Analytics Story: SolarWinds WHD RCE Post Exploitation

Description

CVE-2025-26399 is a critical remote code execution vulnerability in SolarWinds Web Help Desk caused by insecure deserialization in the AjaxProxy component. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable, internet-exposed systems with high privileges. Because Web Help Desk often runs with elevated access and integrates into internal IT environments, successful exploitation provides a direct entry point into enterprise networks. This analytic story focuses on post-exploitation detection, providing a collection of detections designed to identify malicious activity occurring after initial compromise. The included detections monitor for behaviors such as suspicious process execution, command shell spawning, abnormal child processes from the Web Help Desk service, privilege escalation attempts, lateral movement activity, persistence mechanisms, and outbound command-and-control communications associated with exploitation of CVE-2025-26399.

Why it matters

Threat actors actively exploit this vulnerability by scanning for exposed Web Help Desk instances and delivering crafted payloads to gain execution. Following initial access, attackers quickly deploy legitimate remote management and forensic tools to establish persistence and interactive control. This enables reconnaissance, credential access, and potential lateral movement, demonstrating a fast transition from exploitation to hands-on intrusion.
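As an added example (not part of the Splunk analytic story or of its detections), the following Python models three of the post-exploitation behaviours the description lists as plain rules run over constructed Sysmon EventID 1-style process-creation records: a command shell spawned by the Web Help Desk service process, a PowerShell launch with an encoded command, and a scheduled task created to run as SYSTEM. The Web Help Desk parent-process path pattern, the reduced field set (RecordId, Image, ParentImage, CommandLine) and every sample event are assumptions constructed for this example, not values taken from the page.

```python
"""Rule-based triage of process-creation events (Sysmon EventID 1 shape, reduced
to the fields the rules need). All events and path patterns are constructed
for this example; the Web Help Desk install path is an assumption."""
import base64
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

# Assumption: Web Help Desk runs inside a bundled Java process under its install
# directory. Adjust the pattern to the real parent image in your environment.
WHD_PARENT_RE = re.compile(r"\\webhelpdesk\\.*\\java(w)?\.exe$", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch;
# the operand is base64 of a UTF-16LE string.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+(?P<b64>[A-Za-z0-9+/=]{16,})")
SCHTASKS_CREATE_RE = re.compile(r"(?i)/create")
SCHTASKS_SYSTEM_RE = re.compile(r'(?i)/ru\s+"?(?:nt authority\\)?system\b')


def image_name(path: str) -> str:
    """Last path component, lower-cased, so rules compare on the executable name."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_whd_spawns_shell(ev: Event) -> bool:
    """Abnormal child process: an interactive shell whose parent is the WHD service."""
    return image_name(ev["Image"]) in SHELLS and WHD_PARENT_RE.search(ev["ParentImage"]) is not None


def rule_encoded_powershell(ev: Event) -> bool:
    """PowerShell started with an encoded (base64) command."""
    return image_name(ev["Image"]) in POWERSHELL and ENC_RE.search(ev["CommandLine"]) is not None


def rule_schtasks_run_as_system(ev: Event) -> bool:
    """schtasks.exe creating a task that runs under the SYSTEM account."""
    cl = ev["CommandLine"]
    return (image_name(ev["Image"]) == "schtasks.exe"
            and SCHTASKS_CREATE_RE.search(cl) is not None
            and SCHTASKS_SYSTEM_RE.search(cl) is not None)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Enrichment: recover the plaintext of a -EncodedCommand operand, or None."""
    m = ENC_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group("b64")).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("WHD service spawned a command shell", rule_whd_spawns_shell),
    ("Encoded PowerShell command", rule_encoded_powershell),
    ("Scheduled task created to run as SYSTEM", rule_schtasks_run_as_system),
]


def evaluate(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (RecordId, rule name) for every rule each event triggers."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["RecordId"], name))
    return hits


# Constructed sample events. "dwBoAG8AYQBtAGkA" is base64 of "whoami" in UTF-16LE.
SAMPLE_EVENTS: List[Event] = [
    {"RecordId": "1",
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",  # assumed path
     "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": "2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"},
    {"RecordId": "3",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\ProgramData\update.exe" /sc onlogon /ru SYSTEM'},
    {"RecordId": "4",  # benign control: no rule should fire
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for record_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule_name}")
    print("decoded:", decode_encoded_command(SAMPLE_EVENTS[1]["CommandLine"]))
```

Each rule maps to one row of the detections table below (abnormal child process, encoded PowerShell, schtasks run as SYSTEM); the benign fourth record shows that an ordinary user-launched process produces no hit, which is the false-positive check to keep in mind before tuning the parent-image pattern to a real deployment.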

Detections

| Name | Technique | Type |
|---|---|---|
| Disable Defender AntiVirus Registry | Disable or Modify Tools | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP |
| Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly |
| System Information Discovery Detection | System Information Discovery | TTP |
| Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP |
| Windows DLL Module Loaded in Temp Dir | Ingress Tool Transfer | Hunting |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting |
| Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly |
| Windows HTTP Network Communication From MSIExec | Msiexec | Anomaly |
| Windows Known Abused DLL Loaded Suspiciously | DLL | TTP |
| Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP |
| Windows MSIExec Remote Download | Msiexec | TTP |
| Windows Process Execution From ProgramData | Match Legitimate Resource Name or Location | Hunting |
| Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP |
| Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP |
| Windows Schtasks Create Run As System | Scheduled Task | TTP |
| Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly |
| Windows Unsigned DLL Side-Loading | DLL | Anomaly |
| Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP |
| WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4700 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4702 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational |
| Windows Event Log TaskScheduler 201 | Windows | XmlWinEventLog | XmlWinEventLog:Security |

Source: GitHub | Version: 1