Delete Detected Files

Description

This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a "more" command on the file in question to extract its contents. We then run a delete on the file in question.

Type: Response
Product: Splunk SOAR
Apps: Windows Remote Management
Last Updated: 2021-03-29
Author: Philip Royer, Splunk
ID: fc0edc96-ff2b-48b0-9a6f-63da6783fd63

Associated Detections

Executable File Written in Administrative SMB Share

How To Implement

This playbook reads and then deletes files stored with artifact:.cef.filePath from hosts stored in artifact:.cef.destinationAddress. Windows Remote Management must be enabled on the remote computer.

Explore Playbook

explore

Required field

filePath
destinationAddress

Reference

source | version: 1

Twitter Facebook LinkedIn

Delete Detected Files

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Windows Vulnerable 3CX Software

3CX Supply Chain Attack Network Indicators

Hunting 3CXDesktopApp Software

Okta Mismatch Between Source and Response for Verify Push Request