Hello Community,
Wondering if anyone has a use case or directions based on best practices of how Siemplify can be leveraged in the investigation and response of a probable web shell attack detection?
Thanks.
Hmmm...That's a tough one. You asked about investigation and response, not detection, so that means in this use case you've already determined that your endpoint was compromised with a web shell? Investigating impact is a bit tricky but you may be able to automate some of the commonly performed jobs.
A. check all directories for additional web shells or other alien files.
-- EDR tools to list all files with same or later creation or modification date as the detected web shell.
---- Example, Cisco's AMP contains a tool "Orbital" which Siemplify has an integration for which can be used here.
-- Event logs: find all files with same or later creation or modification date as the detected web shell.
---- Not sure how to siemplify that. Maybe with Google Rapid Response? If these logs are placed in a SIEM like QRadar or Splunk, could use Siemplify integration to perform this search.
B. Query logs like net flow logs to determine what all the compromised server talked to
-- Cisco's StealthWatch + Siemplify integration. Search on events after web shell creation.
C. Determine and remediate vulnerabilities on suspected systems
-- Tools like Nessus or Rapid7 with Siemplify's integration to automatically query the systems.
D. Firewall logs to check for strange access. If in a SIEM, can query with Siemplify. Or perhaps Siemplify has an integration for your firewall, like Fortinet.
-- Determine reputation of all IPs.
-- Determine any repetitively seen IPs.
E. If using AD, use Siemplify to query AD for recently created accounts. Immediate review of any with admin privs.
It'd be some work, but a playbook could be strung together to do a bunch of comparing findings or kicking off an automation based on a finding.
If you build something like this I'd love to see it.
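As a worked illustration of step A above (the "files with same or later modification date as the detected web shell" sweep), here is an added example that is not from the thread and not Siemplify's own code or any of the named integrations. It assumes the investigator already has the path of the confirmed web shell and a copy of (or read access to) the web root; the sample directory layout, file names and timestamps are constructed for the demo. Only mtime is compared, because mtime is what a demo can set, so the output is a triage list, not proof of absence: an EDR file timeline or file-system journal, as the answer suggests, is the stronger source.

```python
import os
import tempfile
from pathlib import Path

# Server-side types the web server will execute; a new file of one of these
# types near a known web shell is the first thing to look at.
EXECUTABLE_EXT = {".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx",
                  ".ashx", ".cgi", ".pl", ".war"}


def files_since(root, pivot_ts):
    """Walk `root` and return [(path, mtime)] for every file whose
    modification time is at or after `pivot_ts` (the web shell's own mtime).
    mtime can be timestomped, so this is a first pass, not a clean bill."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; skip rather than abort the sweep
            if st.st_mtime >= pivot_ts:
                hits.append((path, st.st_mtime))
    hits.sort(key=lambda h: h[1])
    return hits


def triage(root, webshell_path):
    """Candidate files touched at or after the detected web shell, minus the
    shell itself, with executable server-side types listed first."""
    pivot = os.lstat(webshell_path).st_mtime
    rows = []
    for path, mtime in files_since(root, pivot):
        if os.path.samefile(path, webshell_path):
            continue
        rows.append({
            "path": os.path.relpath(path, root),
            "mtime": mtime,
            "executable": Path(path).suffix.lower() in EXECUTABLE_EXT,
        })
    rows.sort(key=lambda r: (not r["executable"], r["mtime"]))
    return rows


def build_demo(base_ts=1_700_000_000):
    """Constructed sample web root (hypothetical, not a real incident).
    Returns (root, path_of_detected_web_shell)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    layout = {
        "index.php": base_ts - 30 * 86400,   # legitimate, old
        "config.php": base_ts - 3600,        # legitimate, edited before the shell
        "uploads/webshell.php": base_ts,     # the file the EDR detected
        "cache/x.php": base_ts + 60,         # dropped right after it: top priority
        "uploads/img.png": base_ts + 120,    # newer, but not executable
    }
    for rel, ts in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample content\n")
        os.utime(p, (ts, ts))
    return root, os.path.join(root, "uploads", "webshell.php")


if __name__ == "__main__":
    demo_root, shell = build_demo()
    for r in triage(demo_root, shell):
        flag = "EXEC" if r["executable"] else "    "
        print(f"{flag} {r['mtime']:.0f} {r['path']}")
```

In a playbook the `triage` output would be the list handed to the next step (hash lookup, quarantine, or an analyst task), and `build_demo` would be replaced by the real web root and the path from the EDR alert.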
Apologies for the late reply and thanks for your response. You are right, investigation and response, because detection is happening through the EDR, but it might be a false positive too, which is why I included investigation to know whether the detection is a true positive. But I think that is more of a manual investigation and analysis based on the stealthy nature of the attack.
Good luck sir. That would be an awesome thing to automate, determining true/false positive.