Shuffle-SOAR command and control mitigation


Meo Yes

Jun 19, 2023, 12:32:12 PM
to Wazuh mailing list
Hello, I hope everyone is doing great. I am now receiving alerts from Wazuh about a command and control attack at level 15. I want to do the mitigation part, I mean I want to give a Shuffle playbook to execute it, for example deleting the file that was added, or quarantining, or isolating the PC from the rest of the network. The attacks I am having are command and control backdoor, trojan and reverse shell with Meterpreter. And I don't know how to do it!
I am installing Wazuh and Shuffle in Docker in the same virtual machine. Does anyone have any idea, or can recommend me a video or documentation? Thank you and have an amazing day.

Norberto Cesar Vicchi

Jun 19, 2023, 1:05:11 PM
to Wazuh mailing list
Hello Meo,

Based on the information provided, it seems like you are experiencing a serious security incident. We recommend that you immediately isolate the affected machine from the network and follow your organization's incident response plan.

In terms of Wazuh, we suggest reviewing the rules and decoders related to command and control attacks, backdoors, trojans, and reverse shells.
Here you can check some active responses like removing detected malicious files.
You can learn a lot more about Wazuh's active response here.

Regarding Wazuh and Shuffle integration, you can check this link.

Regards,
Norberto
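One way to implement the "removing detected malicious files" response Norberto points to, as an added example that is not Wazuh's or Shuffle's own code: a custom active-response script that quarantines the flagged file instead of deleting it, so the sample survives for forensics. It is wired to the rule in ossec.conf with a `<command>`/`<active-response>` pair, and Shuffle can trigger the same command through the Wazuh API's active-response endpoint. The quarantine directory, the script name and the `syscheck.path` alert field are assumptions.

```python
#!/usr/bin/env python3
"""Wazuh active-response script: quarantine the file named in an alert.
Added example, not Wazuh's or Shuffle's own code. Assumes the Wazuh 4.2+ AR
protocol (JSON on stdin, check_keys handshake) and alert["syscheck"]["path"]."""
import json
import os
import shutil
import sys
from pathlib import Path
QUARANTINE_DIR = Path("/var/ossec/quarantine")  # assumed; not a Wazuh default

def parse_request(line: str) -> dict:
    # wazuh-execd writes one JSON object per request to the script's stdin
    msg = json.loads(line)
    if msg.get("version") != 1 or "command" not in msg:
        raise ValueError("unexpected active-response message")
    return msg

def file_from_alert(alert: dict) -> str:
    # Assumption: the FIM alert puts the file path under syscheck.path.
    path = alert.get("syscheck", {}).get("path")
    if not path:
        raise ValueError("alert has no syscheck.path to act on")
    return path

def quarantine(path: str, dest_dir: Path) -> Path:
    src = Path(path)
    dest_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    dest = dest_dir / f"{src.name}.{os.getpid()}"  # pid suffix avoids collisions
    shutil.move(str(src), str(dest))  # unlike rename, works across filesystems
    dest.chmod(0o400)  # read-only and kept for forensics rather than deleted
    return dest

def build_check_keys(keys: list) -> dict:
    # Dedup handshake: execd answers "continue" or "abort" for these keys
    return {"version": 1, "origin": {"name": "quarantine-file", "module": "active-response"},
            "command": "check_keys", "parameters": {"keys": keys}}

def main() -> int:
    request = parse_request(sys.stdin.readline())
    if request["command"] != "add":
        return 0  # "delete" arrives on timeout; a quarantined file stays put
    path = file_from_alert(request["parameters"]["alert"])
    print(json.dumps(build_check_keys([path])), flush=True)
    if json.loads(sys.stdin.readline()).get("command") != "continue":
        return 0  # execd replied "abort": this path was handled recently
    quarantine(path, QUARANTINE_DIR)
    return 0

if __name__ == "__main__":
    sys.exit(main())
```

Install it under /var/ossec/active-response/bin/ on the agent and reference it from the `<executable>` element of the command; isolating the host from the network is a separate response (for example the firewall-drop script that ships with Wazuh) and is not covered by this script.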

Meo Yes

Jun 19, 2023, 3:52:59 PM
to Wazuh mailing list
Hey again, thank you for the answer, Mr. Norberto Cesar Vicchi.
The integration is already done and Wazuh is connected with Shuffle, and it is sending the alerts about command and control attacks. My question is that I want to make an automatic response to the rule, like I said before, for example deleting the file of the malware or isolating the PC from the network to stop the communication between the C2 server and my PC. Do you have any idea how to do it with Shuffle security orchestration, automation and response? Thank you again, sir.

Norberto Cesar Vicchi

Jun 20, 2023, 12:51:02 PM
to Wazuh mailing list
I am afraid that regarding Shuffle configuration you should refer to their documentation or community.

Regards,
Norberto

Meo Yes

Jun 21, 2023, 5:46:57 PM
to Wazuh mailing list
Thank you, I will keep my problem here, maybe anyone can help.