Endpoint Malware Investigation - Generic V2 Deprecated

Deprecated. Use 'Malware Investigation & Response Incident handler' instead. (From the 'Malware Investigation And Response Pack') This playbook provides a framework for handling malware investigation through all essential steps. The playbook consists of 7 stages. Each stage contains the relevant playbook or tasks. This playbook auto extracts indicators from incidents using indicator extraction rules of the malware incident type. To use Illusive integration in the `Forensics - Generic` playbook, note that you will be able to set the forensic timeline by editing the `Forensics - Generic` playbook inputs.

Malware Core · 68 tasks · 25 inputs · 0 outputs

Inputs

  • AutoIsolation — This input determines the threshold severity from which to perform auto-isolation for the infected endpoint. Specify the severity number (Default is 3 - High): Specify the severity number: 0 - Unknown 0.5 - Informational 1 - Low 2 - Medium 3 - High 4 - Critical
  • Email — The email address to send a notification if there is a possibility of the malware spreading and infecting other endpoints.
  • MD5 — The MD5 hash value for the suspicious file.
  • SHA256 — The SHA256 hash value for the suspicious file.
  • Hostname — Hostname of the machine on which the file is located.
  • FilePath — The path of the file to retrieve. For example: C:\users\folder\file.txt
  • UseD2 — Specifies whether to use a D2 agent to retrieve the file.
  • SHA1 — The SHA1 hash value for the suspicious file.
  • ActivateAutomaticHunting — Activate Threat Hunting - Generic playbook for automatic hunting. Yes- to activate.
  • ManualThreatHunting — Perform manual threat hunting. Yes- to activate.
  • NeedMoreForensics — The value `Yes` will activate the playbook `Forensics - Generic` that retrieves additional forensics on the investigating host. Yes- to activate,
  • IPAddress — This input is relevant if the Threat Hunting - Generic playbook is activated. If you activated the Threat Hunting - Generic playbook and you are hunting IP addresses, provide the IP addresses here.
  • URLDomain — This input is relevant if the Threat Hunting - Generic playbook is activated. If you activated Threat Hunting - Generic playbook and you are hunting for URLs or domains, provide the URLs or domains here.
  • InternalRange — This input is relevant if the Threat Hunting - Generic playbook is activated. The input is a list of internal IP ranges to check IP addresses against. The list should be provided in CIDR notation, separated by commas. An example of a list of ranges would be: "172.16.0.0/12,10.0.0.0/8,192.168.0.0/16" (without quotes). If a list is not provided, the playbook will use the default list provided in the IsIPInRanges script (the known IPv4 private address ranges).
  • InternalDomainName — This input is relevant if the Threat Hunting - Generic playbook is activated. The input is the organization's internal domain name. This is provided for the IsInternalHostName script that checks if the detected host names are internal or external if the hosts contain the internal domains suffix. For example, demisto.com. If there is more than one domain, use the | character to separate values such as (demisto.com|test.com)
  • InternalHostRegex — This input is relevant if the Threat Hunting - Generic playbook is activated. This is provided for the IsInternalHostName script that checks if the detected host names are internal or external if the hosts match the organizations naming convention. For example, the host testpc1 will have the following regex \w{6}\d{1}
  • Agent_ID — This input is relevant if retrieving the file by EDR. If so, provide the relevant Agent_ID\Endpoint id.
  • CriticalUsers — This input will be used for the `Calculate Severity - Generic v2` playbook. Provide your critical users (CSV is optional).
  • CriticalEndpoints — This input will be uses for the `Calculate Severity - Generic v2` playbook. Provide your critical endpoint hostnames (CSV is optional).
  • CriticalGroups — This input will be uses for the `Calculate Severity - Generic v2` playbook. Provide the DN names of your critical AD groups (CSV is optional).
  • AutoUnIsolation — Providing "Yes" in this playbook input will activated the "Unisolate Endpoint - Generic" playbook.
  • Endpoint_ip — The IP of the endpoint which is involved in the investigation.
  • LinkSimilarIncidents — Providing "Yes" in this playbook input will link the incidents that were found similar by DBotFindSimilarIncidents.
  • DetonateFile — Providing "Yes" to this input will activate the "Detonate File - Generic".
  • IsolationAfterHunting — Providing "Yes" to this input will activate the "Isolate Endpoint Generic V2" after the execution of threat hunting procedures.

