Internal Host SSH Investigate

Description

Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.

Type: Investigation
Product: Splunk SOAR
Apps: SSH
Last Updated: 2021-12-14
Author: Philip Royer, Splunk
ID: fdb65816-6688-41d8-8698-755b7b4ec44e
Use-cases:

Associated Detections

How To Implement

The ssh asset requires sudo access to view the processes with open sockets.

Explore Playbook

Required field

Reference

https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh

source | version: 1

Twitter Facebook LinkedIn

Internal Host SSH Investigate

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Headless Browser Mockbin or Mocky Request

Headless Browser Usage

Windows Find Interesting ACL with FindInterestingDomainAcl

Windows Get Local Admin with FindLocalAdminAccess