Skip to main content

PS-Remote Get MFT

This Playbook is part of the Windows Forensics Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host to acquire and export the MFT (Master File Table) as forensic evidence for further analysis.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • UnzipFile
  • AddEvidence
  • Set
  • Sleep


  • ps-remote-export-mft
  • ps-remote-download-file

Playbook Inputs#

NameDescriptionDefault ValueRequired
HostA single hostname or IP address from which to export the registry file. For example, testpc01.Optional
FilePathThe path on the hostname on which to create the MFT file. The default path will be c:\mft.mft.
If the AddHostNameToFile input is "true", the file downloaded to XSOAR will contain the hostname.
VolumeForMftThe volume for which to create the MFT. The default is c.
ZipMftSpecify "true" to zip the MFT file before sending it to XSOAR.trueOptional
AddHostNameToFileSpecify "true" for the downloaded filename to be comprised of the hostname, or "false" to keep the filename as configured in the FilePath argument.trueOptional

Playbook Outputs#

MftDetailsThe MFT file details.string

Playbook Image#

PS-Remote Get MFT