Delete Detected Files

Description

This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a "more" command on the file in question to extract its contents. We then run a delete on the file in question.

Type: Response
Product: Splunk SOAR
Apps: Windows Remote Management
Last Updated: 2021-03-29
Author: Philip Royer, Splunk
ID: fc0edc96-ff2b-48b0-9a6f-63da6783fd63
Use-cases:

Associated Detections

Executable File Written in Administrative SMB Share

How To Implement

This playbook reads and then deletes files stored with artifact:.cef.filePath from hosts stored in artifact:.cef.destinationAddress. Windows Remote Management must be enabled on the remote computer.

Explore Playbook

explore

Required field

filePath
destinationAddress

Reference

source | version: 1

Twitter Facebook LinkedIn

Delete Detected Files

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Headless Browser Mockbin or Mocky Request

Headless Browser Usage

Windows Find Interesting ACL with FindInterestingDomainAcl

Windows Get Local Admin with FindLocalAdminAccess