This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a "more" command on the file in question to extract its contents. We then run a delete on the file in question.
- Type: Response
- Product: Splunk SOAR
- Apps: Windows Remote Management
- Last Updated: 2021-03-29
- Author: Philip Royer, Splunk
- ID: fc0edc96-ff2b-48b0-9a6f-63da6783fd63
How To Implement
This playbook reads and then deletes files stored with artifact:.cef.filePath from hosts stored in artifact:.cef.destinationAddress. Windows Remote Management must be enabled on the remote computer.
source | version: 1