ATD - Detonate File

Detonates a File using the McAfee Advanced Threat Defense sandbox. Advanced Threat Defense supports the following File Types: 32-bit Portable Executables (PE)files; 64-bit PE+files exe, sys, dll, com, scr, cpl, ocx, cgi Microsoft Office Suite documents doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar Just Systems Ichitaro documents jtd, jtdc Adobe pdf, swf Compressed files gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar Android application package apk, Java, JAR, CLASS, Java Script, Java bin files Image files jpeg, png, gif Other file types cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh

McAfee Advanced Threat Defense · 12 tasks · 3 inputs · 32 outputs

Inputs

  • File — The file to detonate. File is taken from the context.
  • Interval — Polling frequency - how often the polling command should run (minutes)
  • Timeout — How much time to wait before a timeout occurs (minutes)

Outputs

  • ATD.Task.taskId — The task ID of the sample uploaded
  • ATD.Task.jobId — The job ID of the sample uploaded
  • ATD.Task.messageId — The message Id relevant to the sample uploaded
  • ATD.Task.srcIp — Source IPv4 address
  • ATD.Task.destIp — Destination IPv4 address
  • ATD.Task.MD5 — MD5 of the sample uploaded
  • ATD.Task.SHA1 — SHA1 of the sample uploaded
  • ATD.Task.SHA256 — SHA256 of the sample uploaded
  • File.Name — Filename (only in case of report type=json)
  • File.Type — File type e.g. "PE" (only in case of report type=json)
  • File.Size — File size (only in case of report type=json)
  • File.MD5 — MD5 hash of the file (only in case of report type=json)
  • File.SHA1 — SHA1 hash of the file (only in case of report type=json)
  • File.SHA256 — SHA256 hash of the file (only in case of report type=json)
  • File.EntryID — The Entry ID of the sample
  • File.Malicious.Vendor — For malicious files, the vendor that made the decision
  • File.Malicious.Description — For malicious files, the reason for the vendor to make the decision
  • DBotScore.Indicator — The indicator we tested (only in case of report type=json)
  • DBotScore.Type — The type of the indicator (only in case of report type=json)
  • DBotScore.Vendor — Vendor used to calculate the score (only in case of report type=json)
  • DBotScore.Score — The actual score (only in case of report type=json)
  • IP.Address — IP's relevant to the sample
  • InfoFile.EntryID — The EntryID of the report file
  • InfoFile.Extension — The extension of the report file
  • InfoFile.Name — The name of the report file
  • InfoFile.Info — The info of the report file
  • InfoFile.Size — The size of the report file
  • InfoFile.Type — The type of the report file
  • File — File object
  • File.Malicious — File Malicious object
  • DBotScore — DBotScore object
  • InfoFile — Report file object

Commands used

atd-check-status atd-file-upload atd-get-report

Flowchart

yes yes yes yes Start Start GenericPolling - GenericPolling GenericPolling GenericPolling McAfee ATD Get Report - atd-get-report McAfee ATD Get Report atd-get-report Done Done Is McAfee ATD sandbox enabled? Is McAfee ATD sandbox ena... Filter taskId Filter taskId atd-check-status - atd-check-status atd-check-status atd-check-status Is File type supported? Is File type supported? Set File to context - Set Set File to context Set Is there a File to Detonate? Is there a File to Detonate? Set Context - Set Set Context Set Mcafee ATD Upload File - atd-file-upload Mcafee ATD Upload File atd-file-upload