ATD - Detonate File
Detonates a File using the McAfee Advanced Threat Defense sandbox. Advanced Threat Defense supports the following File Types: 32-bit Portable Executables (PE)files; 64-bit PE+files exe, sys, dll, com, scr, cpl, ocx, cgi Microsoft Office Suite documents doc,dotm, docx, dotx, xls, ppam, xlsx, pps, xlsb, ppsx, xlsm, ppsm, ppt, ppt, pptx, pptm, rtf, shs, xltm, sldm, xltx, sldx, xlam, thmx, docm, xar Just Systems Ichitaro documents jtd, jtdc Adobe pdf, swf Compressed files gz, 7z, tgz, msi, zip, lzh, cab, lzma, rar Android application package apk, Java, JAR, CLASS, Java Script, Java bin files Image files jpeg, png, gif Other file types cmd, ace, bat, arj, vbs, chm, xml, lnk, url, mof, htm, ocx, html, potm, eml, potx, msg, ps1, vb, reg, vba, wsc, vbe, wsf, vbs, wsh
McAfee Advanced Threat Defense · 12 tasks · 3 inputs · 32 outputs
Inputs
File— The file to detonate. File is taken from the context.Interval— Polling frequency - how often the polling command should run (minutes)Timeout— How much time to wait before a timeout occurs (minutes)
Outputs
ATD.Task.taskId— The task ID of the sample uploadedATD.Task.jobId— The job ID of the sample uploadedATD.Task.messageId— The message Id relevant to the sample uploadedATD.Task.srcIp— Source IPv4 addressATD.Task.destIp— Destination IPv4 addressATD.Task.MD5— MD5 of the sample uploadedATD.Task.SHA1— SHA1 of the sample uploadedATD.Task.SHA256— SHA256 of the sample uploadedFile.Name— Filename (only in case of report type=json)File.Type— File type e.g. "PE" (only in case of report type=json)File.Size— File size (only in case of report type=json)File.MD5— MD5 hash of the file (only in case of report type=json)File.SHA1— SHA1 hash of the file (only in case of report type=json)File.SHA256— SHA256 hash of the file (only in case of report type=json)File.EntryID— The Entry ID of the sampleFile.Malicious.Vendor— For malicious files, the vendor that made the decisionFile.Malicious.Description— For malicious files, the reason for the vendor to make the decisionDBotScore.Indicator— The indicator we tested (only in case of report type=json)DBotScore.Type— The type of the indicator (only in case of report type=json)DBotScore.Vendor— Vendor used to calculate the score (only in case of report type=json)DBotScore.Score— The actual score (only in case of report type=json)IP.Address— IP's relevant to the sampleInfoFile.EntryID— The EntryID of the report fileInfoFile.Extension— The extension of the report fileInfoFile.Name— The name of the report fileInfoFile.Info— The info of the report fileInfoFile.Size— The size of the report fileInfoFile.Type— The type of the report fileFile— File objectFile.Malicious— File Malicious objectDBotScore— DBotScore objectInfoFile— Report file object
Commands used
atd-check-status
atd-file-upload
atd-get-report