Internal Host WinRM Response

Description

Published in response to CVE-2021-44228, this playbook accepts a list of hosts and filenames to remediate on the endpoint. If filenames are provided, the endpoints will be searched and then the user can approve deletion. Then the user is prompted to quarantine the endpoint.

Type: Response
Product: Splunk SOAR
Apps: Windows Remote Management
Last Updated: 2021-12-14
Author: Kelby Shelton, Splunk
ID: 32fd9db5-5201-4b2f-b2c2-9299c7b3495d

Associated Detections

How To Implement

The winrm asset requires Administrator access to gather certain files.

Explore Playbook

Required field

Reference

source | version: 1

Twitter Facebook LinkedIn

Internal Host WinRM Response

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Okta Mismatch Between Source and Response for Verify Push Request

Okta Suspicious Use of a Session Cookie

Okta Multiple Failed Requests to Access Applications

Windows Rundll32 WebDav With Network Connection