ShellSweepPlus Implementation Guide
As with ShellSweep, it is straightforward to get ShellSweepPlus running and deployed to web servers across the fleet.
First, find a home for ShellSweepPlus or create a new App. Within the App, two items are required:
- inputs.conf
- ShellSweepPlus.ps1, the script itself, placed in the App's bin directory
Add the script to inputs.conf. The stanza below runs the script every day at midnight; modify the schedule as needed based on requirements.

```ini
[powershell://ShellSweepPlus]
script = . "$SplunkHome\etc\apps\win_inputs_app\bin\ShellSweepPlus.ps1"
disabled = false
sourcetype = shellsweepplus
schedule = 0 0 * * *
index = win
```

The App name in the script path (win_inputs_app here) must match the App you created, and the index named in the stanza (win) must already exist on the indexers or the events will be dropped.
Now, add ShellSweepPlus.ps1 to the App's bin directory. The latest version is located here. By default, ShellSweepPlus outputs JSON, so Splunk can ingest it and extract the fields without any additional parsing configuration.
Once the inputs and script are in place, restart the universal forwarder; data will begin showing up after the first scheduled run.
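The deployment steps above, as one script you can push to each forwarder. This is an added example written for this guide, not code from the ShellSweep project; it assumes the universal forwarder is installed at its default path, that the App name and index match the inputs.conf stanza above, and that the script is fetched from a hypothetical internal share (\\deploy\shellsweep). It also verifies what the forwarder actually loaded, since a stanza in another App's default directory can silently override yours.

```powershell
# Added example; not ShellSweepPlus project code. Stages the App layout described
# in the guide on a Windows universal forwarder and verifies the loaded input.
# Assumptions: default forwarder install path, App name and index as in the guide,
# and the script fetched from a hypothetical internal share.
$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder'
$AppName    = 'win_inputs_app'
$Source     = '\\deploy\shellsweep\ShellSweepPlus.ps1'   # hypothetical share
$AppRoot    = Join-Path $SplunkHome "etc\apps\$AppName"
$BinDir     = Join-Path $AppRoot 'bin'
$LocalDir   = Join-Path $AppRoot 'local'

# bin\ holds the script; local\ holds the stanza (local\ overrides default\).
New-Item -ItemType Directory -Force -Path $BinDir, $LocalDir | Out-Null
Copy-Item -Path $Source -Destination (Join-Path $BinDir 'ShellSweepPlus.ps1') -Force

# Same stanza as the guide. The backtick keeps $SplunkHome literal so that Splunk,
# not this script, expands it; $AppName is expanded now so the path matches $AppRoot.
$Stanza = @"
[powershell://ShellSweepPlus]
script = . "`$SplunkHome\etc\apps\$AppName\bin\ShellSweepPlus.ps1"
disabled = false
sourcetype = shellsweepplus
schedule = 0 0 * * *
index = win
"@
Set-Content -Path (Join-Path $LocalDir 'inputs.conf') -Value $Stanza -Encoding ASCII

# The forwarder executes whatever sits in bin\ under its service account, so record
# the hash of the staged copy and compare it with the release you intended to ship.
$Staged = Get-FileHash -Path (Join-Path $BinDir 'ShellSweepPlus.ps1') -Algorithm SHA256
"Staged {0} {1}" -f $Staged.Hash, $Staged.Path

# Needs an elevated prompt; SplunkForwarder is the UF service name on Windows.
Restart-Service -Name SplunkForwarder

# btool prints the merged stanza the forwarder actually loaded and, with --debug,
# the file each setting came from, so an overriding stanza elsewhere cannot hide.
& (Join-Path $SplunkHome 'bin\splunk.exe') btool inputs list 'powershell://ShellSweepPlus' --debug
```

Run it from an elevated PowerShell session on the forwarder. If btool shows `disabled = 1` or a different `script` path than you wrote, another App is overriding the stanza and the scan will never run at midnight.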
Then, in Splunk, query the data:

```
index=win sourcetype=shellsweepplus
| stats count by DetectionMethod ConfidenceScore suspiciousKeywords matchedHeuristics FilePath Entropy StDev Hash
```
Filter or split the query by DetectionMethod to see how each detection method scores across your files.
Similar to ShellSweep, ShellSweepPlus can also be run on its own without Splunk, for example during incident response or to validate that other preventive controls have not missed anything. It is a single command:

```powershell
.\ShellSweepPlus.ps1 -ScanPath "C:\inetpub\wwwroot" -ExcludedDirectories @("C:\inetpub\wwwroot\logs", "C:\inetpub\wwwroot\images") -HashIgnore @("1a2b3c4d5e6f7890", "0a1b2c3d4e5f6789")
```

-ExcludedDirectories skips paths the scan should not walk, and -HashIgnore suppresses any file whose hash matches one of the listed values (the hashes shown are example values). Keep the ignore list to files you have positively verified, since an ignored hash is invisible to the scan.
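The standalone run above, and the DetectionMethod breakdown the Splunk search gives, combined into one incident-response workflow. This is an added example written for this guide, not code from the ShellSweep project. It builds the -HashIgnore list from a known-good copy of the site so that only files differing from the release artefact are reported, runs the script with the parameters shown in the guide, and triages the JSON. Several things are assumptions not stated on the page: that the script writes its JSON to stdout (which is what a Splunk scripted input captures), that -HashIgnore takes MD5 hex digests, that ConfidenceScore is numeric, and the golden-copy path D:\deploy\wwwroot-release is hypothetical.

```powershell
# Added example; not ShellSweepPlus project code. Builds a -HashIgnore allowlist
# from a known-good copy of the site, runs ShellSweepPlus.ps1 as the guide shows,
# and triages the JSON it returns by DetectionMethod and ConfidenceScore.
# Assumptions (the page does not state them): the script writes JSON to stdout,
# -HashIgnore takes MD5 hex digests, ConfidenceScore is numeric, and the golden
# copy path is hypothetical. Change $HashAlgorithm if your copy hashes differently.
param(
    [string]$ScriptPath    = '.\ShellSweepPlus.ps1',
    [string]$ScanPath      = 'C:\inetpub\wwwroot',
    [string]$GoldenPath    = 'D:\deploy\wwwroot-release',   # hypothetical known-good copy
    [string[]]$ExcludedDirectories = @("$ScanPath\logs", "$ScanPath\images"),
    [string]$HashAlgorithm = 'MD5',
    [double]$MinConfidence = 50
)

# Hash the server-side script files in the golden copy. Hash only the release
# artefact, never the live webroot: anything hashed here becomes invisible to the scan.
function Get-BaselineHashes {
    param([string]$Path, [string]$Algorithm)
    Get-ChildItem -Path $Path -Recurse -File -Include *.aspx, *.ashx, *.asmx, *.asax, *.php, *.jsp |
        Get-FileHash -Algorithm $Algorithm |
        Select-Object -ExpandProperty Hash |
        Sort-Object -Unique
}

# Run the scan with the same parameters as the guide, capturing stdout as strings.
function Invoke-ShellSweepPlus {
    param([string[]]$HashIgnore)
    & $ScriptPath -ScanPath $ScanPath -ExcludedDirectories $ExcludedDirectories -HashIgnore $HashIgnore |
        ForEach-Object { [string]$_ }
}

# Accept either one JSON document (object or array) or one JSON object per line.
function ConvertFrom-ScanOutput {
    param([string[]]$Lines)
    $text = ($Lines -join "`n").Trim()
    if (-not $text) { return @() }
    try {
        return @(ConvertFrom-Json -InputObject $text -ErrorAction Stop)
    } catch {
        return @($Lines | Where-Object { $_.Trim() } |
            ForEach-Object { ConvertFrom-Json -InputObject $_ -ErrorAction Stop })
    }
}

$baseline = @(Get-BaselineHashes -Path $GoldenPath -Algorithm $HashAlgorithm)
$results  = @(ConvertFrom-ScanOutput -Lines @(Invoke-ShellSweepPlus -HashIgnore $baseline))

"Baseline hashes ignored: {0}; files flagged: {1}" -f $baseline.Count, $results.Count

# The same breakdown the Splunk search gives, but for this one host.
$results | Group-Object DetectionMethod | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Highest-confidence hits first. Hash is the pivot: search it across the fleet in
# Splunk to find the same file dropped on other servers.
$results |
    Where-Object { [double]$_.ConfidenceScore -ge $MinConfidence } |
    Sort-Object { [double]$_.ConfidenceScore } -Descending |
    Select-Object FilePath, DetectionMethod, ConfidenceScore, Entropy, Hash, matchedHeuristics |
    Format-Table -AutoSize
```

Run it from the directory holding ShellSweepPlus.ps1, or pass -ScriptPath. If the script in your environment writes to a file instead of stdout, feed that file's contents to ConvertFrom-ScanOutput instead of the Invoke-ShellSweepPlus output; the triage section is unchanged.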