe were seen masquerading as wininit.exe, and the adversary attempted to archive credentials, probably before exfiltrating them.\r\n\r\nDetecting Masquerading As Well as Indicators of the SUPERNOVA Attack in Splunk\r\n\r\nHere we give you some hot-off-the-press searches to help find some of the badness derived from the CISA Analysis Report on this recent SUPERNOVA attack. Where we have coverage for these searches in Splunk security content, we call it out further below in the MITRE ATT\u0026CK section.\r\n\r\nWe covered some thoughts on detecting the SUPERNOVA webshell, as well as the associated vulnerabilities, in our previous post on the subject, so today we will focus on the activities that took place after the webshell was established, specifically masquerading and the file integrity of the files that were manipulated.\r\n\r\nIndicators of Compromise (IOCs)\r\n\r\nCISA published IOCs, including file names, hashes and IPs, in their report. We collected the common hashes for procdump.exe along with the IOCs that CISA identified and converted these indicators into simple CSV format so that you can use them as lookup tables; they are posted here. But what’s a lookup table, and how does it help with security detection in Splunk? We’ve got you covered there, too.\r\n\r\nProcess Monitoring\r\n\r\nWe are frequently asked “why should we use Sysmon for process monitoring instead of native Windows capability via Event ID 4688?” This situation is a perfect example of why the rich data gathered by Sysmon is so valuable to defenders and threat hunters: hashes.\r\n\r\nMicrosoft’s documentation for 4688 is available here. If we look at the example Event XML, we only see information such as the NewProcessId or NewProcessName. If we’ve turned on command line tracking, we get that information as well. Comparatively, Sysmon Event Code 1 has a number of other fields, including multiple types of hashes, the OriginalFileName and Company recorded in the binary’s version resource, and even the parent process id, to better contextualize the process that was created.\r\n\r\nIf we compare the name the binary was compiled with (OriginalFileName) against the name of the process that actually executed, we can use Sysmon data with a search like this to get a side-by-side comparison, using eval to compute a match field and then keeping only the mismatches:\r\n\r\nEventCode=1 OriginalFileName=* process_name=*\r\n| eval OriginalFileName=upper(OriginalFileName), process_name=upper(process_name)\r\n| eval match=if(OriginalFileName=process_name, \"Match\", \"No Match\")\r\n| search match=\"No Match\"\r\n| table _time host OriginalFileName process_name\r\n\r\nIn the results (screenshot not reproduced here), psexec.c is running under the name smb.exe. It is important to note that without additional filtering the search above is a bit noisy: plenty of legitimate binaries carry an OriginalFileName that differs from the executable name, PsExec’s own psexec.c among them. However, for our purposes we could easily swap out the OriginalFileName value of * in this search to look for just procdump.exe, or add the string “splunklogger” to the search.\r\n\r\nAnother technique we can use to identify masquerading is file hashes. To do this we can again use a favored capability of Splunk: the lookup!\r\n\r\nWe mentioned lookups above, and just to make sure this blog is super long, let’s cover them in greater detail. A very effective way of determining whether a process executing on one of your production servers is legitimate is to use lookups sourced with “known good” metadata about the processes normally found in your environment. Assuming you have tight control over upgrades that change legitimate binaries (e.g. a change control process/board), any binary executing on your production servers that is “unknown” when compared to the “known good” set can be flagged.\r\n\r\nHere’s one way of accomplishing that in Splunk. First, we leverage Sysmon’s Event Code 1, which provides hash values and a lot of other interesting process metadata, to harvest this data from a known-good “golden image” server in the environment, and we write it to a lookup called UFKnownGood.csv, keyed on the SHA256 hash. Note that there’s all sorts of interesting metadata in these events, like the company name, the version number of the file, a description, and so forth:\r\n\r\nindex=endpoint process_name=splunk* EventCode=1\r\n| eval known_good=1\r\n| stats values(process_name) as process_name values(Company) as Company values(Description) as Description values(FileVersion) as FileVersion values(known_good) as known_good by SHA256\r\n| outputlookup UFKnownGood.csv\r\n\r\nNow we can leverage it in subsequent searches. For example, let’s rip a page from the CISA SUPERNOVA report, take a copy of procdump.exe (which is a Sysinternals binary), rename it “splunklogger.exe”, put it on our desktop and run it. It will look like this in a Sysmon event.