Commands used

closeInvestigation linkIncidents send-mail setIncident

Flowchart

No Yes yes No Yes No Yes yes Continue Investigation False positive yes yes yes yes yes yes yes yes yes Start Start Detonation Detonation File enrichment File enrichment Hunting Hunting Remediation Remediation Manual - Get analyst approval for auto-remediation Manual - Get analyst appr... Analyst review of the investigation Analyst review of the inv... Manual - Unisolate endpoints Manual - Unisolate endpoints File Enrichment - Generic v2 - File Enrichment - Generic v2 File Enrichment - Generic v2 File Enrichment - Generic v2 Detonate File - Generic - Detonate File - Generic Detonate File - Generic Detonate File - Generic Generate Investigation Summary Report - GenerateInvestigationSummaryReport Generate Investigation Su... GenerateInvestigationSummaryR... Was a file retrieved? Was a file retrieved? Retrieve file manually Retrieve file manually Manual - Hunt for other infected endpoints Manual - Hunt for other i... Were there any more infected endpoints found? Were there any more infec... Analyst manual remediation Analyst manual remediation Perform manual malware analysis and forensics Perform manual malware an... False Positive False Positive Get analyst approval for local containment Get analyst approval for ... Auto-Isolation? Auto-Isolation? Continue with the investigation or close as false positive? Continue with the investi... Calculate Severity - Generic v2 - Calculate Severity - Generic v2 Calculate Severity - Gene... Calculate Severity - Generic v2 Notify that more infected endpoints were found - send-mail Notify that more infected... send-mail Send notification regarding infected endpoints? Send notification regardi... Done Done Close Investigation - closeInvestigation Close Investigation closeInvestigation Manual - Close incident in the source product Manual - Close incident i... Set incident - Isolated field - setIncident Set incident - Isolated f... setIncident Isolate infected endpoints Isolate infected endpoints Retrieve File from Endpoint - Generic V2 - Retrieve File from Endpoint - Generic V2 Retrieve File from Endpoi... Retrieve File from Endpoint -... Activate automatic hunting Activate automatic hunting Threat Hunting - Generic - Threat Hunting - Generic Threat Hunting - Generic Threat Hunting - Generic Continue to manual threat hunting? Continue to manual threat... Need more forensics? Need more forensics? Assign incident to analyst - AssignAnalystToIncident Assign incident to analyst AssignAnalystToIncident Add the file that caused the FP in the source product to allow list Add the file that caused ... Get host forensics - Generic - Get host forensics - Generic Get host forensics - Generic Get host forensics - Generic Manually list detected hostnames Manually list detected ho... Set manual host names - commentsToContext Set manual host names commentsToContext Activated auto unisolation Activated auto unisolation Unisolate Endpoint - Generic - Unisolate Endpoint - Generic Unisolate Endpoint - Generic Unisolate Endpoint - Generic Get endpoint details - Generic - Get endpoint details - Generic Get endpoint details - Ge... Get endpoint details - Generic Isolate Endpoint - Generic V2 - Isolate Endpoint - Generic V2 Isolate Endpoint - Generi... Isolate Endpoint - Generic V2 Isolate Endpoint - Generic V2 - Isolate Endpoint - Generic V2 Isolate Endpoint - Generi... Isolate Endpoint - Generic V2 Isolation Isolation Forensics Forensics Unisolation Unisolation Set user as account - Set Set user as account Set Set detected hostnames to context - SetAndHandleEmpty Set detected hostnames to... SetAndHandleEmpty Set detected IP's to context - SetAndHandleEmpty Set detected IP's to context SetAndHandleEmpty No results for manual TH No results for manual TH Get endpoint details - Generic - Get endpoint details - Generic Get endpoint details - Ge... Get endpoint details - Generic Set endpoint details to layout - SetGridField Set endpoint details to l... SetGridField Set to layout Set to layout Find similar incidents - DBotFindSimilarIncidents Find similar incidents DBotFindSimilarIncidents Set similar incidents to layout - SetGridField Set similar incidents to ... SetGridField Find similar incidents Find similar incidents Get endpoint details Get endpoint details Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2 Are there similar incidents? Are there similar incidents? Link similar incidents - linkIncidents Link similar incidents linkIncidents Link the similar events? Link the similar events? Close investigation as false positive - closeInvestigation Close investigation as fa... closeInvestigation Manual - Close incident in the source product Manual - Close incident i... Closing reason Closing reason Set detected users to to context - SetAndHandleEmpty Set detected users to to ... SetAndHandleEmpty Activate auto detonation? Activate auto detonation? Activate auto isolation after threat hunting? Activate auto isolation a...