Hello Community,
Wondering if anyone has a use case or directions, based on best practices, for how Siemplify can be leveraged in the investigation and response to a probable web shell attack detection?
Thanks.
Hmmm...That's a tough one. You asked about investigation and response, not detection, so that means in this use case you've already determined that your endpoint was compromised with a web shell? Investigating impact is a bit tricky but you may be able to automate some of the commonly performed jobs.
A. Check all directories for additional web shells or other alien files.
-- EDR tools to list all files with the same or later creation or modification date as the detected web shell.
---- Example: Cisco's AMP contains a tool, "Orbital", which Siemplify has an integration for, which can be used here.
-- Event logs to find all files with the same or later creation or modification date as the detected web shell.
---- Not sure how to Siemplify that. Maybe with Google Rapid Response? If these logs are placed in a SIEM like QRadar or Splunk, you could use the Siemplify integration to perform this search.
B. Query logs like NetFlow logs to determine everything the compromised server talked to.
-- Cisco's StealthWatch + Siemplify integration. Search on events after web shell creation.
C. Determine and remediate vulnerabilities on suspected systems.
-- Tools like Nessus or Rapid7 with Siemplify's integration to automatically query the systems.
D. Firewall logs to check for strange access. If in a SIEM, can query with Siemplify. Or perhaps Siemplify has your firewall, like Fortinet.
-- Determine reputation of all IPs.
-- Determine any repetitively seen IPs.
E. If using AD, use Siemplify to query AD for recently created accounts. Immediate review of any with admin privs.
It'd be some work, but a playbook could be strung together to do a bunch of comparing findings or kicking off an automation based on a finding.
If you build something like this I'd love to see it.
Good luck, sir. That would be an awesome thing to automate to determine true/false positive.
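As an added illustration of steps A and D from the answer above (this is example code written for this page, not the poster's playbook and not any Siemplify or vendor integration code), the script below does locally what a playbook step would ask an EDR or SIEM to do: it takes the detected web shell's own modification time as the pivot, lists every file in the web root modified at or after that time, and counts which source IPs appear more than once in firewall events after the pivot. The web root, file timestamps, firewall log format (`<timestamp> src=<ip> dst=<ip> action=<allow|deny>`) and all IP addresses are constructed sample data; the function names are my own.

```python
import os
import shutil
import tempfile
from collections import Counter
from datetime import datetime, timezone


def files_modified_since(root, since_ts):
    """Walk the web root and return sorted (relative path, mtime) pairs for
    every file whose modification time is at or after since_ts (epoch seconds).
    This is step A of the post, done locally instead of via an EDR query."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            mtime = os.stat(full).st_mtime
            if mtime >= since_ts:
                hits.append((os.path.relpath(full, root), mtime))
    return sorted(hits)


def parse_fw_line(line):
    """Parse one constructed firewall log line of the form
    '<ISO-8601 timestamp> src=<ip> dst=<ip> action=<allow|deny>'
    (an assumed format, not any vendor's real log layout)."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def repeated_sources_since(log_lines, since_ts):
    """Step D of the post: keep only events at or after the shell's creation
    and return {src_ip: count} for sources seen more than once."""
    since = datetime.fromtimestamp(since_ts, tz=timezone.utc)
    counts = Counter(
        ev["src"] for ev in map(parse_fw_line, log_lines) if ev["time"] >= since
    )
    return {ip: n for ip, n in counts.items() if n > 1}


def triage(webroot, webshell_relpath, fw_log_lines):
    """Anchor both searches on the detected web shell's own mtime."""
    since_ts = os.stat(os.path.join(webroot, webshell_relpath)).st_mtime
    return {
        "pivot_time": datetime.fromtimestamp(since_ts, tz=timezone.utc).isoformat(),
        "new_files": files_modified_since(webroot, since_ts),
        "repeated_ips": repeated_sources_since(fw_log_lines, since_ts),
    }


# --- Constructed sample data (not from any real incident) -------------------
SHELL_TS = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc).timestamp()

SAMPLE_FILES = {  # relative path -> mtime, expressed relative to the shell's
    "index.php": SHELL_TS - 86400 * 30,      # legitimate, a month old
    "css/style.css": SHELL_TS - 86400 * 30,
    "uploads/img.php": SHELL_TS,             # the detected web shell
    "uploads/cache.php": SHELL_TS + 600,     # dropped ten minutes later
}

SAMPLE_FW_LOG = [  # documentation-range IPs, constructed for this example
    "2024-05-01T09:30:00Z src=198.51.100.20 dst=10.0.0.7 action=allow",
    "2024-05-01T10:05:00Z src=203.0.113.5 dst=10.0.0.7 action=allow",
    "2024-05-01T10:07:00Z src=203.0.113.5 dst=10.0.0.7 action=allow",
    "2024-05-01T10:09:00Z src=203.0.113.5 dst=10.0.0.7 action=allow",
    "2024-05-01T10:20:00Z src=198.51.100.20 dst=10.0.0.7 action=allow",
    "2024-05-01T11:00:00Z src=192.0.2.44 dst=10.0.0.7 action=deny",
]


def demo():
    """Build the sample web root in a temp dir, run triage, then clean up."""
    root = tempfile.mkdtemp(prefix="webroot_")
    try:
        for rel, ts in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder content\n")
            os.utime(path, (ts, ts))  # set the constructed timestamps
        return triage(root, "uploads/img.php", SAMPLE_FW_LOG)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("pivot:", result["pivot_time"])
    for rel, _ in result["new_files"]:
        print("file at/after pivot:", rel)
    for ip, n in result["repeated_ips"].items():
        print(f"repeated source {ip}: {n} events")
```

The point of anchoring on the shell's own timestamp is that both lists shrink to the window that matters: the month-old `index.php` and stylesheet drop out, the later `uploads/cache.php` surfaces as a second file to review, and the one pre-pivot event from `198.51.100.20` no longer makes that address look repetitive. In a playbook the two functions would be replaced by the EDR and SIEM queries the answer mentions, with the same pivot time passed in as a parameter.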