\r\n\r\n[Screenshot: Sysmon Event Code 1 for splunklogger.exe, not reproduced here]\r\n\r\nNow, let’s run a search to find Splunk binaries that are “unknown” to us, leveraging the lookup:\r\n\r\nindex=endpoint process_name=splunk* EventCode=1\r\n| lookup UFKnownGood.csv SHA256 OUTPUT known_good\r\n| eval known_good = case(known_good == 1, \"1\", true(), \"0\")\r\n| search known_good=0\r\n| stats values(process_name) as process_name values(Company) as Company values(Description) as Description values(FileVersion) as FileVersion by SHA256\r\n\r\nAnd voilà! We can see that a binary called “splunklogger.exe” executed, but it wasn’t in our approved lookup list, and, by the way, even though it is called “splunklogger.exe” it certainly isn’t a real Splunk binary, based on the Company and Description metadata.\r\n\r\nIn production, generating the lookup itself against raw data is a reasonable thing to do on an occasional basis. But for matching voluminous Sysmon data in Splunk, a tstats search against an accelerated data model from the Common Information Model is more efficient, like this one against Endpoint.Processes (the SHA256 is extracted from the comma-separated process_hash field before the lookup):\r\n\r\n| tstats summariesonly=t prestats=t count, values(Processes.process_name) from datamodel=Endpoint.Processes where Processes.process_name=\"splunk*\" by Processes.process_hash\r\n| rename Processes.process_hash as hashes\r\n| stats values(*) by hashes\r\n| rex field=hashes \"SHA256=(?\u003cSHA256\u003e[^,]+)\"\r\n| lookup UFKnownGood.csv SHA256\r\n| eval known_good = case(known_good == 1, \"1\", true(), \"0\")\r\n| search known_good=0\r\n\r\nFee Fi Fo FIM\r\n\r\nWe also figured file integrity monitoring (FIM) was an appropriate topic to cover since, ya know, procdump.exe went all splunklogger.exe on us. The goal of FIM is simple: detect unauthorized changes made to files, directories, network devices, the OS and more. This is accomplished by establishing a “baseline” for a file’s state (typically its hash, size, permissions and timestamps) and monitoring for changes to that state. It’s a great way to quickly identify file discrepancies, modifications and additions.\r\n\r\nNeed a FIM solution now? There are multiple commercial products designed for file integrity monitoring, like Tripwire and Qualys FIM.\r\n\r\nMore of an open source kind of person? Not a problem; there are several solutions available depending on your requirements. Some of the more popular open source FIM solutions include OSSEC and osquery.\r\n\r\nGot none of that? You can always use “native” file activity monitoring, from things like Sysmon’s FileCreate and FileDelete events, or even Windows 4663 events. All of the solutions we mention integrate well with Splunk, and many populate our Change data model for ease of use.\r\n\r\nSplunk Enterprise Security and ESCU\r\n\r\nThreat Intelligence Framework\r\n\r\nIf you are using Splunk Enterprise Security, the lookups of IOCs listed above can easily be ingested into the threat intelligence framework. Not sure how to do that? No worries: we published some guidance and a how-to on integrating lists of IOCs into the Enterprise Security threat intelligence framework.\r\n\r\nEnterprise Security Content Updates (ESCU)\r\n\r\nFor folks using ESCU, our Threat Research team already has a number of detections around masquerading. While they are not all in a single analytic story, they can be found using the Keyword Search. In fact, if you check out the MITRE ATT\u0026CK table below, you can cut and paste those Splunk search titles into the Keyword Search (placing * between the words in place of spaces) to view them in ESCU. If you have ESCU running today, you already have some great coverage!\r\n\r\nMITRE ATT\u0026CK\r\n\r\nReviewing the CISA Analysis Report (AR21-112A), we mapped the adversary’s activity to MITRE ATT\u0026CK. Each technique is then linked to Splunk content to help you hunt for that activity. Be aware: these searches are provided as a way to accelerate your hunting. We recommend you configure them via the Splunk Security Essentials app. You may need to modify them to work in your environment! Many of these searches are optimized for use with the tstats command.