Splunk SOAR (f.k.a. Phantom)

Issues with network shares and WRM SOAR app

knot9
Engager

I'm trying to create a playbook that uses the Windows Remote Management app to take a file saved locally on a server and move it to a location on a network share. I've tried using different command and PowerShell options and the WRM app's built-in action 'copy-item', and none of them work.

I can run these commands and scripts locally on the server, logged in as the user that would be performing these actions through SOAR, and everything works fine. I can also have SOAR move the file from a local folder to another local folder and everything works fine. It's only when I ask SOAR to move it to a network share that it will not work.

Examples of what I'm doing: 

    Move-Item -Path C:\folder\file.txt -Destination \\servername\sharename 

This script will work fine locally, but will not through SOAR.

    Move-Item -Path C:\folder\file.txt -Destination C:\differentfolder\file.txt

This script will work fine both locally and through SOAR.

I've tried mapping the drive so I can use M:\file.txt and it still fails. I've asked SOAR to run the commands directly and also have tried letting SOAR run a script that uses these commands and it will not work. It doesn't seem to be a permission issue since I'm able to do all of this locally. 

I'm lost as to what else I can try or what else to look for as possible issues. Thanks for any help.
