Internal Host SSH Investigate

Description

Investigate an internal unix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity, and network activity. This includes the process list, login history, cron jobs, and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.

Type: Investigation
Product: Splunk SOAR
Apps: SSH
Last Updated: 2021-12-14
Author: Philip Royer, Splunk
ID: fdb65816-6688-41d8-8698-755b7b4ec44e

Associated Detections

How To Implement

The ssh asset requires sudo access to view the processes with open sockets.

Explore Playbook

Required field

Reference

https://github.com/Neo23x0/Fenrir/blob/master/fenrir.sh

source | version: 1

Twitter Facebook LinkedIn

Internal Host SSH Investigate

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Okta Mismatch Between Source and Response for Verify Push Request

Okta Suspicious Use of a Session Cookie

Okta Multiple Failed Requests to Access Applications

Windows Rundll32 WebDav With Network Connection