CrowdStrike Falcon - T1059 - Command and Scripting Interpreter
This playbook handles command and scripting interpreter alerts based on the MITRE T1059 technique. An attacker might abuse command and script interpreters to execute commands, scripts, or binaries. The playbook executes the following stages: **Analysis** - Initiates the CommandLineAnalysiss script which will determine if the command lines have any suspicious artifacts that might indicate malicious behavior. - Enriches any indicators found during the command lines analysis phase. **Investigative Actions:** - In case malicious indicators were found, the playbook will initiate a check against CrowdStrike Falcon to identify if any other endpoint has been associated with the same indicators. - If there are any, the playbook will update the layout and create a new incident for further investigation. **Remediation:** - Terminate the process if the CrowdStike Falcon agent doesn't block it. - If the process failed or the parent process command line was suspicious as well, a manual action will be provided to the analyst to choose how to proceed further: - Terminate the parent process - Isolate the endpoint **Closure Steps:** - Handle malicious alerts by closing the alert as True Positive. - Handle non-malicious alerts by closing the alert as False Positive.
CrowdStrike Falcon · 33 tasks · 2 inputs · 0 outputs
Inputs
CommandLines— The command line analysis that was found in the alert. By default, we will analyze the command line and its parent command line.CreateNewIncidentForIndicators— If the playbook identifies malicious indicators associated with other hosts, a new incident will be generated with relevant information for the analysts.
Commands used
closeInvestigation
createNewIncident
cs-falcon-rtr-kill-process
endpoint
enrichIndicators
linkIncidents
setIncident