Command-Line Analysis
This playbook takes a command line from the alert and performs the following actions: - Checks for base64 string and decodes if exists - Extracts and enriches indicators from the command line - Checks specific arguments for malicious usage At the end of the playbook, it sets a possible verdict for the command line, based on the finding: 1. Indicators found in the command line 2. Found AMSI techniques 3. Found suspicious parameters 4. Usage of malicious tools 5. Indication of network activity 6. Indication of suspicious LOLBIN execution 7. Suspicious path and arguments in the command line Note: To run this playbook with a list of command lines, set this playbook to run in a loop. To do so, navigate to 'Loop' and check "For Each Input".
Common Playbooks · 34 tasks · 2 inputs · 16 outputs
Inputs
Commandline— The command line.StringSimilarityThreshold— StringSimilarity automation threshold. Used by the Compare "Process Execution Arguments To LOLBAS Patterns" sub-playbook. This input controls the StringSimilarity automation threshold.
Outputs
MatchRegex— The regex found in the command line.Indicators— Indicators extracted from the command line.commandline.original— The original command line.commandline.decoded— The decoded command line.IP— The IP object.URL— The URL object.File— The file object.Domain— The domain object.CommandlineVerdict.base64— Command line verdict base64 was found. True/FalseCommandlineVerdict.suspiciousParameters— Command line verdict suspicious parameters found. True/FalseCommandlineVerdict.AMSI— Command line verdict AMSI found. True/FalseCommandlineVerdict.foundIndicators— Command line verdict foundIndicators found. True/FalseCommandlineVerdict.maliciousTools— Command line verdict maliciousTools found. True/FalseCommandlineVerdict.networkActivity— Command line verdict networkActivity found. True/FalseCommandlineVerdict.SuspiciousLolbinExecution— Command line verdict SuspiciousLolbinExecution found. True/FalseCommandlineVerdict.SuspiciousCmdPathAndArguments— Command line verdict SuspiciousCmdPathAndArguments found. True/False
Commands used
extractIndicators