\r\n\r\nFinally, as more information becomes available, we will update these searches if more ATT\u0026CK TTPs become known.\r\n\r\nATT\u0026CK technique (Technique/Sub-Technique Title): Splunk searches\r\n\r\nT1105 (Ingress Tool Transfer): Suspicious Curl Network Connection\r\nT1036.003 (Rename System Utilities): System Processes Run From Unexpected Locations\r\nT1505.003 (Web Shell): Detect Exchange Web Shell; W3WP Spawning Shell; Supernova Webshell\r\nT1078 (Valid Accounts): Reconnaissance of Access and Persistence Opportunities via PowerSploit modules; Setting Credentials via DSInternals modules; Probing Access with Stolen Credentials via PowerSploit modules; Setting Credentials via PowerSploit modules; Reconnaissance of Credential Stores and Services via Mimikatz modules; Reconnaissance and Access to Accounts and Groups via Mimikatz modules; Reconnaissance of Privilege Escalation Opportunities via PowerSploit modules; Applying Stolen Credentials via Mimikatz modules; Applying Stolen Credentials via PowerSploit modules; Setting Credentials via Mimikatz modules\r\nT1047 (Windows Management Instrumentation): Script Execution via WMI; Process Execution via WMI; Remote Process Instantiation via WMI; Reconnaissance and Access to Operating System Elements via PowerSploit modules; WMI Permanent Event Subscription; WMI Temporary Event Subscription\r\nT1018 (Remote System Discovery): Windows AdFind Exe\r\nT1070.001 (Clear Windows Event Logs): Windows Event Log Cleared; Suspicious wevtutil Usage\r\nT1021.002 (SMB/Windows Admin Shares): Reconnaissance of Connectivity via PowerSploit modules; Reconnaissance and Access to Shared Resources via PowerSploit modules; Reconnaissance and Access to Shared Resources via Mimikatz modules; Detect PsExec With accepteula Flag; SMB Traffic Spike; SMB Traffic Spike - MLTK\r\nT1057 (Process Discovery): Reconnaissance and Access to Processes and Services via Mimikatz modules; Reconnaissance and Access to Operating System Elements via PowerSploit modules\r\nT1083 (File and Directory Discovery): Reconnaissance and Access to Operating System Elements via PowerSploit modules\r\nT1140 (Deobfuscate/Decode Files or Information): CertUtil With Decode Argument\r\nT1003.001 (LSASS Memory): Detect Mimikatz Using Loaded Images; Dump LSASS via comsvcs DLL; Create Remote Thread into LSASS; Access LSASS Memory for Dump Creation; Detect Credential Dumping through LSASS access; Dump LSASS via procdump; Creation of lsass Dump with Taskmgr; Dump LSASS via procdump Rename\r\nT1041 (Exfiltration Over C2 Channel): Detect SNICat SNI Exfiltration\r\nT1059.001 (PowerShell): Malicious PowerShell Process - Connect To Internet With Hidden Window; Set Default PowerShell Execution Policy To Unrestricted or Bypass; Any Powershell DownloadString; Malicious PowerShell Process With Obfuscation Techniques; Any Powershell DownloadFile; Malicious PowerShell Process - Execution Policy Bypass\r\n\r\nHere is a list of all the MITRE ATT\u0026CK TTPs that we saw being used in this attack:\r\nT1133, T1078, T1059.001, T1140, T1105, T1505.003\r\n\r\nConclusion\r\n\r\nThis blog is a bit of an outlier. We realize that attacks are continually occurring, but with the masquerading of procdump.exe as splunklogger.exe, as well as the use of the SUPERNOVA malware, which was so recent, it felt like a good time to talk about this specific attack. Masquerading and obfuscation are capabilities that many adversaries use during their attacks. Hopefully these searches will give you more visibility into your environment and any malicious activity you might be experiencing. If they don’t work perfectly, think of them as “SplunkSpiration” :-). Again, you may have to modify them to work in your unique environment. If we uncover additional information, we will update this blog.\r\n\r\n----------------------------------------------------\r\nThanks!\r\nJohn Stoner\r\nSplunk
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html"
	],
	"report_names": [
		"supernova-redux-with-a-generous-portion-of-masquerading.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434664,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5a59428788d2189437f5275da8572b179416917e.pdf",
		"text": "https://archive.orkl.eu/5a59428788d2189437f5275da8572b179416917e.txt",
		"img": "https://archive.orkl.eu/5a59428788d2189437f5275da8572b179416917e.jpg"
	}
}