
Description

This playbook acts on events in which a file has been determined to be malicious (e.g. a webshell dropped on an end host). Before deleting the file, the playbook runs a "more" command against it to capture its contents, so that the evidence is preserved, and then deletes the file.

  • Type: Response
  • Product: Splunk SOAR
  • Apps: Windows Remote Management
  • Last Updated: 2021-03-29
  • Author: Philip Royer, Splunk
  • ID: fc0edc96-ff2b-48b0-9a6f-63da6783fd63
  • Use-cases:

Associated Detections

How To Implement

This playbook reads and then deletes the file whose path is stored in artifact:.cef.filePath on the host whose address is stored in artifact:.cef.destinationAddress. Windows Remote Management (WinRM) must be enabled on the remote computer.
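The read-then-delete sequence described above, as a Python example added here; it is not the playbook's own code. The WinRM session is replaced by a constructed in-memory stand-in (FakeWinRM) so the logic runs offline, and the command forms `more <path>` and `del /f /q <path>`, the path validation, and the decision to leave the file in place when the read fails are assumptions of this example rather than behaviour documented for the playbook.

```python
"""Read-then-delete remediation modelled on the playbook described above.

Added example: the path check and the fail-closed ordering (no delete unless
the contents were captured first) are this example's own choices.
"""
from dataclasses import dataclass
import re

# Accept only absolute local Windows paths with no wildcards: a wildcard or a
# relative path arriving in an artifact could delete far more than the single
# file the detection flagged.  (Assumed policy, not the playbook's.)
_SAFE_PATH = re.compile(r"^[A-Za-z]:\\(?:[^\\/:*?\"<>|\r\n]+\\)*[^\\/:*?\"<>|\r\n]+$")


def extract_targets(artifact: dict) -> tuple[str, str]:
    """Return (host, path) from an artifact's CEF block, rejecting unsafe paths."""
    cef = artifact.get("cef", {})
    path = cef.get("filePath")
    host = cef.get("destinationAddress")
    if not path or not host:
        raise ValueError("artifact is missing cef.filePath or cef.destinationAddress")
    if not _SAFE_PATH.match(path):
        raise ValueError(f"refusing to act on unsafe path: {path!r}")
    return host, path


@dataclass
class CommandResult:
    rc: int
    stdout: str
    stderr: str = ""


class FakeWinRM:
    """Constructed stand-in for a WinRM session backed by an in-memory filesystem."""

    def __init__(self, files: dict):
        self.files = dict(files)
        self.log = []  # every command issued, for audit assertions

    def run_cmd(self, command: str, args: list) -> CommandResult:
        self.log.append(" ".join([command, *args]))
        path = args[-1]
        if path not in self.files:
            return CommandResult(1, "", f"Cannot access file {path}")
        if command == "more":
            return CommandResult(0, self.files[path])
        if command == "del":
            del self.files[path]
            return CommandResult(0, "")
        return CommandResult(1, "", f"unknown command {command}")


def remediate(artifact: dict, session) -> dict:
    """Capture the file with `more`, then remove it with `del /f /q`.

    If the read fails the file is left untouched so nothing is destroyed
    before it has been preserved for investigation.
    """
    host, path = extract_targets(artifact)
    read = session.run_cmd("more", [path])
    if read.rc != 0:
        return {"host": host, "path": path, "captured": None,
                "deleted": False, "error": read.stderr.strip()}
    delete = session.run_cmd("del", ["/f", "/q", path])
    return {"host": host, "path": path, "captured": read.stdout,
            "deleted": delete.rc == 0,
            "error": delete.stderr.strip() or None}


if __name__ == "__main__":
    # Constructed sample artifact and host; the file body is a placeholder.
    artifact = {"cef": {"filePath": "C:\\inetpub\\wwwroot\\upload.aspx",
                        "destinationAddress": "10.0.0.5"}}
    session = FakeWinRM({"C:\\inetpub\\wwwroot\\upload.aspx": "<!-- constructed sample body -->"})
    print(remediate(artifact, session))
```

The captured contents are returned alongside the delete status so the playbook can attach them to the container as a note or artifact before the file is gone; a path that fails validation raises instead of silently doing nothing, which keeps the failure visible to the analyst.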


Required field

  • filePath
  • destinationAddress

Reference

Version: 1