Automatic Handling of HSS Web Shell Attacks (Automated handling of host rebound Shell attacks)
Playbook Overview
The Automated handling of host rebound Shell attacks playbook automatically adds the host that triggers the alert whose Alarm Type is Web shell to a VPC security group, and SecMaster automatically blocks the outbound (access from the host to third parties) and inbound (access from third parties to the host) access. The playbook will automatically close the alert at the same time.
Trigger condition: The alert source is HSS, and the alert type is Web shell.
You need to enable this playbook for it to take effect.
Prerequisites
- Your SecMaster professional edition is available.
- The HSS security alarm log has been connected to SecMaster, and the Auto Alert Conversion button has been enabled. For details about how to connect logs to SecMaster, see Enabling Log Access.
- You have created a model using the built-in Host - Reverse Shell template and enabled the model. For details about how to create and enable a model, see Creating an Alert Model Using a Preconfigured Model Template and Managing Models, respectively.
Procedure
- Log in to the SecMaster console.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, choose Security Orchestration > Playbooks.
Figure 2 Accessing the Playbooks tab
- On the Playbooks page, search for the Automated handling of host rebound Shell attacks playbook and click Enable in the Operation column of the playbook.
- In the dialog box displayed, select the initial playbook version v1 and click OK. If the Playbook Status of the Automated handling of host rebound Shell attacks playbook changes to Enabled, the playbook has been enabled successfully.
Implementation Effect
The Automated handling of host rebound Shell attacks playbook automatically adds the host that triggers the alert whose Alarm Type is Web shell to a VPC security group, and SecMaster automatically blocks the outbound (access from the host to third parties) and inbound (access from third parties to the host) access. The playbook will automatically close the alert at the same time.
- If the playbook detects an HSS alert whose Alarm Type is Web shell, the playbook generates a to-do task for automatically isolating the host that triggered the alert. In the navigation pane on the left of the SecMaster workspace, choose . On the To-Dos page, you can view the task whose name is Review Server Isolation and the Associated Object is Automated handling of host rebound Shell attacks.
- On the To-Dos page, locate the task whose name is Review Server Isolation and Associated Object is Automated handling of host rebound Shell attacks and click Review in the Operation column. On the Playbook - Node Review pane displayed on the right, select Continue.
- If the isolation is approved, SecMaster automatically adds the host to the VPC security group. SecMaster automatically blocks the outbound (host access to third parties) and inbound (third parties access to the host) access. You can view the security group named SecMaster_One-Click_Host_Isolation in the VPC service. For details about how to view a security group, see Viewing a Security Group.
Figure 4 SecMaster_One-Click_Host_Isolation security group
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
