ShellSweep Implementation Guide
First, find a home for ShellSweep or create a new app. Within the app, two items are required:
- inputs.conf
- ShellSweep.ps1 (the script, placed in the app's bin directory)
To begin, add this stanza to your inputs.conf:
[powershell://ShellSweep]
script = . "$SplunkHome\etc\apps\win_inputs_app\bin\ShellSweep.ps1"
disabled = false
sourcetype = shellsweep
schedule = 0 0 * * *
index = win
Modify the script path to point at your app's bin directory and adjust the schedule to your liking. The default schedule runs the script daily.
Now, add ShellSweep.ps1 to the bin directory. The latest version is located here: https://github.com/MHaggis/ShellSweep/blob/main/ShellSweep.ps1
By default, ShellSweep outputs JSON, which Splunk can ingest and extract fields from without any additional parsing configuration.
Once the inputs and the script are set up, restart the universal forwarder; data should begin showing up at the scheduled time.
In Splunk, that data will generally appear as:
{
"FilePath": "C:\\inetpub\\wwwroot\\evil.aspx",
"Entropy": 4.718015178376675,
"FileHash": "0c0017e0a80f8b55de0e4f6d7b6d18e0"
}
The 4 fields are parsed automatically, and anyone can now query the data.
Aside from baselining and tuning the entropy values in ShellSweep itself, another use case is to capture every scanned file and use the Entropy field to review them all in Splunk, grouped by FilePath.
index=win sourcetype=shellsweep
| stats values(Entropy) as Entropy by FilePath
This query will show you the FilePath and the associated Entropy value, allowing you to identify files with high entropy that may be potential web shells.
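To make the JSON record and the stats query above concrete, here is an added Python example (not part of ShellSweep or this guide) that computes per-file Shannon entropy, emits events in the same three-field shape, and then groups distinct Entropy values by FilePath the way the SPL query does. The MD5 choice for FileHash, the sample file contents and the 7.0 threshold are assumptions made for the example.

```python
import hashlib
import json
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def shellsweep_record(file_path: str, data: bytes) -> dict:
    """Build one event shaped like the JSON shown above.
    Assumption: FileHash is MD5 (the sample hash is 32 hex characters)."""
    return {
        "FilePath": file_path,
        "Entropy": shannon_entropy(data),
        "FileHash": hashlib.md5(data).hexdigest(),
    }


def entropy_by_filepath(events: list) -> dict:
    """Mimic `| stats values(Entropy) as Entropy by FilePath`: distinct values per path."""
    grouped = {}
    for ev in events:
        grouped.setdefault(ev["FilePath"], set()).add(ev["Entropy"])
    return {path: sorted(vals) for path, vals in grouped.items()}


def high_entropy_paths(events: list, threshold: float) -> list:
    """Paths whose highest observed entropy reaches the threshold (an assumed tuning value)."""
    return sorted(p for p, vals in entropy_by_filepath(events).items() if vals[-1] >= threshold)


# Constructed sample file contents: a plain page and a file full of dense encoded data.
PLAIN_PAGE = b'<%@ Page Language="C#" %>\r\n<html><body><h1>Welcome</h1></body></html>\r\n'
DENSE_BLOB = bytes(range(256)) * 4  # every byte value equally often -> entropy exactly 8.0

SAMPLE_EVENTS = [
    shellsweep_record("C:\\inetpub\\wwwroot\\default.aspx", PLAIN_PAGE),
    shellsweep_record("C:\\inetpub\\wwwroot\\evil.aspx", DENSE_BLOB),
    shellsweep_record("C:\\inetpub\\wwwroot\\evil.aspx", DENSE_BLOB[:128]),  # same path, later scan
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(json.dumps(ev))  # one JSON object per event, as the forwarder would send it
    print(high_entropy_paths(SAMPLE_EVENTS, threshold=7.0))
```

Real web shells rarely reach 8.0; the point is that a path whose entropy sits well above the rest of the web root is worth a look, and the threshold should come from your own baseline.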