This playbook is part of the Windows Forensics Pack.

Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook leverages the Windows built-in PowerShell and WinRM capabilities to connect to a Windows host through the PS-Remote integration. On that host it runs the Netsh tool to create an ETL trace file, the Windows equivalent of a Wireshark PCAP file. After receiving the resulting ETL, XSOAR converts it to a PCAP file so it can be parsed and enriched later. Review the Microsoft documentation for how to use ETL filters (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj129382(v=ws.11)#using-filters-to-limit-etl-trace-file-details).
## Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

This playbook does not use any sub-playbooks.

### Integrations

This playbook does not use any integrations.
## Playbook Inputs

| **Description** |
| --- |
| A single hostname or IP address from which to create the ETL file. For example, testpc01. |
| The maximum file size in MB for the ETL. Once the file reaches this size, the capture stops. For example, 10MB. |
| The path on the host at which to create the ETL file. The default path is c:\etl.etl. If the AddHostNameToFile input is "true", the file downloaded to XSOAR will contain the hostname. |
| The filter to apply when creating the ETL file. For example, IPv4.Address=18.104.22.168 captures traffic only from the 18.104.22.168 IP address. If no filter is specified, all traffic is recorded. |
| The time to record, in seconds. |
| Specify "true" to zip the ETL file before sending it to XSOAR. |
| Specify "true" for the downloaded filename to contain the hostname, or "false" to keep the filename as configured in the FilePath argument. |

## Playbook Outputs

| **Description** |
| --- |
| The PCAP file details. |
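The capture step described above, as an added example that is not the playbook's own code: a PowerShell script of the kind PS-Remote would run on the target host, driving `netsh trace` with the size limit, filter, duration, hostname and zip options the inputs describe. The parameter names other than FilePath and AddHostNameToFile are assumptions, as is the sample filter address; `netsh trace` requires an elevated session.

```powershell
# Added example (not from the playbook). Runs on the Windows host as an administrator.
param(
    [string]$FilePath = 'c:\etl.etl',                 # default path named in the inputs
    [int]$MaxSizeMB = 10,                             # netsh stops writing at this size
    [string]$Filter = 'IPv4.Address=18.104.22.168',   # '' captures all traffic
    [int]$SecondsToRecord = 60,
    [bool]$ZipEtl = $true,
    [bool]$AddHostNameToFile = $true
)

# Build the netsh trace start command. report=disabled skips the extra .cab
# diagnostics bundle so only the ETL is produced.
$startArgs = @('trace', 'start', 'capture=yes', "tracefile=$FilePath",
               "maxSize=$MaxSizeMB", 'overwrite=yes', 'persistent=no', 'report=disabled')
if ($Filter) { $startArgs += $Filter }

& netsh @startArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed (exit code $LASTEXITCODE)" }

try {
    Start-Sleep -Seconds $SecondsToRecord
} finally {
    # Always stop the session; an orphaned trace keeps writing until maxSize.
    & netsh trace stop | Out-Null
}

$artifact = $FilePath
if ($AddHostNameToFile) {
    # Rename so the file XSOAR downloads identifies the host it came from.
    $dir  = Split-Path -Path $FilePath -Parent
    $base = [IO.Path]::GetFileNameWithoutExtension($FilePath)
    $artifact = Join-Path -Path $dir -ChildPath ("{0}_{1}.etl" -f $env:COMPUTERNAME, $base)
    Move-Item -Path $FilePath -Destination $artifact -Force
}

if ($ZipEtl) {
    # Compress before transfer; ETL files from busy hosts can reach the size limit quickly.
    $zip = [IO.Path]::ChangeExtension($artifact, '.zip')
    Compress-Archive -Path $artifact -DestinationPath $zip -Force
    $artifact = $zip
}

# Emit the path of the file the orchestrator should retrieve.
$artifact
```

The returned path is what the playbook would fetch back to XSOAR for ETL-to-PCAP conversion.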