FireEye Red Team Tools Investigation and Response

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook does the following:

Collect indicators to aid in your threat hunting process.

  • Retrieve IOCs of FireEye red team tools.
  • Discover IOCs of associated activity related to the infection.
  • Generate an indicator list to block indicators with SUNBURST tags.

Hunt for the indicators

  • Search endpoints with the FireEye red team tools CVEs.
  • Search endpoint logs for FireEye red team tools hashes.
  • Search and link previous incidents with the FireEye hashes.

If compromised hosts are found, the playbook runs the Isolate Endpoint sub-playbook to isolate/quarantine the affected hosts/endpoints and then waits for further action from the security team.
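The hunt described above, worked as an added Python example that is not the playbook's own logic: it pulls file hashes out of a constructed stand-in for all-hashes.csv the way extractIndicators would from the body returned by the http script, hunts for them in constructed endpoint log lines, and decides per host between immediate isolation and analyst approval according to the IsolateEndpointAutomatically input. The CSV column layout, the log-line format and the host names are assumptions. It also rewrites the FireEyeRedTeamToolsCVEsURL default from its github.com blob form to the raw.githubusercontent.com form, because the blob URL returns GitHub's HTML page rather than the CSV bytes, and it parses the FireEyeToolsCVE default, which as written carries stray spaces around its commas.

```python
"""Added example: hash/CVE hunt mirroring the playbook's steps on constructed data.
Not XSOAR code; the CSV layout, log format and hostnames are assumptions."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Mirrors the file-hash types extractIndicators pulls out of free text:
# SHA256 (64 hex), SHA1 (40 hex), MD5 (32 hex). Longest alternative first so a
# SHA256 is never split into shorter matches.
HASH_RE = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b", re.IGNORECASE)
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample hashes (not real tool hashes) and a constructed stand-in for
# all-hashes.csv. The column names are an assumption; the extractor does not rely on
# them, it only needs the hashes to appear somewhere in the text.
_MD5_1, _SHA256_1 = "0123456789abcdef" * 2, "0123456789abcdef" * 4
_MD5_2, _SHA256_2 = "fedcba9876543210" * 2, "fedcba9876543210" * 4
SAMPLE_HASH_CSV = f"""md5,sha256,path
{_MD5_1},{_SHA256_1},tools/example1.exe
{_MD5_2},{_SHA256_2},tools/example2.dll
"""

# Constructed endpoint log lines (Sysmon-style "hashes=" field) used as the hunt target.
SAMPLE_ENDPOINT_LOGS = [
    f"host=WS01 event=ProcessCreate image=C:\\Temp\\example1.exe hashes=MD5={_MD5_1.upper()}",
    "host=WS02 event=ProcessCreate image=C:\\Windows\\notepad.exe hashes=MD5=" + "1" * 32,
    f"host=SRV03 event=ImageLoad image=C:\\Temp\\example2.dll hashes=SHA256={_SHA256_2}",
]


def to_raw_github_url(url: str) -> str:
    """Rewrite a github.com/<owner>/<repo>/blob/<ref>/<path> link to its raw form.

    The blob URL serves GitHub's HTML page; the raw URL serves the file bytes, which
    is what an http fetch followed by indicator extraction actually wants.
    """
    parsed = urlparse(url)
    parts = parsed.path.strip("/").split("/")
    if parsed.netloc == "github.com" and len(parts) >= 5 and parts[2] == "blob":
        owner, repo, _, ref = parts[:4]
        return f"https://raw.githubusercontent.com/{owner}/{repo}/{ref}/{'/'.join(parts[4:])}"
    return url  # already raw, or not a GitHub blob link: leave untouched


def extract_hashes(text: str) -> set[str]:
    """Return every MD5/SHA1/SHA256 found in the text, lowercased and deduplicated."""
    return {m.group(0).lower() for m in HASH_RE.finditer(text)}


def parse_cve_input(value: str) -> list[str]:
    """Split a comma-separated CVE list, tolerating stray whitespace, dropping non-CVE tokens."""
    tokens = [t.strip().upper() for t in value.split(",")]
    return [t for t in tokens if CVE_RE.match(t)]


def hunt_endpoint_logs(log_lines: list[str], ioc_hashes: set[str]) -> dict[str, set[str]]:
    """Map each host whose log lines carry a known-bad hash to the hashes seen on it."""
    hits: dict[str, set[str]] = {}
    for line in log_lines:
        host = re.search(r"\bhost=(\S+)", line)
        if not host:
            continue  # a line without a host field cannot be attributed to an endpoint
        seen = extract_hashes(line) & ioc_hashes
        if seen:
            hits.setdefault(host.group(1), set()).update(seen)
    return hits


def plan_response(hits: dict[str, set[str]], isolate_automatically: bool) -> dict[str, str]:
    """Per host: isolate now, or hold for analyst approval (the playbook's default)."""
    action = "isolate" if isolate_automatically else "await_approval"
    return {host: action for host in sorted(hits)}


if __name__ == "__main__":
    iocs = extract_hashes(SAMPLE_HASH_CSV)
    found = hunt_endpoint_logs(SAMPLE_ENDPOINT_LOGS, iocs)
    for host, action in plan_response(found, isolate_automatically=False).items():
        print(host, sorted(found[host]), action)
```

Keeping the default of IsolateEndpointAutomatically at False is the safer choice when the hash list is fetched over plain http from a third-party repository: a single bad row in the list would otherwise isolate hosts with no analyst in the loop.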

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • Search Endpoints By Hash - Generic V2
  • Search Endpoint by CVE - Generic
  • Isolate Endpoint - Generic

Integrations

This playbook does not use any integrations.

Scripts

  • findIncidentsWithIndicator
  • http

Commands

  • appendIndicatorField
  • cve
  • extractIndicators
  • linkIncidents
  • enrichIndicators
  • closeInvestigation
  • createNewIndicator

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| FireEyeToolsCVE | CVEs associated with the FireEye red team tools, used by the Search Endpoint by CVE sub-playbook to find exposed endpoints. | CVE-2019-0708, CVE-2017-11774, CVE-2018-15961, CVE-2019-19781, CVE-2019-3398, CVE-2019-11580, CVE-2018-13379, CVE-2020-0688, CVE-2019-11510, CVE-2019-0604, CVE-2020-10189, CVE-2019-8394, CVE-2020-1472, CVE-2018-8581, CVE-2016-0167, CVE-2014-1812 | Optional |
| FireEyeRedTeamToolsCVEsURL | URL of the FireEye red team tools countermeasures file that the playbook downloads and extracts indicators from. The default points at all-hashes.csv in FireEye's red_team_tool_countermeasures repository. | https://github.com/fireeye/red_team_tool_countermeasures/blob/master/all-hashes.csv | Optional |
| IsolateEndpointAutomatically | Whether to isolate endpoints automatically or wait for manual user approval. True means isolation is done automatically. | False | Optional |

Playbook Outputs


There are no outputs for this playbook.

Playbook Image

[Playbook image: FireEye Red Team Tools Investigation and Response]