Internal Host WinRM Response

Description

Published in response to CVE-2021-44228, this playbook accepts a list of hosts and filenames to remediate on the endpoint. If filenames are provided, the endpoints will be searched and then the user can approve deletion. Then the user is prompted to quarantine the endpoint.

Type: Response
Product: Splunk SOAR
Apps: Windows Remote Management
Last Updated: 2021-12-14
Author: Kelby Shelton, Splunk
ID: 32fd9db5-5201-4b2f-b2c2-9299c7b3495d
Use-cases:

Associated Detections

How To Implement

The winrm asset requires Administrator access to gather certain files.

Explore Playbook

Required field

Reference

source | version: 1

Twitter Facebook LinkedIn

Internal Host WinRM Response

Description

Associated Detections

How To Implement

Explore Playbook

Required field

Reference

You May Also Enjoy

Headless Browser Mockbin or Mocky Request

Headless Browser Usage

Windows Find Interesting ACL with FindInterestingDomainAcl

Windows Get Local Admin with FindLocalAdminAccess