Skip to main content

Command-Line Analysis

This Playbook is part of the Common Playbooks Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook takes a command line from the alert and performs the following actions:

  • Checks for base64 string and decodes if exists
  • Extracts and enriches indicators from the command line
  • Checks specific arguments for malicious usage

At the end of the playbook, it sets a possible verdict for the command line, based on the finding:

  1. Indicators found in the command line
  2. Found AMSI techniques
  3. Found suspicious parameters
  4. Usage of malicious tools
  5. Indication of network activity
  6. Indication of suspicious LOLBIN execution

Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input".

Dependencies#

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks#

  • Compare Process Execution Arguments To LOLBAS Patterns

Integrations#

This playbook does not use any integrations.

Scripts#

  • Set
  • MatchRegexV2
  • DeleteContext
  • Base64Decode

Commands#

  • extractIndicators

Playbook Inputs#


NameDescriptionDefault ValueRequired
CommandlineThe command line.Optional
StringSimilarityThresholdStringSimilarity automation threshold. Used by the Compare "Process Execution Arguments To LOLBAS Patterns" sub-playbook. This input controls the StringSimilarity automation threshold.0.5Optional

Playbook Outputs#


PathDescriptionType
MatchRegexThe regex found in the command line.unknown
IndicatorsIndicators extracted from the command line.unknown
commandline.originalThe original command line.unknown
commandline.decodedThe decoded command line.unknown
IPThe IP object.unknown
URLThe URL object.uknown
FileThe file object.unknown
DomainThe domain object.unknown
CommandlineVerdict.base64Command line verdict base64 was found. True/Falseunknown
CommandlineVerdict.suspiciousParametersCommand line verdict suspicious parameters found. True/Falseunknown
CommandlineVerdict.AMSICommand line verdict AMSI found. True/Falseunknown
CommandlineVerdict.foundIndicatorsCommand line verdict foundIndicators found. True/Falseunknown
CommandlineVerdict.maliciousToolsCommand line verdict maliciousTools found. True/Falseunknown
CommandlineVerdict.networkActivityCommand line verdict networkActivity found. True/Falseunknown
CommandlineVerdict.SuspiciousLolbinExecutionCommand line verdict SuspiciousLolbinExecution found. True/Falseunknown

Playbook Image#


Command-Line Analysis